dcrat | 87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7 | Triage

Submit
Reports

Overview

overview

Static

static

1

dridex

windows10-1703-x64

Sharing

General

Target

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
Size

149KB
Sample

230217-wh9k1agf67
MD5

44ec25472db6fee472da351f487dc468
SHA1

ec1213cf3c2e4cfb59d6c5939cec70127ae5089a
SHA256

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
SHA512

5a19e138bb7233701d1b4d00d135e95741f3cf2294458ce393ad2de11642a15382efaff94eb6563969fb60663e3606f59f92756900d3f4b37d8f928d89f262e6
SSDEEP

3072:eEChCvRP0UwWtirLOFtugxs3zobkeZOo3:e5hCvFvwsxFEg63wKo

Score

10^/10

dcrat smokeloader agilenet backdoor microsoft evasion infostealer phishing rat themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe

Resource

win10-20220812-en

dcrat smokeloader agilenet backdoor microsoft evasion infostealer phishing rat themida trojan

windows10-1703-x64

27 signatures

150 seconds

Malware Config

Targets

- Target
  
  87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
- Size
  
  149KB
- MD5
  
  44ec25472db6fee472da351f487dc468
- SHA1
  
  ec1213cf3c2e4cfb59d6c5939cec70127ae5089a
- SHA256
  
  87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
- SHA512
  
  5a19e138bb7233701d1b4d00d135e95741f3cf2294458ce393ad2de11642a15382efaff94eb6563969fb60663e3606f59f92756900d3f4b37d8f928d89f262e6
- SSDEEP
  
  3072:eEChCvRP0UwWtirLOFtugxs3zobkeZOo3:e5hCvFvwsxFEg63wKo
Score

10^/10

dcrat smokeloader agilenet backdoor microsoft evasion infostealer phishing rat themida trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

dcratsmokeloaderagilenetbackdoormicrosoftevasioninfostealerphishingratthemidatrojan

© 2018-2024

Terms | Privacy