dcrat | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

6ab0890a2a...f6.exe

windows7-x64

6ab0890a2a...f6.exe

windows10-2004-x64

Sharing

General

Target

6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
Size

3.1MB
Sample

240228-t88ehsgg3t
MD5

2c03d2d911694cd33c23b0edafd33ff0
SHA1

c16efb40930aec5b7f894b78f9b6f04bfc03fa0f
SHA256

6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6
SHA512

b02b123bfb5d5ef55820315887ceecbdb4ecdc50f7af241a9b6b722baedcce0b6441e1553d1ccbc85b091ac84c1c4801d8cdcc291575d8a4dc1afa974fc76dee
SSDEEP

49152:xp70LTonM7JrVV+t8Z6e8hyF9kdrq8ChhGpg2U/KQ7d5tQX:gfonMdBVZYyjACh0DUB71

Score

10^/10

dcrat infostealer rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe

Resource

win7-20240221-en

dcrat infostealer rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe

Resource

win10v2004-20240226-en

dcrat infostealer rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
- Size
  
  3.1MB
- MD5
  
  2c03d2d911694cd33c23b0edafd33ff0
- SHA1
  
  c16efb40930aec5b7f894b78f9b6f04bfc03fa0f
- SHA256
  
  6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6
- SHA512
  
  b02b123bfb5d5ef55820315887ceecbdb4ecdc50f7af241a9b6b722baedcce0b6441e1553d1ccbc85b091ac84c1c4801d8cdcc291575d8a4dc1afa974fc76dee
- SSDEEP
  
  49152:xp70LTonM7JrVV+t8Z6e8hyF9kdrq8ChhGpg2U/KQ7d5tQX:gfonMdBVZYyjACh0DUB71
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerrat

behavioral2

dcratinfostealerrat

© 2018-2025

Terms | Privacy