dcrat

General

Target

InstallFile.exe
Size

2.2MB
Sample

230128-e1yg1sfe8s
MD5

e14d3c54fb43442b8c99febfb7007d71
SHA1

5f2872a705eb75516e491b0a3e57d8fd945a23c5
SHA256

f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366
SHA512

aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf
SSDEEP

49152:JmYP7zNGoWl6NcM8HLSqHmNMZkWHkF+H:JmYzGQWJrtGI

Score

10^/10

Malware Config

Targets

- Target
  
  InstallFile.exe
- Size
  
  2.2MB
- MD5
  
  e14d3c54fb43442b8c99febfb7007d71
- SHA1
  
  5f2872a705eb75516e491b0a3e57d8fd945a23c5
- SHA256
  
  f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366
- SHA512
  
  aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf
- SSDEEP
  
  49152:JmYP7zNGoWl6NcM8HLSqHmNMZkWHkF+H:JmYzGQWJrtGI
Score

10^/10

dcrat evasion infostealer rat spyware stealer themida trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2