dcrat

General

Target

961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d
Size

1.9MB
Sample

241125-1s2qcsvnfk
MD5

897337394338c3de4be5d55a5d23595a
SHA1

33712202b478a39b89b6d81dc757ab3ee9c52923
SHA256

961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d
SHA512

1c30fbe2772accec7da8503064c82f364168e4e5359896a54afb47c72c117e7ee01d0b9a87fd9b89bb79e3dcd9985ef8d2d8e90bc1fe2c04c7ee237cc7939296
SSDEEP

49152:OB8cAUiFBfBfQigyb/9aYabCnHLuoLk+kig2+5HNf:Q/iF/fQdCrzLk+kiIXf

Score

10^/10

Malware Config

Targets

- Target
  
  961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d
- Size
  
  1.9MB
- MD5
  
  897337394338c3de4be5d55a5d23595a
- SHA1
  
  33712202b478a39b89b6d81dc757ab3ee9c52923
- SHA256
  
  961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d
- SHA512
  
  1c30fbe2772accec7da8503064c82f364168e4e5359896a54afb47c72c117e7ee01d0b9a87fd9b89bb79e3dcd9985ef8d2d8e90bc1fe2c04c7ee237cc7939296
- SSDEEP
  
  49152:OB8cAUiFBfBfQigyb/9aYabCnHLuoLk+kig2+5HNf:Q/iF/fQdCrzLk+kiIXf
Score

10^/10

dcrat discovery execution infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2