dcrat | eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5 | Triage

Submit
Reports

Overview

overview

Static

static

eab2a57923...d5.exe

windows7-x64

eab2a57923...d5.exe

windows10-2004-x64

Sharing

General

Target

eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
Size

2.9MB
Sample

240704-fretzswbrn
MD5

ae3ebf1bdd4cfaaf60058c82c1e3075f
SHA1

7cd11b62afe32197e71c18fd480912e5166a19a5
SHA256

eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
SHA512

4424a2614b0b73bbffe39a4f0b68d41f8f90488333995ce7d47f97274bf6d9b051a0c92511e7df3949478bb2e7d1a1923ef94058a78a6b3bf06aca1738e6be34
SSDEEP

49152:iBojA1ji5x2V6bA30eGCYdDwhc2Mmpj+6y0bgli9xPMC6Mux:iU5jbimFwhc2zjb3glukrx

Score

10^/10

dcrat gurcu discovery evasion execution infostealer persistence rat spyware stealer themida trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5.exe

Resource

win7-20231129-en

dcrat execution infostealer persistence rat spyware stealer

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5.exe

Resource

win10v2004-20240611-en

dcrat gurcu discovery evasion execution infostealer persistence rat spyware stealer themida trojan

windows10-2004-x64

40 signatures

150 seconds

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%208f21045c62c00476fa1fad6a7d6fb9a03faa10e3%0A%E2%80%A2%20Comment%3A%20proliv%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ENXQHETB%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20191.101.209.39%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAdmin%5CSendTo%5Cwininit.ex

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendDocument?chat_id=7391062786&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%208f21045c62c00476fa1fad6a7d6fb9a03faa10e3%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A26.044753

Targets

- Target
  
  eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
- Size
  
  2.9MB
- MD5
  
  ae3ebf1bdd4cfaaf60058c82c1e3075f
- SHA1
  
  7cd11b62afe32197e71c18fd480912e5166a19a5
- SHA256
  
  eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
- SHA512
  
  4424a2614b0b73bbffe39a4f0b68d41f8f90488333995ce7d47f97274bf6d9b051a0c92511e7df3949478bb2e7d1a1923ef94058a78a6b3bf06aca1738e6be34
- SSDEEP
  
  49152:iBojA1ji5x2V6bA30eGCYdDwhc2Mmpj+6y0bgli9xPMC6Mux:iU5jbimFwhc2zjb3glukrx
Score

10^/10

dcrat execution infostealer persistence rat spyware stealer gurcu discovery evasion themida trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

dcratexecutioninfostealerpersistenceratspywarestealer

behavioral2

dcratgurcudiscoveryevasionexecutioninfostealerpersistenceratspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy