dcrat

General

Target

Solara NEW.exe
Size

6.9MB
Sample

241020-s3wcbswape
MD5

23afefaf5360cd0ece4cb0d5f9f59088
SHA1

09464062917ac2af3bcd8d8d669a9b324b2c88db
SHA256

0d1f2e73c09d687276067a433262e1f8dc6a1e2ac64d06bd1f6f9c6f2d559247
SHA512

de4b9b161935b118493cbb8c1bdaf77bdd83de9f2993f5000462ee367ed6a260b3bedee033278a1f0db85535ee1df112ee26d11c8b45f9fc1c2e6d5c64ba2357
SSDEEP

98304:frWORYn3zDs9FD9Br8/ja/9PdnFBVXnnG0+zHVRgMmVzuIMlHK04PBgTKZ9r/hak:qPDivr8uRVZnAH/xmVzdMleuTQpwEqvE

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

HexLogin-25386.portmap.host:25386

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
SFX.exe
copy_folder
WinSFX
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
logs
keylog_path
%UserProfile%
mouse_option
true
mutex
remcos_drwamwuxqf
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%SystemDrive%
screenshot_time
120
startup_value
WinSFX
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Solara NEW.exe
- Size
  
  6.9MB
- MD5
  
  23afefaf5360cd0ece4cb0d5f9f59088
- SHA1
  
  09464062917ac2af3bcd8d8d669a9b324b2c88db
- SHA256
  
  0d1f2e73c09d687276067a433262e1f8dc6a1e2ac64d06bd1f6f9c6f2d559247
- SHA512
  
  de4b9b161935b118493cbb8c1bdaf77bdd83de9f2993f5000462ee367ed6a260b3bedee033278a1f0db85535ee1df112ee26d11c8b45f9fc1c2e6d5c64ba2357
- SSDEEP
  
  98304:frWORYn3zDs9FD9Br8/ja/9PdnFBVXnnG0+zHVRgMmVzuIMlHK04PBgTKZ9r/hak:qPDivr8uRVZnAH/xmVzdMleuTQpwEqvE
Score

10^/10

dcrat remcos host discovery evasion execution infostealer persistence rat spyware stealer trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1