dcrat | 67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8 | Triage

Sharing

General

Target

2222-main.zip
Size

25.7MB
Sample

210730-cnbv9bq1mn
MD5

c158eab31c5a8fd2da093fd5130f1ec8
SHA1

b26bf14a694095e86cd63bf66049c37d87e6e0a4
SHA256

67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8
SHA512

abbfeaf563b6cdd45b45f51d29100f9c26f84f8505c5895b42d209ffb20abf8ff43cfa02938b46f732386724de0a7c0e7fd89bef0ed7adaebadb82cfd0f8bf52

Score

10^/10

dcrat echelon bootkit infostealer persistence rat spyware stealer suricata

Malware Config

Targets

- Target
  
  2222-main/Build.exe
- Size
  
  1.8MB
- MD5
  
  9886d20dd6f3d896861cc5f8ea0ca84b
- SHA1
  
  96ab3affa0279d5795a29f3e1ecae37546b8bb11
- SHA256
  
  56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929
- SHA512
  
  02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- DCRat Payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  2222-main/NanoSense.dll
- Size
  
  1.8MB
- MD5
  
  1253946cb5c0a21446422815d328603c
- SHA1
  
  39c598d2f8152642d99138bb00b14c1cee7dd862
- SHA256
  
  e9447d000a28bcbca3a142e37ad6f1c479d2941e2dcac9c7f389199b3bb644c7
- SHA512
  
  cf33ab47a69fe6a3dc793233f26a3cc5a2d3f5706b3fa0daf63b2832437f0b670fe321adffd36473310ad7146ca7527f7b7b4b69000c645dc809a1d44811375c
Score

1^/10
behavioral3 behavioral4
- Target
  
  2222-main/OTC.dll
- Size
  
  8.7MB
- MD5
  
  cbac1eb2d0f808c9a1ace63379888580
- SHA1
  
  f502e21059146f8fffba5cd84f5dccd5c8b22677
- SHA256
  
  8afbfe7db1165a9c6be977be0d2455d9287ebd9c64688ac0bbcc3e1a9872cff3
- SHA512
  
  1d1e3bff24d61b58f9e81d037f6b1a58101bb4c12a6550da0d61486f34978a5744535033e4100ba929e49fe970f92c7c30a385f7398ab30a2e21873b3aa6f715
Score

1^/10
behavioral5 behavioral6
- Target
  
  2222-main/OTC2.dll
- Size
  
  3.0MB
- MD5
  
  0c10a107fc8686a7e74c4aa1f21c70da
- SHA1
  
  ce1fa117d53e87b3b4bdaaf828f3c2eba5bb10b7
- SHA256
  
  a2a7ec38150a186831d5d967b4b8321356d30e190eaf0c17d13033aa244fe93e
- SHA512
  
  de3cf3b0e26c6feb6177e9f197f73c015b4b8d744aa1bec75eb295c1feaeaa2f02493dc61ccc12e8e54b0c29f43fbab1a4d19ee5b3b47223e6d05e897fc584f2
Score

1^/10
behavioral7 behavioral8
- Target
  
  2222-main/aurora.dll
- Size
  
  9.8MB
- MD5
  
  615ba7d6883c4b07c7714c35e5aaf83e
- SHA1
  
  92f5386d468af168d6a19bd00254523257c6374e
- SHA256
  
  c7f7e979cad914ff9cae4e36219bda55b0545aa77dd4cd6fa1c5b72a75c1a5a6
- SHA512
  
  14a69c1ee5518a3976c7ca19623b53100f6bd28ea582af53b5421ecb6f7283f34a547376e8f7f03ce7a101cbc848f3a4f1911e2a9b65665264a8a6e0cc76c3da
Score

1^/10
behavioral9 behavioral10
- Target
  
  2222-main/fatality.dll
- Size
  
  3.0MB
- MD5
  
  86043572df1eb246ac76a227f6714bde
- SHA1
  
  bead769ded4445addd232d8432215ba64d2a7996
- SHA256
  
  6640724ab609a8d4d1cc3963cb9e9d271a54cb1e387b178b7596ea57ce5e6614
- SHA512
  
  3f76ba50c014ebb243071a30c1038267118d18cd502e7f71e264447953be72109b1b1819ace5ba4c781eb8068befa783e62152d8936c8df0e37e58d9a576cd28
Score

3^/10
behavioral11 behavioral12
- Target
  
  2222-main/gan.exe
- Size
  
  1.0MB
- MD5
  
  87eaf345538203eec98ef5eb3f5fb4e2
- SHA1
  
  3c32b64679c2e85b9b843ed7a3a38094b5719ba4
- SHA256
  
  07e3cf6d608401dd2b8cc367deea6c4d9ea110056d3f32bfd87e1f8555083cf1
- SHA512
  
  553ce491a393f32ba67a8c1871fddc840bd3fc2569f57af5ae20a9ee40961e7c435cf91cdfe93574777932d08abd5380b6dfdb607aee080542cb40f157419c9d
Score

10^/10

echelon spyware stealer
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13 behavioral14
- Target
  
