dcrat | 257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9 | Triage

Submit
Reports

Overview

overview

Static

static

1744e4af1c...75.exe

windows7-x64

1744e4af1c...75.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

1744e4af1c372a57b1cd99b6f92baf75.exe
Size

1.6MB
Sample

220908-13x5xsgac3
MD5

1744e4af1c372a57b1cd99b6f92baf75
SHA1

f0f396bd4d9b55f21ec054aab9e7c396ebf250be
SHA256

257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9
SHA512

a5c7ee33ffafd6b348026af4afd829ba433bcd0431300178b6dd30341d7253557adb2f0343419c1430b96abf2b9d130513917b7d1ccfbf0d4c12fafd9e2def2b
SSDEEP

24576:+XGq9fNAehxNnn+MsgnUQ0+vgd9Ulk5R/+VKkccpScpuw72sEeh8Sx8y:vqVNxhxFVKQKHgk5RmVKG7dr

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

1744e4af1c372a57b1cd99b6f92baf75.exe

Resource

win7-20220901-en

dcrat infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1744e4af1c372a57b1cd99b6f92baf75.exe

Resource

win10v2004-20220812-en

dcrat infostealer persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  1744e4af1c372a57b1cd99b6f92baf75.exe
- Size
  
  1.6MB
- MD5
  
  1744e4af1c372a57b1cd99b6f92baf75
- SHA1
  
  f0f396bd4d9b55f21ec054aab9e7c396ebf250be
- SHA256
  
  257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9
- SHA512
  
  a5c7ee33ffafd6b348026af4afd829ba433bcd0431300178b6dd30341d7253557adb2f0343419c1430b96abf2b9d130513917b7d1ccfbf0d4c12fafd9e2def2b
- SSDEEP
  
  24576:+XGq9fNAehxNnn+MsgnUQ0+vgd9Ulk5R/+VKkccpScpuw72sEeh8Sx8y:vqVNxhxFVKQKHgk5RmVKG7dr
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2025

Terms | Privacy