dcrat

Sharing

General

Target

archive_18.zip
Size

44.5MB
Sample

250322-gw843ayzet
MD5

d70c1a243cdb511386ff95f285cec502
SHA1

64446e9130cfa7dececa2687cb09eb2d044a76f9
SHA256

f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831
SHA512

aa84bf7f5cac7bae1f1202677dfa0503e70249472b0069426543e453e7bd06a439f186e14758bc1b45b557a9386f31bc99142c7ad4c5fa7cbf8bc4567a415ebd
SSDEEP

786432:g0tv7iZAp/TSyhy3e3jQ//yxNY6u9EwyTXp/ucV5wPauEs//yxNHtzEKFq:g0tvuZAp/tO6Eag9PE/ucV5wdPaZgKs

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

denvy1-64284.portmap.host:64284:4782

Mutex

5e5cf16c381d2c6f9bd898a2b029e870

Attributes

reg_key
5e5cf16c381d2c6f9bd898a2b029e870
splitter
Y262SUCZ4UJJ

Extracted

Family

xworm

127.0.0.1:8848

expected-sega.gl.at.ply.gg:4730

chat-poster.gl.at.ply.gg:41534

193.161.193.99:21764

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

nanocore

Version

1.2.2.0

91.236.116.142:5888

Mutex

d995ed82-bf13-4043-b564-f5f89f8c5209

Attributes

activate_away_mode
true
backup_connection_host
91.236.116.142
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2017-01-07T03:01:54.729778636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5888
default_group
Spy
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d995ed82-bf13-4043-b564-f5f89f8c5209
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
91.236.116.142
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

xworm

Version

5.0

on-donors.gl.at.ply.gg:5500

Mutex

Ii4gIkCPmmFUXemC

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  477abe4b25790663f42286884bad1f54fccac4fd3c881cf1c7d7ad8d7bab3351.exe
- Size
  
  606KB
- MD5
  
  ec244cbabaaa60802ed76d8964a79cb3
- SHA1
  
  56419b721068e70b2b69520017f94606927fe595
- SHA256
  
  477abe4b25790663f42286884bad1f54fccac4fd3c881cf1c7d7ad8d7bab3351
- SHA512
  
  734e394c523493d9f5524eae3b6f9b20f5d291ea6052cce7de12c34c5b3833c7dc7377974480517f2eab5c962050a7f7a8a911a228e47f2aefb0fb3fa7d168f4
- SSDEEP
  
  6144:TtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3ri57:16u7+487IFjvelQypyfy7i57
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  47c6de91e1706234f4587aa8f42a8c76d818b3055dc457b6dda51b803bf09ab0.exe
- Size
  
  1.0MB
- MD5
  
  83e74c5c8c4c1d174a055af1e0182393
- SHA1
  
  1bdfc6b9d7a9abdaaa08e701cb6ef5fbc90e9594
- SHA256
  
  47c6de91e1706234f4587aa8f42a8c76d818b3055dc457b6dda51b803bf09ab0
- SHA512
  
  d798465d7ab67d0cd656277fad5bddbbc8de2d739dfbd5da669c1494fbddcb9518f36a92c6a27c741ec703de85d902d06197f1120f8b49e8e38d72e285ead665
- SSDEEP
  
  12288:h11qi7aQZVQDHV1SY9LjHvxmthnjlc1qrNhx5yRfeisk:lq1QZVQDHrSY9LWnpNrcRf
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  47ce70cdeffbe184e4414b64b813fcaa.exe
- Size
  
  25.8MB
- MD5
  
  47ce70cdeffbe184e4414b64b813fcaa
- SHA1
  
  6daf2be501fb8ed05a8a5e8e5a351223c3a61c3e
- SHA256
  
  9097502ebdd5bb6c3f61d78148211feda2f25682be1ecd2f331c37c4a36cb501
- SHA512
  
  4f40036c816452794ad841fcb2deb1a5baf5bc584415f138b608f5f211a6088f7db2b6fb2a9e7e583457c314ea7d566f359c5dd0d779a89eb355a5df3877aa54
- SSDEEP
  
  393216:tSOWHAhJbjQno/A8w5y3COZfJrBIhUcT0FES0gjVhJ:t8D8w5GBkS0gPJ
Score

10^/10

defense_evasion discovery persistence
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  4809a98c25f0a7be709206691dd2a0ee.exe
- Size
  
  54KB
- MD5
  
  4809a98c25f0a7be709206691dd2a0ee
- SHA1
  
  83d5c6c56b101dbbff6c7e6a9abdc77270e460a1
- SHA256
  
  92d6bd28467aeb15829e676d32c09f5981baf3845ebaf7f69da9741c372b1cda
- SHA512
  
  85147c8b32df54d542f9e510226f8874f1aa5bc03e4bdc9a195a156fd92630a7ee10b15c18068244817ed5251a5bcbe5c8b52368753a389fcda7af1deacac75b
- SSDEEP
  