  2222-main/mySThe.exe
- Size
  
  1.0MB
- MD5
  
  6d298ea9fddcb15bc12be3699b88724e
- SHA1
  
  946732233c9490060639a44ea593f2ccd6ddc30b
- SHA256
  
  74499fe96913a5ec1b89d8b79ca8bf2d3fd598c0d65339bd6d6223599f20aa7b
- SHA512
  
  40e40caaf22651eb749694b1827f1902c89935bb5f40baf7ec3c68bfd277b68bd76c3a7c54cfa4ce7959b7067b6fb00ec1513f57e330df7790a95e7ed6ebc8ed
Score

10^/10

echelon spyware stealer suricata
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  2222-main/myporno.exe
- Size
  
  871KB
- MD5
  
  a5e7145dc17d160b41d36dbea524c3f0
- SHA1
  
  2ad6faea0f967df37e404d14a4c1ccca607a924e
- SHA256
  
  99dfe0c0529b4122889ac7023330f2749df048d0b11a91e92155d991e189f0d8
- SHA512
  
  672a08a7e62b1129cc2997dd77e1709e86281d89d6ab88d12e771120b7a7a15638b9e2e110d3f95cf04e319da31dedbac4727d8b67e2a2343c68d280967d83c9
Score

10^/10

echelon spyware stealer
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18
- Target
  
  2222-main/pandora.dll
- Size
  
  8.6MB
- MD5
  
  f98204a914adb09119b97a90d7be8f8d
- SHA1
  
  eb6652f4dd2c5c61465e0e39bd729d0aa253e7a4
- SHA256
  
  74743cbc394143af17482b8be8ea93230fc5bb11a6f3f4530121b9d885726c94
- SHA512
  
  30145a0a02c339b4ef289219fe075d2945acfa1250aaec02000abea3c1dfbc4faec9e1f33fdf93efb780b6dc4dede4204db48cdcf9272121083ee46f6880f816
Score

10^/10
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral19 behavioral20
- Target
  
  2222-main/pass.exe
- Size
  
  863KB
- MD5
  
  a27ba5e68cdd7333b8cd5e4ebd558019
- SHA1
  
  c4e6d99f3979003424ad4cc511a36434944c02b0
- SHA256
  
  e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88
- SHA512
  
  2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1
Score

10^/10

spyware stealer suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral21 behavioral22
- Target
  
  2222-main/petya.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral23 behavioral24
- Target
  
  2222-main/sheyhST.exe
- Size
  
  1.0MB
- MD5
  
  a339a377abbfb9c0ee85652901cc67b3
- SHA1
  
  cbafbcefd502b16d4661a2da17fc6d04b34ee0cb
- SHA256
  
  0a0a341eb3849788273e62d2acd28de82942f01396c7543f85a5b8a8420e0c44
- SHA512
  
  a43ae5d6cf03c96ae757bdb97521562c64e7248d73791ecfae1498df4e9b7401d359bba5e56a3ba2c16cc0e6f30cfc6b9c421667353cb4677b98977c0082282d
Score

10^/10

echelon spyware stealer suricata
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral25 behavioral26
- Target
  
  2222-main/stpastio.exe
- Size
  
  1.0MB
- MD5
  
  76240af1d6ebffbf210af7d95b59b97e
- SHA1
  
  8f029dfb9a98bd1c34335010c97780ac3f602d61
- SHA256
  
  18f6c675acef58163ad7322fbbaf75ac8d92c50e3f4e2dd02f26bbc4a93f4262
- SHA512
  
  71f2a9bb9a3ba9b0123fa302c6a96f9ff5b58be7804d1a84c170c4b69173428ddbc6807e91e034b23f83db9b51dfb8c6c7ae439fb822b7887927e5c84c007687
Score

10^/10

echelon spyware stealer
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral27 behavioral28
- Target
  
  2222-main/test.exe
- Size
  
  50KB
- MD5
  
  934b148407a5f93bbeed3d5b2c91edde
- SHA1
  
  208fa687dea4cae2bd7a15907834ce107aea2683
- SHA256
  
  00a6aee5810a2f37be3722b8c05c363e9954e782f49e558f451c4097bbd6f217
- SHA512
  
  4cd3d836a122a19888f4be5541c158aa8add24b6276d8d9ee3a120ea2d3cc9ceb72c284ae41d3fa8d30b6c4bbfd18fe97ef451293222b9b9c23d125d3a882c2c
Score

3^/10
behavioral29 behavioral30
- Target
  
  2222-main/token.exe
- Size
  
  7KB
- MD5
  
  a35189bbe526f95125f313585a23c091
- SHA1
  
  571507b33c3bb4641562e86f66fab4068a807067
- SHA256
  
  97ffdd15bd339158c3569a1183d8d42250932c262a570bf230db6e741b5eb815
- SHA512
  
  b233916b3c56bf62098cda4a82f3e234ce9dbe20d60d055d6743464d0d75ab4890006327ea45c8f38f08284616f01f373ebe2a260b75cc1d0a74e2dae42169c5
Score

6^/10
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Scheduled Task

Bootkit

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

echelonspywarestealer

behavioral14

echelonspywarestealer

behavioral15

echelonspywarestealersuricata

behavioral16

spywarestealersuricata

behavioral17

echelonspywarestealer

behavioral18

behavioral19

behavioral20

behavioral21

spywarestealersuricata

behavioral22

spywarestealersuricata

behavioral23

bootkitpersistence

behavioral24

bootkitpersistence

behavioral25

echelonspywarestealersuricata

behavioral26

echelonspywarestealersuricata

behavioral27

echelonspywarestealer

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32