dcrat | 7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795 | Triage

Submit
Reports

Overview

overview

Static

static

04bc55e59d...89.exe

windows7-x64

04bc55e59d...89.exe

windows10-2004-x64

Sharing

General

Target

04bc55e59d87e74f4c0ec46372abd189.exe
Size

1.2MB
Sample

230109-vmeezsad5y
MD5

04bc55e59d87e74f4c0ec46372abd189
SHA1

b56a220ce878cc0aced7b9245e9ecc91d34595df
SHA256

7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795
SHA512

0fc1c2a801331149a296e060347eb6ded5eafc22b8fd5b4435f76c04b3d1a2177150319c6c6e52d992d6f7aeb2083496dfded4ddbb993f3cc363833f87e57e6d
SSDEEP

24576:AWFIGSbrjVGH+PZmriNz9GNTq6w1ZdTM0QfbSQk4j46oHO:PIxmxvlaO

Score

10^/10

dcrat agilenet infostealer persistence rat

Static task

static1

agilenet rat dcrat

3 signatures

Behavioral task

behavioral1

Sample

04bc55e59d87e74f4c0ec46372abd189.exe

Resource

win7-20220812-en

dcrat agilenet infostealer persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

04bc55e59d87e74f4c0ec46372abd189.exe

Resource

win10v2004-20221111-en

dcrat agilenet infostealer persistence rat

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  04bc55e59d87e74f4c0ec46372abd189.exe
- Size
  
  1.2MB
- MD5
  
  04bc55e59d87e74f4c0ec46372abd189
- SHA1
  
  b56a220ce878cc0aced7b9245e9ecc91d34595df
- SHA256
  
  7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795
- SHA512
  
  0fc1c2a801331149a296e060347eb6ded5eafc22b8fd5b4435f76c04b3d1a2177150319c6c6e52d992d6f7aeb2083496dfded4ddbb993f3cc363833f87e57e6d
- SSDEEP
  
  24576:AWFIGSbrjVGH+PZmriNz9GNTq6w1ZdTM0QfbSQk4j46oHO:PIxmxvlaO
Score

10^/10

dcrat agilenet infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agilenetratdcrat

behavioral1

dcratagilenetinfostealerpersistencerat

behavioral2

dcratagilenetinfostealerpersistencerat

© 2018-2024

Terms | Privacy