dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_4.zip
Size

47.5MB
Sample

250322-ha9ddatlt5
MD5

d2623b39e221a6d5b8f640590b260cad
SHA1

0abc5ead1d21ad085b77a8260cfaf33f4f9b37e7
SHA256

000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11
SHA512

8f29d34313e9f0fdd883b8f092b9384fdee1e9b0b11fb6a78ef90e943274712d6b2d6acb7d7eed78e14679e7a548320ad1be11949d1db9c5c8eaafaea4d7067b
SSDEEP

786432:PwfTyQ378+ylqYQ//yxNjHCIXjD3SESL4P3aqRCoKLFrck30a/sL+yQ37hsjaOA/:P2eQA+AqYEa3FXjPS0PgrtckEzLlQ+js

Malware Config

Extracted

Family

xworm

127.0.0.1:2408

front-recommend.gl.at.ply.gg:2408

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Extracted

Family

vulturi

http://78.70.235.238:5050:5050/gate

Attributes

c2_encryption_key
RW0cRe5Zs02XCURF84ns2Q
c2_user
root

Extracted

Family

njrat

Version

0.7d

Botnet

https://uloz.to/

kamel-hacker.no-ip.biz:1188

Mutex

07f06f409b0231ba4f84af2f218145fb

Attributes

reg_key
07f06f409b0231ba4f84af2f218145fb
splitter
|'|'|

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

167.71.56.116:22364

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1234

Extracted

Family

xworm

Version

5.0

blog-inter.gl.at.ply.gg:35572

Mutex

e5Fz01U2wnLTm6Jz

Attributes

Install_directory
%AppData%
install_file
Microsoft.exe
telegram
https://api.telegram.org/bot7818532225:AAE5zgOMxoOeN0vIwutFPXEo3TEyYEyqB5k/sendMessage?chat_id=5147096551

aes.plain

Extracted

Family

xworm

Version

3.0

rndik-156-193-90-159.a.free.pinggy.link:36647

Mutex

XjOZyJuVeu5SB3cb

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

HacKed

match-monte.gl.at.ply.gg:5816

Mutex

09b7fb4586b6a7f342b9f8da2c44b4b6

Attributes

reg_key
09b7fb4586b6a7f342b9f8da2c44b4b6
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

[email protected]:46218

178.32.224.116:46218

Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes

activate_away_mode
false
backup_connection_host
178.32.224.116
backup_dns_server
buffer_size
65535
build_time
2018-07-28T12:59:38.488799236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
46218
default_group
tourex
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4af74541-e3f1-469c-8af7-efe4071b81cf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
[email protected]
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

redline

Botnet

REALLOG

196.251.92.11:1912

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Targets

- Target
  
  0ce8e2125cf9b2549eeb18b14754aa2158878fc9eabcde0f54d75556492048fa.exe
- Size
  
  17.6MB
- MD5
  
  a3d4b788c684ee6d200957eb4e54a56e
- SHA1
  
  8465ccf43773e62e8929c2272b3b0c0e9327b62c
- SHA256
  
  0ce8e2125cf9b2549eeb18b14754aa2158878fc9eabcde0f54d75556492048fa
- SHA512
  
  c5a4d7ffc8c7379822e7846979d3e8cd36a0cf6d3890d70fe214c2ed9713f3df6591fe324238ef89508db8fe4dcdb942abcd0c571566a6daeb6c159eabbcfbe1
- SSDEEP
  
  6144:op9RzLRJ4ewEuqJXdf8/v5BIhfsme6VlWT8b9HUpU15YnF149w2Ser9zeHjLozVJ:orYh3cdPVle8SU15O1yS3jLMC87J
Score

10^/10

discovery persistence privilege_escalation spyware stealer credential_access
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
- Size
  
  1.6MB
- MD5
  
  1ce9d2fa35466d6d37d1d56f63408884
- SHA1
  
  a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc
- SHA256
  
  0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1
- SHA512
  
  f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral3 behavioral4
- Target
  
  0d39a7ade0eaa19a185fc11508caeba9.exe
- Size
  
  920KB
- MD5
  
  0d39a7ade0eaa19a185fc11508caeba9
- SHA1
  
  5083d9622465c43bc02a1edd71acd1d9ae75270c
- SHA256
  
  51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea
- SHA512
  
  480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0
- SSDEEP
  
  12288:lANcYfRu9sAPayJk5cz9VBRmWAJXJmn72Rfc/G/BwG5vo5YTJRI1m2h47oJuzlZ4:lAbJwPa3YnGWnSR/uGuFQaRQj/
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  0d7cbc882298f639d31191a03ec81bd3.exe
- Size
  
  1.9MB
- MD5
  
  0d7cbc882298f639d31191a03ec81bd3
- SHA1
  
  93124a821e8fe02c1736cb62e9a613c8dc8379e6
- SHA256
  
  56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
- SHA512
  
  5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
- SSDEEP
  
  24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  0da351d641066e6d8ebb95e8bcb6e030.exe
- Size
  
