dcrat | f729b1f245206764aec8b16491884978effc91030735430d5d906c06c4761a5c | Triage

Submit
Reports

Overview

overview

Static

static

25bc30afa6...52.exe

windows7-x64

25bc30afa6...52.exe

windows10-2004-x64

Sharing

General

Target

7fbdb2f5c7830894d0436a8291e1231f.bin
Size

239KB
Sample

230130-xlqgzadc3t
MD5

d933a2fb580dfbe584a1d7ab88a58a2b
SHA1

a9b39cdca491e29933e9744f132880bd043f1d54
SHA256

f729b1f245206764aec8b16491884978effc91030735430d5d906c06c4761a5c
SHA512

92c30c2dcc3fbcf5e7740bd3bfb101ae6b77663ef60ec58452ee8365d55b61a374eaab8d02bce511290429c80ea7a5edf40d74b0208a4411105c5c2e3ee1f28b
SSDEEP

6144:Wmj1EXVzGH36sRRlt2DgUr7omqjpTS6EeNx:b1EFaH9RyxtqlG6NL

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

Resource

win7-20220812-en

dcrat infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

Resource

win10v2004-20220812-en

dcrat infostealer persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
- Size
  
  532KB
- MD5
  
  7fbdb2f5c7830894d0436a8291e1231f
- SHA1
  
  22a13d9bacb8dcf04eb0260999f75fed68d21d0a
- SHA256
  
  25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152
- SHA512
  
  186f41e9bf79dd0e3711c95d2a73ac734efe83b2321f4f5cd920bf21e95c4075829780d91adbce471335a76cc786a68d8162447b6032465def9d54e8e6b36c1d
- SSDEEP
  
  12288:KqnOG4bunLVYAN2ehGtdd3vzQ2JzgW8Lntk:K+OG4bcYAnhGl3U2Jz
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy