dcrat

General

Target

IF1PXZtmsaZ0kuzid.exe
Size

2.3MB
Sample

230127-d2j6cahg2v
MD5

b2ac8e0da2f2f8152825793e8bde6d08
SHA1

40345576c358da2977fc309ec87bd9997848e321
SHA256

48221b2502edd78ffb1474664a6ff020475f571fcd4216bdf321ed2ab2671f5e
SHA512

1db6fc28775acd856ee0c163918ba579a00b4f3fb28483022cce8f87340a39b23a789aa3ce6cf83c43b5ec5361c5bb90219cbc7ae6d85d04e53139e0a6017921
SSDEEP

24576:WMNtFZj9J4rIIUMRaM/v72MPcz0jP3fE4w2QRqCcXnWMutE5+:7j/cRNdPvEcnWlI+

Score

10^/10

Malware Config

Targets

- Target
  
  IF1PXZtmsaZ0kuzid.exe
- Size
  
  2.3MB
- MD5
  
  b2ac8e0da2f2f8152825793e8bde6d08
- SHA1
  
  40345576c358da2977fc309ec87bd9997848e321
- SHA256
  
  48221b2502edd78ffb1474664a6ff020475f571fcd4216bdf321ed2ab2671f5e
- SHA512
  
  1db6fc28775acd856ee0c163918ba579a00b4f3fb28483022cce8f87340a39b23a789aa3ce6cf83c43b5ec5361c5bb90219cbc7ae6d85d04e53139e0a6017921
- SSDEEP
  
  24576:WMNtFZj9J4rIIUMRaM/v72MPcz0jP3fE4w2QRqCcXnWMutE5+:7j/cRNdPvEcnWlI+
Score

10^/10

dcrat infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2