  418KB
- MD5
  
  0da351d641066e6d8ebb95e8bcb6e030
- SHA1
  
  a95cfadf5d5c35d8d26c02c92460716003f1c9c3
- SHA256
  
  2b1b2abc07dc18921243eb6b26be170807db655803a4dfab4b4ec97d12e43d16
- SHA512
  
  398e77b481b23f8586c3da25708696b4b1b65cc7fc61035965b71d860f9e1bb7c0e984111f055fa61ee680842c4b6cd68bc7eb1717e30c55647cad7acb99b875
- SSDEEP
  
  6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwbk:ITNYrnE3bm/CiejewY5vXk
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  0dcb9d68dd68eefabbec3c03cc3e8381.exe
- Size
  
  73KB
- MD5
  
  0dcb9d68dd68eefabbec3c03cc3e8381
- SHA1
  
  2dd5b2b00ede969b27339eade10ae3777338d932
- SHA256
  
  537f638fa423a635cb9777e9a20b37c0757695a83c6307c1b482c0d8c932d9e8
- SHA512
  
  7176a5870a6ce56d2efed4f158642939714282799b326e3fbe366c4d1b2fdc8ee7441db58941a75b2fdfc58e25ed93f343cb34b8e3243fdd0a1992862452049d
- SSDEEP
  
  1536:AFOQ/aiFj51h/7Kxp/kyklHDspvtuuUP+bGzzphSt6EQj8OJ6Fj7o04ySv:AsBxppk9IvYuUP+bGzmPOB04lv
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  0de35a97204bf9ccbe98450bbae38fe0e7c92d608328b2e600bf5484b0a3b908.exe
- Size
  
  3.1MB
- MD5
  
  d75dc042e72a5fd37c05f05d8dbdc7de
- SHA1
  
  faf5875946155cbd51aca4e48a8a92f5fbc1ec37
- SHA256
  
  0de35a97204bf9ccbe98450bbae38fe0e7c92d608328b2e600bf5484b0a3b908
- SHA512
  
  c7ec20c1c44ae382b1b3f5491712027498fca71a8ec74970962f47703dc9a59fe599b3ad53e56fad15a113273a52a35e63ab051a86c983a508c3831a877ec580
- SSDEEP
  
  98304:27rWiRZ6B6HQxXKs7vWxvnRcOs7bWCZSmi:23WiRiYQxXDWxv+bfM
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  0df2367bf99523e1510e59310538d736cd3b125dcf0d76a09644fe7c65402f81.exe
- Size
  
  418KB
- MD5
  
  e99b2320bfeb2fb2579d35579d57e2fc
- SHA1
  
  91521081f29857d0c52b02e9b3f1ef3d631c8223
- SHA256
  
  0df2367bf99523e1510e59310538d736cd3b125dcf0d76a09644fe7c65402f81
- SHA512
  
  acb6da9556db64bc9963635e707f1675127b78231db73524ada754bca4a855a5eaebb8d95d374e5ae8f8aa24f326df0f198b26ba47de3c824a5300dfe59205d5
- SSDEEP
  
  6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwbO:ITNYrnE3bm/CiejewY5vXO
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  0df7144ed5104422c08fe0b6de1e2452.exe
- Size
  
  919KB
- MD5
  
  0df7144ed5104422c08fe0b6de1e2452
- SHA1
  
  665ac4c2866348f6b31482a410b1047707599409
- SHA256
  
  cf2142b71c02cebf4aca8910971c84f52b7692fdc6c7bdccebf8c93f6c9aca1c
- SHA512
  
  728e0f8c6e92c003813ac67895d05cdc944f172d444712ab101c8aa3d65e38715bf205dc6eeebedeef0b45400569f6fc41ab297c1610c9295cdfa8a48dbf7374
- SSDEEP
  
  12288:emxlloFX4YHwjBZXJ7HZAO/DrpDAmwySmAa5D9iX5HV/o7TcCiP0wMlP7r9r/+pj:eWlQ2HJzmO//+a5D9q/+TcLl61q
Score

10^/10

redline reallog discovery execution infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe
- Size
  
  32KB
- MD5
  
  24ac76c507c08cf66d5cd099a4f7a4d8
- SHA1
  
  55a327b3070cacb24f40ce9345da31ac7f130517
- SHA256
  
  0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3
- SHA512
  
  61b897e211b50c1e7d225abd53af1f438052bdd5dead0549193a516f53025a1026ba1bb90b2d2f965a9a69b0efe848616cb9258c01a4ba536ba4f8c49f3efc81
- SSDEEP
  
  384:DTOnlqWJCo8BKsVv6GlWdWthCwClnc9ni2WOvYGcFHr+85/RfDH4e5mpaQEh5eEj:WnCBBKs0GcUUlcVBWOvYvbL/0Ebllcw
Score

