dcrat | 071523576cd4bb651eeecf43780cea7dd9bcba75e00382016bc6ce9d47129c98 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Expensive.exe

windows10-2004-x64

Resubmissions

28/10/2023, 19:07

231028-xs4m6sef9w 10

28/10/2023, 18:18

231028-wxkv7aee4y 10

Sharing

General

Target

Expensive.exe
Size

2.1MB
Sample

231028-xs4m6sef9w
MD5

9127de477fcc591eea0315222e9ab353
SHA1

3731c238313b43c908c5c10981f6e0f35bb6593f
SHA256

071523576cd4bb651eeecf43780cea7dd9bcba75e00382016bc6ce9d47129c98
SHA512

3999391dc6dd1e2e92d2d1318ee6b2306542c0e7d2977e73130283a3b44edce8b553663e17d54eb683ddf04096006a31d8b47b430309e38f199599f6c9947023
SSDEEP

24576:h2G/nvxW3Wwh0hcCTp8vHOBYpTy1h1SyhGfS3l2o4nFAwODRxWcKmBN3ialREy4z:hbA3tGhcqKIJT1fsFpO/kWiaUJz

Score

10^/10

dcrat evasion infostealer rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Expensive.exe

Resource

win10v2004-20231020-en

dcrat evasion infostealer rat trojan

windows10-2004-x64

26 signatures

1800 seconds

Malware Config

Targets

- Target
  
  Expensive.exe
- Size
  
  2.1MB
- MD5
  
  9127de477fcc591eea0315222e9ab353
- SHA1
  
  3731c238313b43c908c5c10981f6e0f35bb6593f
- SHA256
  
  071523576cd4bb651eeecf43780cea7dd9bcba75e00382016bc6ce9d47129c98
- SHA512
  
  3999391dc6dd1e2e92d2d1318ee6b2306542c0e7d2977e73130283a3b44edce8b553663e17d54eb683ddf04096006a31d8b47b430309e38f199599f6c9947023
- SSDEEP
  
  24576:h2G/nvxW3Wwh0hcCTp8vHOBYpTy1h1SyhGfS3l2o4nFAwODRxWcKmBN3ialREy4z:hbA3tGhcqKIJT1fsFpO/kWiaUJz
Score

10^/10

dcrat evasion infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerrattrojan

© 2018-2025

Terms | Privacy