dcrat | 550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0 | Triage

Submit
Reports

Overview

overview

Static

static

3

Temp Spoofer.exe

windows10-ltsc 2021-x64

Resubmissions

24-11-2024 01:20

241124-bp5v6sspcr 10

24-11-2024 01:18

241124-bn4xgswqav 10

Sharing

General

Target

Temp Spoofer.exe
Size

80KB
Sample

241124-bn4xgswqav
MD5

5374b62745b86ac86e6a4c89921182cd
SHA1

921a4a2d5c6489bc5a0b5697bf19678495dfadbf
SHA256

550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0
SHA512

e56cb7ebd3be67e94776043f885412e5f42cfc0c258fe9a2f2fe3dd79f115b0416f64df5cfc82fa275ada0787224ece1400a86bd9567f6e014361ef87082461f
SSDEEP

1536:brvp14xgT6UellETcCMUlzLCYzha6a2UWwZyeMcxV6MFae:bbVjnTcCMUZLZBUWwZhMcCMFa

Score

10^/10

dcrat discovery evasion execution infostealer rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Temp Spoofer.exe

Resource

win10ltsc2021-20241023-en

dcrat discovery evasion execution infostealer rat

windows10-ltsc 2021-x64

24 signatures

300 seconds

Malware Config

Targets

- Target
  
  Temp Spoofer.exe
- Size
  
  80KB
- MD5
  
  5374b62745b86ac86e6a4c89921182cd
- SHA1
  
  921a4a2d5c6489bc5a0b5697bf19678495dfadbf
- SHA256
  
  550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0
- SHA512
  
  e56cb7ebd3be67e94776043f885412e5f42cfc0c258fe9a2f2fe3dd79f115b0416f64df5cfc82fa275ada0787224ece1400a86bd9567f6e014361ef87082461f
- SSDEEP
  
  1536:brvp14xgT6UellETcCMUlzLCYzha6a2UWwZyeMcxV6MFae:bbVjnTcCMUZLZBUWwZhMcCMFa
Score

10^/10

dcrat discovery evasion execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

dcratdiscoveryevasionexecutioninfostealerrat

© 2018-2024

Terms | Privacy