4^/10

discovery
behavioral19 behavioral20
- Target
  
  0e48a47f400685a0d5ded8ad220d8f30.exe
- Size
  
  5.9MB
- MD5
  
  0e48a47f400685a0d5ded8ad220d8f30
- SHA1
  
  9e2de24fe28723727750f9e911fff325d74399bb
- SHA256
  
  8ef226d36414c628f71bebb9a7724dbbe58ed58d280a35a32f4550593baf8c2a
- SHA512
  
  66a3f552ae9cc6e4fc78ec683105a52b6f2ff4e7d8436438320a3e2332bb2ee0fc7ef61c909f8692137e7eccdcdcf3f898b810e18b64bc254dd08cb69ba77481
- SSDEEP
  
  98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4G:RyeU11Rvqmu8TWKnF6N/1w3
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  0e820aad5e8af67e2f996c9261b1b8c500e26eab8fd99d9ec67dfecceb43aa54.exe
- Size
  
  291KB
- MD5
  
  bc87ea1bb1b4d40338ec591ff8c61257
- SHA1
  
  3fb705fb45d64565e691b71c2ab104933b36c481
- SHA256
  
  0e820aad5e8af67e2f996c9261b1b8c500e26eab8fd99d9ec67dfecceb43aa54
- SHA512
  
  84fe4ead9bf153512bfc8ede4b9ae3275035efc2eee955d7529e024c21c9bd19b343a5eddba22733e95200cb9557d8ffc8d24383dc3206642570a257fd13fc96
- SSDEEP
  
  6144:gqQDhqYPR4+n1X5nHRd7u/EKoY2axlZlkvbVZgh:gqQAYxn1XVHRd7eEKoSTggh
Score

10^/10

vulturi stealer
- Vulturi
  An info stealer written in C# and first seen in January 2021.
  stealer vulturi
- Vulturi family
  vulturi
- Vulturi payload
behavioral23 behavioral24
- Target
  
  0ea0e36c7047f7b2bf48101f2d9f62467b4bbf3749386f53ed607061ad0f0ed3.exe
- Size
  
  2.0MB
- MD5
  
  6283ec3aa9c3465a0a642253cc203917
- SHA1
  
  d580984ae888c69292248facf6bbe4d9db838d0d
- SHA256
  
  0ea0e36c7047f7b2bf48101f2d9f62467b4bbf3749386f53ed607061ad0f0ed3
- SHA512
  
  e2f67803acec9ff1348af2bcf461a647743c887f96d5bf39e757edc956a5b2b90fd8cec5abb7bba5b0882ecfe54c7cd503cb53f5d345caf3e98eb022f458f756
- SSDEEP
  
  49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral25 behavioral26
- Target
  
  0eb27c638574f831cab876ce13b9043a.exe
- Size
  
  23KB
- MD5
  
  0eb27c638574f831cab876ce13b9043a
- SHA1
  
  8b45b593edc1e9539e68106c087ccf71c2eb83b0
- SHA256
  
  209439e5a5d515be5ca3f5c578103301e52f08e7357fe0a882dbb725c75903b5
- SHA512
  
  bf7789c5afd1307ed351d7cf85995f67892b09a0d361b560bdc83163bbc163cea24c3fac763b4588124700f631d7ecf0c38073bd3bc4eb98ac1c4a964e6f73eb
- SSDEEP
  
  384:JPTWSEFDn65Egj6RGiYCINTY6xgXakh2oZDJmRvR6JZlbw8hqIusZzZ3Kgc:Jfm7OM9YX0MRpcnuoK1
Score

10^/10

njrat https://uloz.to/defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
- Size
  
  1.6MB
- MD5
  
  1e635900f25bb2891a42cf6d65ca80eb
- SHA1
  
  0c6e3ec0b571ee3d1504a4769a77405ba9a54edb
- SHA256
  
  0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef
- SHA512
  
  c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8
- SSDEEP
  
  24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral29 behavioral30
- Target
  
  0eed30726330520f68b4bec97e71989bc143e8755d0b918d2add30a15ce848f5.exe
- Size
  
  1019KB
- MD5
  
  3110a2c27c4dea08cfcc4a7c636e7c0e
- SHA1
  
  3e693b49fba673bf08c20e204e601d77d57a6469
- SHA256
  
  0eed30726330520f68b4bec97e71989bc143e8755d0b918d2add30a15ce848f5
- SHA512
  
  2b0bf73afd5e16ed4b4f40d74c0ada1acb5ffb298b786f575a4ff5dbad323d9957bf65abe5edb49ff63c1e48c2c681d3d882342da81d7275f936a60f61ed3129
- SSDEEP
  
  12288:zz7IFjvelQypyfy7z6u7+4DvbMUsIGojaYj:zz0FfMz6TEbMUskuO
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral31 behavioral32