dcrat

General

Target

Hack.zip
Size

1.8MB
Sample

240722-s6gy4svejh
MD5

ee6ed9dad9e44e6b851d82ef4f5c5bf4
SHA1

9df5855ee93aa3771ae0989349409082639f1f2d
SHA256

9a77c1df03fa36eac52d056f31852fdbbda28f3cab1e493b3214403014c524e5
SHA512

b56da27f3911851e38d38c8c77d59be48cf5a97f83ffee488affb576de2a49a4c98a2db3778c5a40b372b5a85241a623b14c358f44247574c870d03cac762128
SSDEEP

49152:v69wLFYzQ4HCnC0yGQEEGa9SwyD3Fl07J:Hdi0yGQTU1EJ

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendPhoto?chat_id=6513322270&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2069a05a8ea3e31a368514e5625b5580807505a969%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20SXACGPIN%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CWindowsRE%5Csihost.ex

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendDocument?chat_id=6513322270&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%2069a05a8ea3e31a368514e5625b5580807505a969%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A25.043177

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendDocument?chat_id=6513322270&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%2069a05a8ea3e31a368514e5625b5580807505a969%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A10.178728

Targets

- Target
  
  MalinovkaHack.exe
- Size
  
  2.3MB
- MD5
  
  684d0c5b768a7de891ff7a6c1d7a0e52
- SHA1
  
  2073f2f64ef0f225320b441307d31d7f70412311
- SHA256
  
  66f35f9abdbb58a53ad4c323ef2dc17d3dc11808d5ffaec3e7f8192845e7c762
- SHA512
  
  beef37964f1c1a3c059938216a270d38c6687b22b401dae7f086496a6ce6ff8028988cae267c82491c5d5984b329a7e4ff63679df7f0bf74b430281e40521138
- SSDEEP
  
  49152:bbA35OY/GyEjrK5Ul5ja45+CGml000ds/rczenW:bbJQGykrK5UlQZCH0dsTcKnW
Score

10^/10

dcrat gurcu execution infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1