dcrat

General

Target

fatality(ez cracked).exe
Size

2.6MB
Sample

241120-w6p69s1alc
MD5

56622002384049e2d2a6b70511c5e614
SHA1

8b1edded9e65ea88c555cd3d17a297f78e8862c4
SHA256

7fd1dd60ec001addf3f66143d962dc393c68c00761257adbdc95bced6f4d684c
SHA512

f4aa66667b578c510b99b6a464976fa6d0655f89165554f7fee4dfa4d03874007319ceb57316c73ac46c5d07961a9c198dd5866bfb6956d92895e91b54a68c7d
SSDEEP

49152:JbA3TLHcQogOnBJi/2Kw+gkKh2KXQ10fCB4h70ZE5v91aLAsOfM+JJ5tRTJUHt:JbK0gOn6/2Kw+gkKgmQ17Ba0Z8v91aLz

Score

10^/10

Malware Config

Targets

- Target
  
  fatality(ez cracked).exe
- Size
  
  2.6MB
- MD5
  
  56622002384049e2d2a6b70511c5e614
- SHA1
  
  8b1edded9e65ea88c555cd3d17a297f78e8862c4
- SHA256
  
  7fd1dd60ec001addf3f66143d962dc393c68c00761257adbdc95bced6f4d684c
- SHA512
  
  f4aa66667b578c510b99b6a464976fa6d0655f89165554f7fee4dfa4d03874007319ceb57316c73ac46c5d07961a9c198dd5866bfb6956d92895e91b54a68c7d
- SSDEEP
  
  49152:JbA3TLHcQogOnBJi/2Kw+gkKh2KXQ10fCB4h70ZE5v91aLAsOfM+JJ5tRTJUHt:JbK0gOn6/2Kw+gkKgmQ17Ba0Z8v91aLz
Score

10^/10

dcrat credential_access defense_evasion discovery infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Modifies termsrv.dll
  Commonly used to allow simultaneous RDP sessions.
behavioral1