dcrat | 2ee377500e967e7e494fe644d11cc9c0cfe9571321161612a7b773d6abac4053 | Triage

Submit
Reports

Overview

overview

Static

static

fc75a247bc...18.exe

windows7-x64

fc75a247bc...18.exe

windows10-2004-x64

Sharing

General

Target

fc75a247bc88f67848e50428121cc96c_JaffaCakes118
Size

1.4MB
Sample

240420-llv7nsec3w
MD5

fc75a247bc88f67848e50428121cc96c
SHA1

fe772f5018ab78903a6888005c049938a1940d12
SHA256

2ee377500e967e7e494fe644d11cc9c0cfe9571321161612a7b773d6abac4053
SHA512

8ee432c87a2643b0c0ea9ad2824938b08ecda59a6307929c33d32e653be09520d198f4aeada4d991c768e85bda80dd1301d5f4e5d2a38fa9fb244e0925f3024c
SSDEEP

24576:eoHQQzRfEwcmM0JP/fdR7QrxJA75F4ov8Hh+4:lZ2ksS5Fz

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

fc75a247bc88f67848e50428121cc96c_JaffaCakes118.exe

Resource

win7-20240221-en

dcrat infostealer persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

fc75a247bc88f67848e50428121cc96c_JaffaCakes118.exe

Resource

win10v2004-20240412-en

dcrat infostealer persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  fc75a247bc88f67848e50428121cc96c_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  fc75a247bc88f67848e50428121cc96c
- SHA1
  
  fe772f5018ab78903a6888005c049938a1940d12
- SHA256
  
  2ee377500e967e7e494fe644d11cc9c0cfe9571321161612a7b773d6abac4053
- SHA512
  
  8ee432c87a2643b0c0ea9ad2824938b08ecda59a6307929c33d32e653be09520d198f4aeada4d991c768e85bda80dd1301d5f4e5d2a38fa9fb244e0925f3024c
- SSDEEP
  
  24576:eoHQQzRfEwcmM0JP/fdR7QrxJA75F4ov8Hh+4:lZ2ksS5Fz
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy