Extracted

• • Target

    Nonagon.exe

  • Size

    23KB

  • MD5

    1b554731ea6b94e44ab6fe7ec45eb153

  • SHA1

    1849707450548f79b4f8d941745c2c72199a7f00

  • SHA256

    f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

  • SHA512

    96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1

  • SSDEEP

    384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

  Score

  10^/10

  dcratphemedroneumbralcredential_accessdiscoveryinfostealerpersistenceratspywarestealer

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Detect Umbral payload

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone

  • Phemedrone family

    phemedrone

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Umbral family

    umbral

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence
  behavioral1