dcrat | aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41 | Triage

Submit
Reports

Overview

overview

Static

static

7

injector.exe

windows7-x64

injector.exe

windows10-2004-x64

Sharing

General

Target

injector.exe
Size

4.1MB
Sample

230328-d992qsaf51
MD5

05baef98bd302a685a7b0412341223ad
SHA1

3808f40778dd09ca2437e531725a48f1cbc34a50
SHA256

aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41
SHA512

93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf
SSDEEP

98304:phfEZMB8SQTr3cEA6Ql2GyzXCNHmCWK4DYq5Ek:/fEZQ8NTrMB6QlozyOYqWk

Score

10^/10

dcrat evasion infostealer rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

injector.exe

Resource

win7-20230220-en

dcrat evasion infostealer rat themida trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

injector.exe

Resource

win10v2004-20230220-en

dcrat evasion infostealer rat themida trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  injector.exe
- Size
  
  4.1MB
- MD5
  
  05baef98bd302a685a7b0412341223ad
- SHA1
  
  3808f40778dd09ca2437e531725a48f1cbc34a50
- SHA256
  
  aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41
- SHA512
  
  93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf
- SSDEEP
  
  98304:phfEZMB8SQTr3cEA6Ql2GyzXCNHmCWK4DYq5Ek:/fEZQ8NTrMB6QlozyOYqWk
Score

10^/10

dcrat evasion infostealer rat themida trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerratthemidatrojan

behavioral2

dcratevasioninfostealerratthemidatrojan

© 2018-2024

Terms | Privacy