dcrat | 05301399[.]exe | Triage

Sharing

General

Target

05301399.exe
Size

828KB
MD5

ece82b00b9400f1d09a763853964e291
SHA1

b1b36fcd10ff7833f9bb430ea371df5d295498af
SHA256

90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57
SHA512

52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519
SSDEEP

12288:NaKyDgt9n5S56ZJ2dUWmBXcKOLUJMgAGuhLbLwN:NyDgt9n4iJ2dUbXwRgAGuLbLwN

Score

10^/10

rat dcrat

Malware Config

Signatures

DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

sample dcrat
Dcrat family
dcrat
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

05301399.exe

Files

05301399.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 814KB - Virtual size: 813KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 796B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