dcrat | 40fb662761491390c1e86e0e2d7cfc671b2239a5c3109ee0c76c963cf1f1fd62 | Triage

Submit
Reports

Overview

overview

Static

static

900eb9fef2...a1.exe

windows7_x64

900eb9fef2...a1.exe

windows10_x64

Sharing

General

Target

900eb9fef2464a9f9d8f8e6583bcb8a1.exe
Size

1.4MB
Sample

220130-13xt6abccq
MD5

900eb9fef2464a9f9d8f8e6583bcb8a1
SHA1

5941e80798f6aa3ea56bc4891494a27f55bb2c10
SHA256

40fb662761491390c1e86e0e2d7cfc671b2239a5c3109ee0c76c963cf1f1fd62
SHA512

2f3a72d450c35a96ed9ac40bd889cb558d42d15581d1df91857551dee7f7429ebaa4e6d67cfa8b1f56b590f924306d0ac35bbe880c33ff14933e28291aa2416e

Score

10^/10

dcrat infostealer persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

900eb9fef2464a9f9d8f8e6583bcb8a1.exe

Resource

win7-en-20211208

dcrat infostealer persistence rat spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

900eb9fef2464a9f9d8f8e6583bcb8a1.exe

Resource

win10-en-20211208

dcrat infostealer persistence rat spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  900eb9fef2464a9f9d8f8e6583bcb8a1.exe
- Size
  
  1.4MB
- MD5
  
  900eb9fef2464a9f9d8f8e6583bcb8a1
- SHA1
  
  5941e80798f6aa3ea56bc4891494a27f55bb2c10
- SHA256
  
  40fb662761491390c1e86e0e2d7cfc671b2239a5c3109ee0c76c963cf1f1fd62
- SHA512
  
  2f3a72d450c35a96ed9ac40bd889cb558d42d15581d1df91857551dee7f7429ebaa4e6d67cfa8b1f56b590f924306d0ac35bbe880c33ff14933e28291aa2416e
Score

10^/10

dcrat infostealer persistence rat spyware stealer suricata
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE DCRAT Activity (GET)
  suricata: ET MALWARE DCRAT Activity (GET)
  suricata
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistenceratspywarestealersuricata

behavioral2

dcratinfostealerpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy