dcrat | 6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1 | Triage

Submit
Reports

Overview

overview

Static

static

0a0a64f3c4...e8.exe

windows7-x64

0a0a64f3c4...e8.exe

windows10-2004-x64

Resubmissions

12-01-2023 20:01

230112-yrh6hsae52 10

07-01-2023 04:41

230107-fa3jqagb8t 10

07-01-2023 04:21

230107-eynj2acf87 10

Sharing

General

Target

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Size

3.8MB
Sample

230112-yrh6hsae52
MD5

0a0a64f3c4fa7d960be983aa0a7d0ce8
SHA1

b597c7397ecaff7c5c1aa27f5124fc7b8a94e643
SHA256

6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1
SHA512

ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4
SSDEEP

98304:F7b3a0t2TiPhx6Sp+ybfnDA4qo34n1oO:FH3Z8cp+gDZ4n1

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Resource

win7-20220901-en

dcrat evasion infostealer persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Resource

win10v2004-20221111-en

dcrat evasion infostealer persistence rat trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
- Size
  
  3.8MB
- MD5
  
  0a0a64f3c4fa7d960be983aa0a7d0ce8
- SHA1
  
  b597c7397ecaff7c5c1aa27f5124fc7b8a94e643
- SHA256
  
  6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1
- SHA512
  
  ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4
- SSDEEP
  
  98304:F7b3a0t2TiPhx6Sp+ybfnDA4qo34n1oO:FH3Z8cp+gDZ4n1
Score

10^/10

dcrat evasion infostealer persistence rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerpersistencerattrojan

behavioral2

dcratevasioninfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy