dcrat

Resubmissions

09-08-2023 01:09

230809-bh9ksage22 3

12-06-2023 15:59

230612-tfk4hsde3v 10

Sharing

Copy URL

Twitter E-mail

General

Target

Telegram Desktop.exe
Size

3.8MB
Sample

230612-tfk4hsde3v
MD5

1d156ea00258d8c5ed190ab425b6bf67
SHA1

92014a052c4654a167e933702d8b12b13ca6a90d
SHA256

96890d1d86aad9940fd54604ef09dd7e2dcf5cc084eeaf63a1062b4fbead91ae
SHA512

1eaa1fe0a8bfab0004d6dc5b773f710aebd5027f2258e41b5cf24eb164a70eb65a2395cee7d3244898e011baee3e3fc6d83dbcfbe1048d117984fa9fc40d8a54
SSDEEP

98304:iFgMEhr3Or19KXlcw1CdU2uP318hXjETV:uzGrO4n2uP3iwV

Score

10^/10

Malware Config

Targets

- Target
  
  Telegram Desktop.exe
- Size
  
  3.8MB
- MD5
  
  1d156ea00258d8c5ed190ab425b6bf67
- SHA1
  
  92014a052c4654a167e933702d8b12b13ca6a90d
- SHA256
  
  96890d1d86aad9940fd54604ef09dd7e2dcf5cc084eeaf63a1062b4fbead91ae
- SHA512
  
  1eaa1fe0a8bfab0004d6dc5b773f710aebd5027f2258e41b5cf24eb164a70eb65a2395cee7d3244898e011baee3e3fc6d83dbcfbe1048d117984fa9fc40d8a54
- SSDEEP
  
  98304:iFgMEhr3Or19KXlcw1CdU2uP318hXjETV:uzGrO4n2uP3iwV
Score

10^/10

dcrat pandastealer stormkitty infostealer persistence rat spyware stealer vmprotect collection discovery evasion trojan
- DCrat
  DarkCrystalrat.
  rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Panda Stealer payload
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
  stealer pandastealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Modifies termsrv.dll
  Commonly used to allow simultaneous RDP sessions.
behavioral1 behavioral2 behavioral3