dcrat | b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085 | Triage

Submit
Reports

Overview

overview

Static

static

3

SampCheat.exe

windows11-21h2-x64

Resubmissions

30-10-2024 05:15

241030-fxr2haylfm 10

15-09-2024 10:03

240915-l3teeaxhld 10

30-07-2024 12:21

240730-pjcjbsybjr 10

Sharing

General

Target

SampCheat.zip
Size

2.0MB
Sample

241030-fxr2haylfm
MD5

ac515523cb2b3733ef577b41be25f567
SHA1

de33fa0b3c4cf54453f15181d636ee019cfb68ed
SHA256

b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085
SHA512

ed79899f7c030696816ae969a6eea0aba82da3d6842fc7e156bcba726eabea9a761c8c84a04dc4e72094e710b6235eb980d1aea8a55b86e9f99539c95ae168a4
SSDEEP

49152:6L88/y6uin8A/AKoiejQDdAtbRib29m8O4O:evome8DitLzO

Score

10^/10

dcrat discovery execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SampCheat.exe

Resource

win11-20241007-en

dcrat discovery execution infostealer persistence rat

windows11-21h2-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  SampCheat.exe
- Size
  
  6.6MB
- MD5
  
  73d7e637cd16f1f807930fa6442436df
- SHA1
  
  26c13b2c29065485ce1858d85d9dc792c06ed052
- SHA256
  
  cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6
- SHA512
  
  f3561a2090e70b6a2a7c4070daebce1b9ff269fef1a8ca6297c20eb28170675eec7c689d05a05a00b8ddb2d1c2c82639c5d53f63782c0460acd4d3aa95328922
- SSDEEP
  
  49152:AnsHyjtk2MYC5GDuBJIopGdJ3Rjl4eZK4qgTouABRCXO8DSTYa:Ansmtk2aTeo4dJhjieLq37z8mka
Score

10^/10

dcrat discovery execution infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratdiscoveryexecutioninfostealerpersistencerat

© 2018-2024

Terms | Privacy