  1536:FOpwLVcvsG+yiZodvTlhJX3eye5IybOCoDGbfY:F4wLyvky6opTTt33MSN6rY
Score

10^/10

defense_evasion evasion persistence privilege_escalation trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- UAC bypass
  defense_evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Identifies Xen via ACPI registry values (likely anti-VM)
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Disables use of System Restore points
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Checks whether UAC is enabled
  defense_evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
behavioral7 behavioral8
- Target
  
  480bfd19cce007d5891ad838d903b17e.exe
- Size
  
  1.1MB
- MD5
  
  480bfd19cce007d5891ad838d903b17e
- SHA1
  
  f99f0df5cc724c83b37f90a47da43a2424153bc8
- SHA256
  
  01411f77f35029b6c9f9d8726f561fdae8031d6a288c9dae9e070cd9136eab25
- SHA512
  
  d83e62b20bc0b1fdb7219527f3352e346200c77a45ef47849a4762d3f47cdacc4c1463f1da3f85e4bbb4e45ba3d7a77f0dbb9cab96a2361cc4c1fdf54a2c7df8
- SSDEEP
  
  12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Adds Run key to start application
  persistence
behavioral10 behavioral9
- Target
  
  4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae.exe
- Size
  
  3.7MB
- MD5
  
  9fca2a5278edc3a95d546f0ae7f3cbff
- SHA1
  
  c97159bcbf621e7b9374472ed53a4dd963f75cf7
- SHA256
  
  4818942b6268d474373eadf8aa175f0de0315fc406eafa97d7fa7db7c154e9ae
- SHA512
  
  447deeb5021f15c46ca4eb70cc46065d3bd041afde860dfa2a7b9a7fbd9c4640712ad4c221f220015d28251780e124ea0bc9a548f97e822946eafffe8169f211
- SSDEEP
  
  98304:AkSzpYRKKe/I765KN6fXVwfbC6gz5IfMTJInd:GPKeC65U69wfxUTa
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  485ef3e4d31b39e6107f797859f14415.exe
- Size
  
  5.9MB
- MD5
  
  485ef3e4d31b39e6107f797859f14415
- SHA1
  
  3739bada3227bce92e083531766d21aa4c11159a
- SHA256
  
  b37b01540833889b41c27875378edb8fefebb2b56423c57a3a003bb1a71e501b
- SHA512
  
  d5708f1610ec1748d1866edf380b5bd34f2bced3b100654d0d8cd25651565a6ac3d92777b8959a36290a9020649570e7a64d44d6afd6d33cc6df0dee1a408145
- SSDEEP
  
  98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4t:hyeU11Rvqmu8TWKnF6N/1wY
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  486a44dd40852eb23aeca8e8951ffa61.exe
- Size
  
  54KB
- MD5
  
  486a44dd40852eb23aeca8e8951ffa61
- SHA1
  
  6fb6f73727522c1b67cf7db5853bd12e84226753
- SHA256
  
  ce834e57992c0f4579135e3313b176f2493712eaa6b5fd96aecd972b297d4c92
- SHA512
  
  d37587fc39fdf91a180f9b8b3cfdda6e804e28e82630428ca73205f70641a84e700a8f3558a928b31f59ad25d77364322e7fd5c0a37814fa21b8bcca66d6d6d4
- SSDEEP
  
  768:VyJZuIZ2Eslt0g5Xy3N3+dJSNXxWQG35bmaePD5PvPtXXJdxIEpmBg:Vyr1Gt0g5+NaGhWQcGDfX3xIEpmBg
Score

10^/10

njrat defense_evasion discovery execution persistence trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Stops running service(s)
  defense_evasion execution
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral15 behavioral16
- Target
  
  487afaa2421384f1449a96637df558b4.exe
- Size
  
  15KB
- MD5
  
  487afaa2421384f1449a96637df558b4
- SHA1
  
  87f9edc71b13f5bb1b87e0369e531ee6d17aff4d
- SHA256
  
  b6fd976bea3755f5b73802548928b389789584076b9d5a3e5d42642792707cdd
- SHA512
  
  905765c455b15e2221e92cb42abb075aac1bb8add344f4e8a4d9334361239d741077918f9d04f21effbb3c72f19124521bc097170099d6a31b802c523b2b6985
- SSDEEP
  
  384:o7y8xJoeC71aRZtKBl9vOVUkgha4H94jWjel0:oek65URZWnvOVJ4H9XA0
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  488aec85d490754bc445f0e21e7d4d5146c71d500bd953b8108608d44e0351b2.exe
- Size
  
  3.4MB
- MD5
  
  e44ce2c03e5af2bc482fea32685d3fca
- SHA1
  
  c87647db90bb759d7109cd47515fa4921397f1fb
- SHA256
  
  488aec85d490754bc445f0e21e7d4d5146c71d500bd953b8108608d44e0351b2
- SHA512
  
  764f8fb037f1a529bb54ef2cde8ee91e3afe23c2ed93e8a3796082840cc3524f2c581bd2a22cab9beca975c9442bb7729024b28e0cab7adaf58471f1a736d09e
- SSDEEP
  
  98304:TRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/HW:Tkj8NBFwxpNOuk2b
Score

