dcrat | 87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927 | Triage

Submit
Reports

Overview

overview

Static

static

87D453765A...91.exe

windows7-x64

87D453765A...91.exe

windows10-2004-x64

Sharing

General

Target

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Size

1.2MB
Sample

230109-x2m2saag9s
MD5

9813aa384e2c0d3ae5d2fa54f94371a1
SHA1

39d610d7d3131f0c6bcb9b5866e6d34596ea9647
SHA256

87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927
SHA512

9502f14d66d20af12a8750bf6ca7a2ad83fdd86162bb455e86c88be522053377470497b0cb81430d2e747db9f2b0b033b641c8f68400e433f8888a73143454eb
SSDEEP

24576:yPdhBJ+P1fWl87ElLyYAUML/JqR4NA+4:MXDszElLylUMlpp

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

Resource

win7-20220812-en

dcrat infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

Resource

win10v2004-20221111-en

dcrat infostealer persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
- Size
  
  1.2MB
- MD5
  
  9813aa384e2c0d3ae5d2fa54f94371a1
- SHA1
  
  39d610d7d3131f0c6bcb9b5866e6d34596ea9647
- SHA256
  
  87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927
- SHA512
  
  9502f14d66d20af12a8750bf6ca7a2ad83fdd86162bb455e86c88be522053377470497b0cb81430d2e747db9f2b0b033b641c8f68400e433f8888a73143454eb
- SSDEEP
  
  24576:yPdhBJ+P1fWl87ElLyYAUML/JqR4NA+4:MXDszElLylUMlpp
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy