dcrat

General

Target

82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661.exe
Size

23.9MB
Sample

240512-kqm67abh77
MD5

585d78b9ffc988d345e7a2a0ee119111
SHA1

65b5c6a6c72a845d5610d82ca2aa9a301a907e43
SHA256

82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661
SHA512

574c1f9ecaaeee0cc7afb989e3c3d309beedf3b114fbbb0aa491a285d94e27b4e87626a109805d06edcace458441189cc2dbcd17588c670ce8788c9e8e3a9772
SSDEEP

393216:849/fUrtpuKs+JINSpjQNjqsVsUzpX/Swl6YdecNbLX3IjD4BzB/RLG0jV7ZIfue:cBZs+JIgpjQosVRlKwlOq/X2EtF9IGe

Score

10^/10

Malware Config

Targets

- Target
  
  82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661.exe
- Size
  
  23.9MB
- MD5
  
  585d78b9ffc988d345e7a2a0ee119111
- SHA1
  
  65b5c6a6c72a845d5610d82ca2aa9a301a907e43
- SHA256
  
  82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661
- SHA512
  
  574c1f9ecaaeee0cc7afb989e3c3d309beedf3b114fbbb0aa491a285d94e27b4e87626a109805d06edcace458441189cc2dbcd17588c670ce8788c9e8e3a9772
- SSDEEP
  
  393216:849/fUrtpuKs+JINSpjQNjqsVsUzpX/Swl6YdecNbLX3IjD4BzB/RLG0jV7ZIfue:cBZs+JIgpjQosVRlKwlOq/X2EtF9IGe
Score

10^/10

dcrat zgrat discovery evasion execution infostealer persistence rat spyware stealer bootkit
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect ZGRat V1
- Modifies security service
  evasion
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2