dcrat

General

Target

HeartsOFIronIV.rar
Size

15KB
Sample

220906-mlpwbsgfek
MD5

b8762a8dba88b4b9831597fb4cb27831
SHA1

7cf57c1a0ad12c81bb9adb3f5633d4012b947a2c
SHA256

a22afac108297e7090f54cf79abd4aa49d837195ebe3464be6718b2ab100864d
SHA512

a457e60d332c5bfd7792896f41b31270b446d6dba09966be7882af936abdf5f94163f71bad7061c1da3a1a5bdce998ed09ab2892f7b9f49e5723fa4b07738a96
SSDEEP

384:RCs3M67tAq6YWWrYRf23N5aR0Sx7EvZe3Sl8UTfL1dKhIDPD6n03c9:DM67+PW8Rf23rfy3YTxdKVec9

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

log

C2

195.3.223.79:33189

Targets

- Target
  
  HeartsOFIronIV.bat
- Size
  
  24KB
- MD5
  
  067a03764ac51fe3e7836f7f1ee6a7f6
- SHA1
  
  02a9c4e98ba5804b0a94f5464ff03efa3498684d
- SHA256
  
  ba17971c13364a2b00efc656bea093538063b5c54c6247e0c0013c5a191c5317
- SHA512
  
  1b94ec243386560465d27c7a5e1f12a438ce0bce351bdef72a10de1dbfad1a7d0f09156502726a76ae744a21143d13a9297320937b3924bd9ba639792d3908e6
- SSDEEP
  
  384:RrQOabFKKGgSjC1YuuVdLYyWPyIPsBvdQYb6WE+7EHoDunxFaM6:FQfSe3aYy7mGH7pEmuvaM6
Score

10^/10

dcrat redline log discovery evasion exploit infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies security service
  evasion
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2