Extracted

Extracted

• • Target

    DCRat.exe

  • Size

    15.0MB

  • MD5

    d4adfcf9065296e31a49327ebe642584

  • SHA1

    83f527cdb0868e772c0538fe64c68e71e8e38669

  • SHA256

    d958d55003daa3b5e322a920126104fbd93663b46803c8653aa0240aa1e80244

  • SHA512

    10942a219ec55be6c7324f1962fccff1281d0870b906bab03622d6803426db26fd3702ce350e4b05dae761031df155ff1248eb44a9fe627522f03a848f6c0929

  • SSDEEP

    393216:NdiQoFnY61ZmZZBFGndTMXdPpLNGxrkLzgTTP5b:NdiQoFnY61ZmXBFGdfrUIx

  Score

  10^/10

  dcratumbralxwormexecutioninfostealerpersistencepyinstallerratspywarestealertrojan

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Umbral payload

  • Detect Xworm Payload

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2