dcrat | fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056 | Triage

Submit
Reports

Overview

overview

Static

static

fab1001a72...56.exe

windows7-x64

fab1001a72...56.exe

windows10-2004-x64

Sharing

General

Target

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
Size

2.0MB
Sample

240424-2rt5kabb3z
MD5

96373b1a9080aa751b5a98fc96cfb66c
SHA1

17436af89fdf67d4c60416b7bccda9f6cb3cd490
SHA256

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
SHA512

4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79
SSDEEP

24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Resource

win7-20231129-en

dcrat infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Resource

win10v2004-20240226-en

dcrat infostealer persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
- Size
  
  2.0MB
- MD5
  
  96373b1a9080aa751b5a98fc96cfb66c
- SHA1
  
  17436af89fdf67d4c60416b7bccda9f6cb3cd490
- SHA256
  
  fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
- SHA512
  
  4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79
- SSDEEP
  
  24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Detects executables containing bas64 encoded gzip files
- Detects executables packed with SmartAssembly
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy