dcrat | 14fe2e3c3da4f7833248a28afe183191cb4a0bb4412fd6b7efdd2606542c8041 | Triage

Sharing

General

Target

14fe2e3c3da4f7833248a28afe183191cb4a0bb4412fd6b7efdd2606542c8041N
Size

973KB
Sample

241001-tcxcda1hkc
MD5

9e2d06b56585b3d7cf2453d98c53de20
SHA1

5858c3ae6bdf0e1a2f4d15d02094cf0172946c52
SHA256

14fe2e3c3da4f7833248a28afe183191cb4a0bb4412fd6b7efdd2606542c8041
SHA512

c6b32a070a557c3bc23c807a419305f6bf91033a9d4a010c110c1221962718c3d0bb582ac20ff9e0344caa504545ea5aacfc17979003327fda1c192b962d4010
SSDEEP

12288:/hhBMuext92N3cit1RGJV/H0uQ1PjmzBd5EBy10cgZMc29ZxasnLlDD:/5E92NRzO/UFdmBchH29Zsg9

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Targets

- Target
  
  14fe2e3c3da4f7833248a28afe183191cb4a0bb4412fd6b7efdd2606542c8041N
- Size
  
  973KB
- MD5
  
  9e2d06b56585b3d7cf2453d98c53de20
- SHA1
  
  5858c3ae6bdf0e1a2f4d15d02094cf0172946c52
- SHA256
  
  14fe2e3c3da4f7833248a28afe183191cb4a0bb4412fd6b7efdd2606542c8041
- SHA512
  
  c6b32a070a557c3bc23c807a419305f6bf91033a9d4a010c110c1221962718c3d0bb582ac20ff9e0344caa504545ea5aacfc17979003327fda1c192b962d4010
- SSDEEP
  
  12288:/hhBMuext92N3cit1RGJV/H0uQ1PjmzBd5EBy10cgZMc29ZxasnLlDD:/5E92NRzO/UFdmBchH29Zsg9
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat