dcrat | f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

07e331d8f4...cs.exe

windows7-x64

07e331d8f4...cs.exe

windows10-2004-x64

Sharing

General

Target

07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Size

2.9MB
Sample

240516-wm1hwsha79
MD5

07e331d8f4da07460446c4946b7e1290
SHA1

236d4ec1debe9ff37d1b1612e2c6efc54f7900a8
SHA256

f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292
SHA512

49c1ee8bf1f5395bae30acfbc026d823bc5d02d2413755de768bd235121d5f992c5971e0479610c48f0d1593c0301ad713fb5cd2a75396e978acd87bd892730f
SSDEEP

49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Score

10^/10

dcrat evasion execution infostealer rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe

Resource

win7-20240220-en

dcrat evasion execution infostealer rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

dcrat evasion execution infostealer rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
- Size
  
  2.9MB
- MD5
  
  07e331d8f4da07460446c4946b7e1290
- SHA1
  
  236d4ec1debe9ff37d1b1612e2c6efc54f7900a8
- SHA256
  
  f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292
- SHA512
  
  49c1ee8bf1f5395bae30acfbc026d823bc5d02d2413755de768bd235121d5f992c5971e0479610c48f0d1593c0301ad713fb5cd2a75396e978acd87bd892730f
- SSDEEP
  
  49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Score

10^/10

dcrat evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratevasionexecutioninfostealerrattrojan

behavioral2

dcratevasionexecutioninfostealerrattrojan

© 2018-2025

Terms | Privacy