dcrat | f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743 | Triage

Submit
Reports

Overview

overview

Static

static

F1ACEEFBBB...66.exe

windows7-x64

F1ACEEFBBB...66.exe

windows10-2004-x64

Sharing

General

Target

F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Size

1.5MB
Sample

220922-ya35csgadm
MD5

152fc3939962d6e1e572f00b33daf7b6
SHA1

25a7bebb0bdce7657fc563949befbf52021b5ea0
SHA256

f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743
SHA512

ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2
SSDEEP

24576:0crm83KQ6jF2oZkbkXu8MEG7GuR8jZBipt62ob1BKzickKhnakY:3XaJA86h7GuRIBat0BKvhX

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

Resource

win7-20220812-en

dcrat infostealer persistence rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

Resource

win10v2004-20220901-en

dcrat infostealer persistence rat spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
- Size
  
  1.5MB
- MD5
  
  152fc3939962d6e1e572f00b33daf7b6
- SHA1
  
  25a7bebb0bdce7657fc563949befbf52021b5ea0
- SHA256
  
  f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743
- SHA512
  
  ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2
- SSDEEP
  
  24576:0crm83KQ6jF2oZkbkXu8MEG7GuR8jZBipt62ob1BKzickKhnakY:3XaJA86h7GuRIBat0BKvhX
Score

10^/10

dcrat infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistenceratspywarestealer

behavioral2

dcratinfostealerpersistenceratspywarestealer

© 2018-2025

Terms | Privacy