dcrat | f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

f554f85e09...22.exe

windows7-x64

f554f85e09...22.exe

windows10-2004-x64

Sharing

General

Target

f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522
Size

2.5MB
Sample

231012-q17w8see94
MD5

e71b100ba4895671392bebdb6940b58a
SHA1

3f0cc8aad3fa8041b5ba40ac4c3e9d9d2d909d25
SHA256

f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522
SHA512

24d99c32e2b275aa2554225932e73c319169cbe87811ab4d08861e44a43f0e7984690e1e83200405321062680d7ec679eea7ab7d09b633700b1edcf73dc68191
SSDEEP

49152:UbA30JB27p9ftg4mUnKbgHns5D6RL1gVHrl+ZraG9LOgwddVyB7pe:Ub3a9fmbgMN8qLYxasqDncq

Score

10^/10

dcrat infostealer rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe

Resource

win7-20230831-en

dcrat infostealer rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe

Resource

win10v2004-20230915-en

dcrat infostealer rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522
- Size
  
  2.5MB
- MD5
  
  e71b100ba4895671392bebdb6940b58a
- SHA1
  
  3f0cc8aad3fa8041b5ba40ac4c3e9d9d2d909d25
- SHA256
  
  f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522
- SHA512
  
  24d99c32e2b275aa2554225932e73c319169cbe87811ab4d08861e44a43f0e7984690e1e83200405321062680d7ec679eea7ab7d09b633700b1edcf73dc68191
- SSDEEP
  
  49152:UbA30JB27p9ftg4mUnKbgHns5D6RL1gVHrl+ZraG9LOgwddVyB7pe:Ub3a9fmbgMN8qLYxasqDncq
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerrat

behavioral2

dcratinfostealerrat

© 2018-2025

Terms | Privacy