dcrat | 1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b | Triage

Submit
Reports

Overview

overview

Static

static

1d439ec54e...1b.exe

windows7-x64

1d439ec54e...1b.exe

windows10-2004-x64

Sharing

General

Target

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b
Size

568KB
Sample

230129-yc3llscf3s
MD5

964c865ff8000d828844c15a893b6a01
SHA1

f515cc005445d2090319a8345154bcf59f3824a1
SHA256

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b
SHA512

230b0924c9fcdf67d03ce8b229d042286a2c99117f472691c3b7691bc34d4519825346ae1a279ea498c728c66e8240e4c4f20bceed40028036468ae1a926f66c
SSDEEP

12288:9Qnk3GDYKGcbloTn85eZV8D5ubjObv+hq6arF+6dS:HAOcZEnOeZ+k++q6arFTQ

Score

10^/10

dcrat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe

Resource

win7-20220901-en

dcrat evasion infostealer rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe

Resource

win10v2004-20221111-en

dcrat evasion infostealer persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b
- Size
  
  568KB
- MD5
  
  964c865ff8000d828844c15a893b6a01
- SHA1
  
  f515cc005445d2090319a8345154bcf59f3824a1
- SHA256
  
  1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b
- SHA512
  
  230b0924c9fcdf67d03ce8b229d042286a2c99117f472691c3b7691bc34d4519825346ae1a279ea498c728c66e8240e4c4f20bceed40028036468ae1a926f66c
- SSDEEP
  
  12288:9Qnk3GDYKGcbloTn85eZV8D5ubjObv+hq6arF+6dS:HAOcZEnOeZ+k++q6arFTQ
Score

10^/10

dcrat evasion infostealer rat persistence
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerrat

behavioral2

dcratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy