dcrat | 3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca | Triage

Submit
Reports

Overview

overview

Static

static

3f4fe6774d...ca.exe

windows7-x64

3f4fe6774d...ca.exe

windows10-2004-x64

Sharing

General

Target

3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe
Size

1.1MB
Sample

240503-bntfrabd91
MD5

97a02921ff06b071f3a85c0e8cc98a80
SHA1

9638ac7c260c4b02e66b16b2f23b048020aeb84b
SHA256

3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca
SHA512

6446cdbfccdeaa4f402e18b93bb41981ff55da2be3cff8190bc68a3f1228e0a15bb2c81a3c5b04901941c49749b10311a784d8692d1f18e5df93b2e7d1c84d3c
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbEG5jtTrn0BGL81k/cX47Ct9lzIquqyWWg+j:U2G/nvxW3Ww0tb5jtTrnKGL81IGhNWrj

Score

10^/10

dcrat evasion infostealer rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe

Resource

win7-20240221-en

dcrat evasion infostealer rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe

Resource

win10v2004-20240419-en

dcrat evasion infostealer rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe
- Size
  
  1.1MB
- MD5
  
  97a02921ff06b071f3a85c0e8cc98a80
- SHA1
  
  9638ac7c260c4b02e66b16b2f23b048020aeb84b
- SHA256
  
  3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca
- SHA512
  
  6446cdbfccdeaa4f402e18b93bb41981ff55da2be3cff8190bc68a3f1228e0a15bb2c81a3c5b04901941c49749b10311a784d8692d1f18e5df93b2e7d1c84d3c
- SSDEEP
  
  12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbEG5jtTrn0BGL81k/cX47Ct9lzIquqyWWg+j:U2G/nvxW3Ww0tb5jtTrnKGL81IGhNWrj
Score

10^/10

dcrat evasion infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerrat

behavioral2

dcratevasioninfostealerrat

© 2018-2024

Terms | Privacy