dcrat

Sharing

General

Target

archive_54.zip
Size

82.6MB
Sample

250322-g17rssy1ev
MD5

7fda1e24ff93dee7a1e0f2a933a4fd4a
SHA1

84d384a63cb1640437dc615698165067555b4b11
SHA256

e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8
SHA512

5b32b670828ec41d3ae1152c1c795d218779e4a34c8634b3b627fc8bf41423e73230584f0f3ee744d698d017997a307f2bfe5252e9f8ca36d12737a0f55bcc38
SSDEEP

1572864:XQ9RSafdtB5chKf3aXnDeQNILK6KuHnPqImecHBs7lqW/xTy6xjrHHaMNiEa4lpN:XQiaj7gKf3wKQNIOXuyteayDTfjrn9iC

Score

10^/10

Malware Config

Extracted

Family

xworm

sound-kuwait.gl.at.ply.gg:23006

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

xworm

Version

5.0

y0sxz-23886.portmap.host:23886

Mutex

Nu8ESzXeQ5CGfIYK

Attributes

Install_directory
%Temp%
install_file
updater.exe
telegram
https://api.telegram.org/bot7652540327:AAGYeqytWC570vUvKQiDlj_ZhVhXoUvUbmM/sendMessage?chat_id=7699236265

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2020-04-24T17:41:53.492468936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
45400
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sysupdate24.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Targets

- Target
  
  d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea.exe
- Size
  
  1.9MB
- MD5
  
  371ac901265784870ebce3b2f6d4c663
- SHA1
  
  624369382a311fd84568a61b309f8414b8ca7c07
- SHA256
  
  d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea
- SHA512
  
  28a83331b901295d597616364a429020e7879aaa1abb5c690e98bd96f385a8ed5dbe27435c94d525a678c4cc4e3c6228f00fa5356828ec53b540ac67def51d27
- SSDEEP
  
  24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral1 behavioral2
- Target
  
  d986bd823023960d3592fbd96b01a297d157c818c3eb3c141794f694fa97262e.exe
- Size
  
  580KB
- MD5
  
  335f23b40840863a84a2014abd32f4b6
- SHA1
  
  d8a317aafe892dc2aecb85e7580ff2d22e9087d6
- SHA256
  
  d986bd823023960d3592fbd96b01a297d157c818c3eb3c141794f694fa97262e
- SHA512
  
  93bb49a655459fc9af26e0637f73edf96caae76207e3af7f08899111b345e02a685e73613b3382e25b970e3b3d31b5f697f7007c1d199d7956a3f1a14f47b8f7
- SSDEEP
  
  12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7AY:rBJwdhMJ6ZzHrfcsMGTfZ5PAY
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  d9a7a84e51c67d1a641349c9195c4f74.exe
- Size
  
  1.1MB
- MD5
  
  d9a7a84e51c67d1a641349c9195c4f74
- SHA1
  
  ab7430806db422ec6dc6bf7c378d70f36125c33f
- SHA256
  
  98be7f502a04b1116647aec47e8e1061d2c26404d6e7855423371fe01d8f5ef9
- SHA512
  
  fd9a242d657e746ddd07474fefe772afb1b4060db34bb030d1ce8abd7c4ff1af235b209606ea8f43aaf87ae30e1cbfd5b23986344b23a6a50bf13b35deb97ee7
- SSDEEP
  
  12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ
Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  d9cf29b5554af511c587d42fc89b333f.exe
- Size
  
  73KB
- MD5
  
  d9cf29b5554af511c587d42fc89b333f
- SHA1
  
  cd607ac7223b6023f267b8e2bc072f065604bbe5
- SHA256
  
  255fb86d56dbcbf96016d55ccdbe48d2acf7762bb16e115487c4b9991c13bee2
- SHA512
  
  2504067df1665cd4b142144b5c5e5085c44bac809e27226fb2bf4230b0cb2966e35c9a99416d22ad261f220f4aaec349a55fadc3d169300d6078853e75267ecf
- SSDEEP
  
  1536:F9wkc4ceDXruTXh+bX7kaAj6McOVBwVCJSdUf:yODyl+bXUhcOvwQac
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  d9d8ce72bea14182d0909964ca07a8b6.exe
- Size
  
  885KB
- MD5
  
  d9d8ce72bea14182d0909964ca07a8b6
- SHA1
  
  b28d8a45177dc711160d4ea289b88ececf0174fb
- SHA256
  
  c14f2d55ba7fb0234c638ac3b7b7081e5c94fb27382b081176fd88ae5b90aeb7
- SHA512
  
  78e08e64514d53ae1335caa9c36d66b0e1eea3f52b8fef6fee72cfbc449b6cd3b8f15b432329f7528a7291a438ba96fd8ec6ee4f13a13a30438bd7f98870c256
- SSDEEP
  
  12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral10 behavioral9
- Target
  
  da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
- Size
  
  1.6MB
- MD5
  
  9af38351067812c0e3fa8e5ba3fdab5f
- SHA1
  
  896e6735656cc62d2f9258672683e200c9e30be5
- SHA256
  
  da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442
- SHA512
  
  dd35feecbb645e33a4a13247e31fac3cb480c9c9cc6aeca1e9434a082b4d7aaa77585583650358d7507e5e02d9a441c43754897c6bf09baf446346574d870c9d
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral11 behavioral12
- Target
  
  da2ab0267a2a37786edfb78c7a6a694d.exe
- Size
  
  281KB
- MD5
  
  da2ab0267a2a37786edfb78c7a6a694d
- SHA1
  
  f609fe3eb09175ae77aafcfe878be17bccd30621
- SHA256
  
  23a803a6c6730cd9ab23656c9d7ddb14f17c21cf25ea6a39e235ae1a132429a0
- SHA512
  
  224105a5f6ad2a8f8d1deaf5a57cd5b1d1869a476a14dd567e1a792571a11afe152f2b8b400c143dcabeae10b9940ecb4fc79345ad17a9e2fe40babc4b7b40f8
- SSDEEP
  
  6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fas:boSeGUA5YZazpXUmZhZ6is
Score

10^/10

discovery persistence nanocore defense_evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  da4889c62855c58d6c05523169436f46cac74ad92b8e173c443bc8225cc8e7ff.exe
- Size
  
  1.7MB
- MD5
  
  9af5fe2641401056a984b15f527969ca
- SHA1
  
  6d71a8f2b329bbb10c2f216070b0c4b2d99f8cfb
- SHA256
  
  da4889c62855c58d6c05523169436f46cac74ad92b8e173c443bc8225cc8e7ff
- SHA512
  
  025fa7b5755138dc84524665a3c5311e8202eb47129f223397fc5b12d1718dc99652383917e0137db630f5a7807f5d98b790d5e6d224b166b9fac51bc1613975
- SSDEEP
  
  24576:DD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjo7:Dp7E+QrFUBgq2K
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  da73f613691fb380fa55261dc95a520f5c8b90ecd91ee741b56cb3628ac259a3.exe
- Size
  
  780KB
- MD5
  
  0c3baba16f3ab689be48dac074e065c3
- SHA1
  
  3b51ce649e0920a2d252fac27bcd0f2df5766d0d
- SHA256
  
  da73f613691fb380fa55261dc95a520f5c8b90ecd91ee741b56cb3628ac259a3
- SHA512
  
  9694671792a25c4829b30d507864e3b06390a9259c1a015946c582e6debf40475a4ae80d03929eb06e11033b0f5ae4d53373ba198e20bab3760702521c0ab63c
- SSDEEP
  
  6144:utT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKHHk:C6u7+487IFjvelQypyfy7cnKHHk
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  dadf12489ed76150718a6ef93c7fe010.exe
- Size
  
  5.9MB
- MD5
  
  dadf12489ed76150718a6ef93c7fe010
- SHA1
  
  1895e40361a27955832e7bc518359440fb716236
- SHA256
  
  3769933e54a8e2c3df8af84017b52a270b5307cea7df0386d860214bb9fda3eb
- SHA512
  
  4edfdc0b1231d4c757ada0f66711fafb13f812e9c8cc0b10efd41f514732a3ab6607a5403ea2b1c711758a72964ef9cc9cd962e7a5ad0be0356b339677cc9c94
- SSDEEP
  
  98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4/:ByeU11Rvqmu8TWKnF6N/1wG
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  dae2049164a4504d985a9d3aa054939139e01691fe60d175d27fcad81b4b1fdf.exe
- Size
  
  758KB
- MD5
  
  fca5dc41cb882456f8d33d6c9240ba6f
- SHA1
  
  7814a1bb5bab169183ed7c4f873acd57097a4eb7
- SHA256
  
  dae2049164a4504d985a9d3aa054939139e01691fe60d175d27fcad81b4b1fdf
- SHA512
  
  5399accc19a7bba346524ba9175b0772e1310738a1cdeb6522ebecb8239197d562000c46dedaef55a9b524a880d9fa92407fbf0ab1c692bde4d85daca456fda6
- SSDEEP
  
