dcrat | 5623347388fc45acd294e716d177fcfe0a9240a118a63a1b4c1aff16decbc688 | Triage

Submit
Reports

Overview

overview

Static

static

Mefolis.exe

windows7-x64

Mefolis.exe

windows10-2004-x64

Sharing

General

Target

Mefolis.exe
Size

2.1MB
Sample

230123-zkvreafd46
MD5

4cec961d70acca93a3ba9ef751a6148e
SHA1

3073d86f539283571debb31f074c8c5d657bbb61
SHA256

5623347388fc45acd294e716d177fcfe0a9240a118a63a1b4c1aff16decbc688
SHA512

e2db3e7397608d45f720f9037e2516da8769259a0be73f3847169992f9ad3fbdaef2fa4df8e5175afc8dbbdba5c07a1b23bd3d5d3347dc2822d1175f8ca19659
SSDEEP

49152:UbA30QIb95L66TpclrNsIqhXNDWm5wD5cRc8:UbsG95dp+sIqr6VDORc8

Score

10^/10

dcrat evasion infostealer rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Mefolis.exe

Resource

win7-20221111-en

dcrat evasion infostealer rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Mefolis.exe

Resource

win10v2004-20220812-en

dcrat evasion infostealer rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  Mefolis.exe
- Size
  
  2.1MB
- MD5
  
  4cec961d70acca93a3ba9ef751a6148e
- SHA1
  
  3073d86f539283571debb31f074c8c5d657bbb61
- SHA256
  
  5623347388fc45acd294e716d177fcfe0a9240a118a63a1b4c1aff16decbc688
- SHA512
  
  e2db3e7397608d45f720f9037e2516da8769259a0be73f3847169992f9ad3fbdaef2fa4df8e5175afc8dbbdba5c07a1b23bd3d5d3347dc2822d1175f8ca19659
- SSDEEP
  
  49152:UbA30QIb95L66TpclrNsIqhXNDWm5wD5cRc8:UbsG95dp+sIqr6VDORc8
Score

10^/10

dcrat evasion infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerrattrojan

behavioral2

dcratevasioninfostealerrattrojan

© 2018-2024

Terms | Privacy