dcrat | 308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61 | Triage

Submit
Reports

Overview

overview

Static

static

308238649d...61.exe

windows7-x64

308238649d...61.exe

windows10-2004-x64

Sharing

General

Target

308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61.exe
Size

2.3MB
Sample

241123-ayngtatkaz
MD5

8856304a8bad8f3c4132c28042b8df80
SHA1

82adc02d2ccdc3485e6edb00ac36f71f2d804158
SHA256

308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61
SHA512

c5ab3dca5ad9c0577dcce69a6941259e67066141dc297e07a53b487ea0a51a68c9b79934ce443dc4a3f5e7eee65521cbc13b2f7afe7f594ee7ec5db59f484499
SSDEEP

49152:UbA300qL5o66QwgVAVph9QBoyycpwgPGdnDq3IEPU:UbV7oh9yycFODq3vPU

Score

10^/10

dcrat discovery infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61.exe

Resource

win7-20240903-en

dcrat discovery infostealer persistence rat

windows7-x64

15 signatures

120 seconds

Behavioral task

behavioral2

Sample

308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61.exe

Resource

win10v2004-20241007-en

dcrat discovery infostealer persistence rat

windows10-2004-x64

16 signatures

120 seconds

Malware Config

Targets

- Target
  
  308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61.exe
- Size
  
  2.3MB
- MD5
  
  8856304a8bad8f3c4132c28042b8df80
- SHA1
  
  82adc02d2ccdc3485e6edb00ac36f71f2d804158
- SHA256
  
  308238649d710b938f9e0cf04bf52a0a3a89b253310035afdc0ba8e846732c61
- SHA512
  
  c5ab3dca5ad9c0577dcce69a6941259e67066141dc297e07a53b487ea0a51a68c9b79934ce443dc4a3f5e7eee65521cbc13b2f7afe7f594ee7ec5db59f484499
- SSDEEP
  
  49152:UbA300qL5o66QwgVAVph9QBoyycpwgPGdnDq3IEPU:UbV7oh9yycFODq3vPU
Score

10^/10

dcrat discovery infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratdiscoveryinfostealerpersistencerat

behavioral2

dcratdiscoveryinfostealerpersistencerat

© 2018-2024

Terms | Privacy