8^/10

defense_evasion execution spyware stealer
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral19 behavioral20
- Target
  
  48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
- Size
  
  3.3MB
- MD5
  
  74da02657baeecb247413687ca835103
- SHA1
  
  44f3e5bdc60e9d41d624a1de2154d804a53aa8be
- SHA256
  
  48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da
- SHA512
  
  c679fa77c3b8a83e6c8607d77f2ff575ce9903fe8836e850cf12b5c8756f6123411c413e79bc131a1723d6803785c33f24612a4bcedbbb73035d6ec6aa53add1
- SSDEEP
  
  49152:Ts51kZEsvhP4KUYTMb5C1JyWdLQqFxLCobXK45p4aE:Ts5eaKhgKUFCo2LP15s
Score

10^/10

dcrat defense_evasion infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral21 behavioral22
- Target
  
  4931b13a1265c5602753b3933aeb20740855f573997799ae8aed85ca66d193db.exe
- Size
  
  927KB
- MD5
  
  d383c4a6d8c27294e80c5a7a881c5bce
- SHA1
  
  9273818d087b8f4216150094392d9fa017c6d80d
- SHA256
  
  4931b13a1265c5602753b3933aeb20740855f573997799ae8aed85ca66d193db
- SHA512
  
  d0d870f5e6796bf01f84358b282e03d6dbf3216ca6e5e6f9b81f6b1119287317ae4851442c892f792d80dbb8bc2e66982c5bdc12101425d8202b8ad646eafa34
- SSDEEP
  
  24576:JdtP2cbksTpugRNJI5kFMJF9OWjwjLOjZu:KgqQ
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  4963d3411f742a92635dbd83146f3f5f7abed444f92750bcdd14072efd30e695.exe
- Size
  
  74.0MB
- MD5
  
  2bcb124a4a22b161ad6ef74d8ae5cc47
- SHA1
  
  bdc51d9661236047e65356dd091577d08cd9bdf3
- SHA256
  
  4963d3411f742a92635dbd83146f3f5f7abed444f92750bcdd14072efd30e695
- SHA512
  
  3e2958750f3a067ed67d976b11c80dda2e41bf3fa583e83c3e6aa2d92976b8506a0b54379ee8871c49fdeff1ee58e46ed12ebd822b7c161acc6ef14254af5401
- SSDEEP
  
  12288:Wtgf5uSkiE2Iiy8oNzKwhLue8LCi5o38hvrknMnFd8xbpWcpClqCWYSFx9gQ1Od8:WPiO8ijXri1aOgTy2NR
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  4981b96b4a936aa6e960d3d9604a63e4.exe
- Size
  
  1.1MB
- MD5
  
  4981b96b4a936aa6e960d3d9604a63e4
- SHA1
  
  ed6b971a4b9b8bc2d54bcf0c6f8ac0ab4f9a7907
- SHA256
  
  5e71574cc2ae7ab174cbd9d54c4d8931043f1d337e468c50db377191e93f34b9
- SHA512
  
  cb4693e1d3dd7e9febf15f57f3e79466701939b15e3555f20542a591a1f811951243660358da85fc3a17f4398117962820b6e9763936e775a15764a72752cf6d
- SSDEEP
  
  24576:6tP10G4YBZQwL45rZGspBeAHTITMuK0T+YwfXplDF+UnDtwKHr26P4:61+tYTwtBeUTQjKksTFvnDtJHS6P
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  4996155e60aac91174cee14de1120fcb.exe
- Size
  
  80KB
- MD5
  
  4996155e60aac91174cee14de1120fcb
- SHA1
  
  9383aacd0e7b37ed7fb104dddb98885784d11899
- SHA256
  
  0a9fe4fa5ed9fa7066864cc89aaa4c2ed1a2d8f61b121b9ebd1daa45108397fa
- SHA512
  
  bb81036881efc3a2b527bcc3b8accc47c17cd66a807089e9706bf9bb3da6cb73086ca70730f7394ee9c3eec22664c7677ada1cd99c8adba73ae8bee3e4c4095c
- SSDEEP
  
  1536:BEnRM5P+PiiL7r2iN7joR7H6AJflcE13xebbl7qQVNyRHk96PkzYOdPgXlmC8Xo:enRM5P+PiiL7ZNQR7Z9d13xWbl7ZQlka
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral29 behavioral30
- Target
  
  49986bd925df8b3a09e58c4999927830.exe
- Size
  
  1.6MB
- MD5
  
  49986bd925df8b3a09e58c4999927830
- SHA1
  
  40750b7b784db39850b805c151dfe76c9a6fdf30
- SHA256
  
  8d08430b6955cd7396f0e929bc2e098bab79adf22ff486fac8e07c369ebd9837
- SHA512
  
  4fb7adb39f1cfba3151cf099b14582e79ad3100c8de878a169bc2028f2bad9082b79ed94f1a8d0d7a441a00799f48c9a22e04eea0b7258930cda4569955b269a
- SSDEEP
  
  24576:Msm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:MD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral31 behavioral32