dcrat | 54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece | Triage

Submit
Reports

Overview

overview

Static

static

04a31d7675...d5.exe

windows7-x64

04a31d7675...d5.exe

windows10-2004-x64

Sharing

General

Target

04a31d7675a4858c9c1ddb7c818782d5
Size

1.4MB
Sample

231229-1hkn4aabf6
MD5

04a31d7675a4858c9c1ddb7c818782d5
SHA1

991b6bd9ed58869e8e408158b99a050791e15f17
SHA256

54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece
SHA512

2fac1ab544a88b0476e474d0990ab24fa5a678f0ae983aca1666910774d85a0b5dcc2040ef5fff21a25ef04d57fdc35de34af28d24c73af8b66c163b890b5d97
SSDEEP

24576:u2G/nvxW3WieCO0Kktota4CJjOEn3v02OSPm0woqLvs4eI3x9WE+4Q:ubA3jY4oLCJjNn/wGb8eASb

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

04a31d7675a4858c9c1ddb7c818782d5.exe

Resource

win7-20231215-en

dcrat infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

04a31d7675a4858c9c1ddb7c818782d5.exe

Resource

win10v2004-20231215-en

dcrat infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  04a31d7675a4858c9c1ddb7c818782d5
- Size
  
  1.4MB
- MD5
  
  04a31d7675a4858c9c1ddb7c818782d5
- SHA1
  
  991b6bd9ed58869e8e408158b99a050791e15f17
- SHA256
  
  54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece
- SHA512
  
  2fac1ab544a88b0476e474d0990ab24fa5a678f0ae983aca1666910774d85a0b5dcc2040ef5fff21a25ef04d57fdc35de34af28d24c73af8b66c163b890b5d97
- SSDEEP
  
  24576:u2G/nvxW3WieCO0Kktota4CJjOEn3v02OSPm0woqLvs4eI3x9WE+4Q:ubA3jY4oLCJjNn/wGb8eASb
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy