dcrat

General

Target

Acrepi 3.6.zip
Size

1.1MB
Sample

230424-23akasfb43
MD5

ebc164d5ba9b55f9b07f1a04e3b49c79
SHA1

0fa7a01ecf3171eb4992c3ade3cf136a55084f97
SHA256

82631fce8b8c5a06d952c9d0eec077cd0c14bb14fe0164a9b50a925bd46aae9b
SHA512

25516be43ea316beeaa9af1326e34b6baf9f8e5ea379521ff63457a3ee6f455a093d04a219137e10eab37df347c54cc92a89689e00b5ff73e31088fc185e5936
SSDEEP

24576:7u2JhY0Jayh7sOxjEDpfiBwVz6rUhVI/0bmFPEpoVTbg3vbxl9wlMAo86WY3uC:i2/Y0X7scQpVe6VIM6FMp0I3vbx4lN6l

Score

10^/10

Malware Config

Targets

- Target
  
  CLibrary.dll
- Size
  
  18KB
- MD5
  
  379358b4cd4b60137c0807f327531987
- SHA1
  
  b0a5f6e3dcd0dbc94726f16ed55d2461d1737b59
- SHA256
  
  0ff1d03926f5d9c01d02fae5c5e1f018a87d7f90a1826de47277530bfc7776f8
- SHA512
  
  097c08135d654596a19ada814ad360a8c2374d989cbd7094c6acb092e9854abf1f1d878d3da72b66c4c75806586bee7fe04d555a1d82db170725bdbeadea7d50
- SSDEEP
  
  384:rLyPunoshzdtnbuH0aXOk0GfZh5g+zCxU:rLy7s5dJuHHOqhyy
Score

1^/10
behavioral1
- Target
  
  injector.exe
- Size
  
  1.7MB
- MD5
  
  8cc41b512b7fdf051bff007c253e4043
- SHA1
  
  0b63191f4f416c41be915a08e2e045e9ba1ce1a0
- SHA256
  
  9dcfcb7b9dd25f740986fe03702928371903d279dbab6b5d8c7cb7a574f0caca
- SHA512
  
  3d773346ba5e7a1782934121e66b47d1865c1b82a8260ad2195c28865fb80dbaa325d6483a28c99e7e510a3d0dd4f835742626acea44042e3155d41f71bd93e9
- SSDEEP
  
  24576:P2G/nvxW3W+0ZddL1uN+9vYzK1pTVklXQ3JcGJdyuC6gFLMRUSIxNhoAJHIqL/hg:PbA3ebJ1uo8IcayuqSIdo0eL1
Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral2