dcrat

General

Target

SolaraB.rar
Size

3.4MB
Sample

240630-h15swavcjb
MD5

c096c744fe5598e682ed1c1f2626a5e9
SHA1

a42ee3debf621ef401e9d111bb30f2ce6412a0ec
SHA256

44825fbcd6990e29a1a3c36fc9645978c17dfdde5f5355b3d5aa778e8b8fadec
SHA512

36548779d3df50e0a23a9de07c122e69f65dbd13f00edb33ed2c43e30f2cbd0f7c32f6dae165dbf229751002d812a3e04c75a2d0059d6e15c7c3fbe6c675b13a
SSDEEP

98304:2JZ3hy1IyMVar/e7lNhTRQBEjTxyYYvHygIpQSxrf:MdSIyLKhmBEjZgqQS5

Score

10^/10

Malware Config

Targets

- Target
  
  SolaraB/Solara/SolaraBootstrapper.exe
- Size
  
  3.6MB
- MD5
  
  1084103f4bd706bf885d41afea903c6d
- SHA1
  
  13d1b69e8d5beb8da4a7064dba7d170d1a038659
- SHA256
  
  a79d06166220bed4b1f1db64c211e0b8ae442d053ad3428cb7bc4a802bcb0c18
- SHA512
  
  9affc2ce5813e810d686bd5f4faf70e3b4062a07da470ce8ea1214b11b078fd4c41a8c59bd49bb64505ac209b3bb91ed32ee49e8cc69617178701e6ed8390ff4
- SSDEEP
  
  98304:ZqwBaxdtHuWZIJ0iDZkTBo2UYndDXJzATh:Zqw0xdtHutJ08uTBZUYnpQ
Score

10^/10

dcrat evasion infostealer rat themida trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2