  6144:ZtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnK4:z6u7+487IFjvelQypyfy7cnK4
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  db06d80b635eadd508aae82af68fb07f.exe
- Size
  
  154KB
- MD5
  
  db06d80b635eadd508aae82af68fb07f
- SHA1
  
  87e85410d9d92abba7da25c4ff6579ceee9eff74
- SHA256
  
  01a66c806b319086b19edef1a9a511211c0978f12c154fcba00ded27f6a79a14
- SHA512
  
  c500eec47d539cd71359da7046d770796e6bbef50bcb9375a3a3db4807275f9d58c1dcf20ba0b269c2e2fe1bceed27532cb96638fbe26b03e04ac0dcbeebe000
- SSDEEP
  
  3072:DpkFv9i/JOwR4NpVq8BxFRzaqF+o2GQJ7/JzqVfGve:D8v96gVqwlL
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  db0b5b8185efd6ca7c3f569aec811ea6.exe
- Size
  
  5.6MB
- MD5
  
  db0b5b8185efd6ca7c3f569aec811ea6
- SHA1
  
  9b4c4966684020b351943b44bb3be066e23f2ccb
- SHA256
  
  d2b0f426014687a310ac74bfe78da227f506d163d6635527d115c0b96b5d0ab4
- SHA512
  
  891b19ba225e729d691906a5a3765c248a130c562cb587fe2fee507fd78a2f585e13d851ab23b32bbeed3f87d01cd2f2d50fde9ceaaffbc12f2de6e20f96408b
- SSDEEP
  
  98304:OvGBBkxCZS9bYZhID0qLNYfeW+4IkRpKMzVUp6QRDy:aGBBJDhID0qLNY64BR0MzVUp6QRDy
Score

7^/10
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
behavioral25 behavioral26
- Target
  
  db34bce8df2aa261ca6ff400843ca6eb.exe
- Size
  
  20.0MB
- MD5
  
  db34bce8df2aa261ca6ff400843ca6eb
- SHA1
  
  58c310b630199f8e1213f5a94d8fc1a09013c064
- SHA256
  
  b500f2020692d8b941db3f3ece9ebdaa043100da525da081a574318cebe132c3
- SHA512
  
  1ecb24e1596ffad4e80f4296886843b5608464e83b0fef64727febba28cdbf12df6355528441b8591c76e1f69ae29323f91a2891f80ed4cd6e6208ab230e016f
- SSDEEP
  
  196608:RQXY82cxqAOz8vuoTyQWzLRRXpFrq86wEIWM0y06wrR:cicxqAOz8vuozWzlRZFu+EIWM+6wN
Score

6^/10
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral27 behavioral28
- Target
  
  db41218c5e70c47489a3c8e20c0a0402eb80c67f67b281503589430480d715fd.exe
- Size
  
  13KB
- MD5
  
  52b818c373a9aba2551a9cc823485893
- SHA1
  
  3e69f6652ddd9108ae6b7c3735f108cc001c8115
- SHA256
  
  db41218c5e70c47489a3c8e20c0a0402eb80c67f67b281503589430480d715fd
- SHA512
  
  d9a32c4914e91b9724918732ef01a023fe07bcad6fb529bb6401663416c396b6477be974a76640ec17a91a592163f130c39695b00814fbe10d6ad94868c00007
- SSDEEP
  
  192:kLNSWs+WAyaSOmywSoF2pHb4i5yXDuLaE2v1OhbJQ+AN2XWEXWY:kLMymywtcpHb40CuL329hN+WEXW
Score

1^/10
behavioral29 behavioral30
- Target
  
  db547399adb1223b51dd04ca54bc0dcd.exe
- Size
  
  1.9MB
- MD5
  
  db547399adb1223b51dd04ca54bc0dcd
- SHA1
  
  5c5010b0c7d160d19aa37a981f28884c6fb753c5
- SHA256
  
  101ccc6b92cebfc2110fc59fe95374d2b7255103cd662a796513cc18f0c6022a
- SHA512
  
  6f000a5731877d84c56df1b3268f48b6346b5c5710e8044d7b0ecffc03b89f4a40a17049a9f929f9631bf6fbcec8cb35eadd521168d739085771fa8630e5f910
- SSDEEP
  
  24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral31 behavioral32