Extracted

Extracted

Extracted

• • Target

    edc3aaee08710efb4075a8ee0336bca09e2c02aa41be1cec7794dc60bccf1ec0N.exe

  • Size

    1.6MB

  • MD5

    fd916b5a03cbd36946d3e984facd2830

  • SHA1

    facdc37ecfc4ec4e7728e441fecd9c5463e634f6

  • SHA256

    edc3aaee08710efb4075a8ee0336bca09e2c02aa41be1cec7794dc60bccf1ec0

  • SHA512

    b4070781ce4257b576d311e86372516530606bab259a4ec31c81b2055be0ba5400e6b90fc29be964033bfad56bd1acd7d9c497096080458c2d53380850bac59c

  • SSDEEP

    24576:wqXpbSKduSouaZ1EodUD36JyYh4OzQDzxMmmw5OjCI4WjlAIdHT:wq52BuO1n+j6Jfj0Hy73jCzWiIFT

  Score

  10^/10

  dcratneshtaphemedroneremcosstormkittyxwormonedriveaspackv2credential_accessdiscoveryevasionexecutioninfostealerpersistenceratspywarestealertrojan

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Detect Xworm Payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Neshta family

    neshta

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone

  • Phemedrone family

    phemedrone

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • UAC bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Adds policy Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2