dcrat

General

Target

SolaraBootstrapper.exe
Size

9.5MB
Sample

240721-yv23sssdjb
MD5

7d9b8cef5925d1a700d720743bf61865
SHA1

10321760a98c0220be157441ae0516a5003ceba3
SHA256

1f3a8ed14dcf8dd8b4a88787b08163b9e9d65d999e61645b90c0c91b6a8f71fd
SHA512

793cf9f9641cd3c79fdba67af80d4ecf4b17ba4c151cc4696504740db64aaf309caeec1497273092a825e3543109f1172648193b9ae8a15d57b1501b74d2f8a9
SSDEEP

196608:ZE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5d66w:ZE9B0OjrdLK4J/n66w

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20a41ecc467eb3759f60737293cab52ce2ed05277e%0A%E2%80%A2%20Comment%3A%20br0ken%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20MUEOAWXB%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CWindowsRE%5CSppExtComObj.ex

Targets

- Target
  
  SolaraBootstrapper.exe
- Size
  
  9.5MB
- MD5
  
  7d9b8cef5925d1a700d720743bf61865
- SHA1
  
  10321760a98c0220be157441ae0516a5003ceba3
- SHA256
  
  1f3a8ed14dcf8dd8b4a88787b08163b9e9d65d999e61645b90c0c91b6a8f71fd
- SHA512
  
  793cf9f9641cd3c79fdba67af80d4ecf4b17ba4c151cc4696504740db64aaf309caeec1497273092a825e3543109f1172648193b9ae8a15d57b1501b74d2f8a9
- SSDEEP
  
  196608:ZE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5d66w:ZE9B0OjrdLK4J/n66w
Score

10^/10

dcrat gurcu xmrig execution infostealer miner persistence privilege_escalation rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1