dcrat

General

Target

inv2.rar
Size

998KB
Sample

241130-1lxstswnbx
MD5

7278d7ca66978bcaecdb36ac396e933a
SHA1

ca9e4626966312df94e901772513943e2698245a
SHA256

6b5c914e114e50038d60c875ca17291783bddea90a8a3b79dd0d936f2f63a7ea
SHA512

a19a214c429f02427b09e155063ff9bc643ef1c66cde419e33d98aae32fe254261570770078cb7761bbebd0727181c28e06cda9aa5fc8114ee16cee0fc685d2f
SSDEEP

24576:r41Gv8NkGPvzNHtZXDoMa2C1KeYqoh8kKuscli0nLwy:r46wkw1LoMa2C1KeYbRco

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

QQtalk

C2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

stealc

Botnet

Voov

C2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Targets

- Target
  
  baedawdgh.exe
- Size
  
  29KB
- MD5
  
  3ace4cb9af0f0a2788212b3ec9dd4a4e
- SHA1
  
  2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb
- SHA256
  
  121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e
- SHA512
  
  76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56
- SSDEEP
  
  384:EhEy+hzv91UqVY8+JppEhKe+Ej7sI4GSFdX9NAb/QX22r5A/w/o0el7xI:IEy+hT91UqVY8+XpEh6CMs7gx/o17
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral1
- Target
  
  gdwadtyjuesfshas.exe
- Size
  
  135KB
- MD5
  
  bc48cb98d8f2dacca97a2eb72f4275cb
- SHA1
  
  cd3dd263fc37c8c7beb1393a654b400f2f531f1c
- SHA256
  
  c18fb46afa17ad8578d1edd4aa6a89b42f381ca7998a4e5a096643e0f2721c49
- SHA512
  
  7db6992278ca008e7aafa07eb198b046a125d23ca524f15d5302b137385dd4e40a4a54ce4dabb28710b71fbcfdd2d3315fb36e591edc2b3e1737b11b9ee45a5c
- SSDEEP
  
  3072:1TGtOioVUSuLwYMdbQro39gSms+rkNgrQ8WZW:peoVU9JMdbQrbvtG
Score

5^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral2
- Target
  
  gweadtrgh.exe
- Size
  
  409KB
- MD5
  
  3a94ac80a1bbe958b6544874f311be69
- SHA1
  
  bc6352ee84bed107a4b30b545934698c4e664baf
- SHA256
  
  1839ee5c3534ad1a6929c9de33bce63cf6f96cce1ae3dc8240f4cf352250db0f
- SHA512
  
  f31d93889251ec2c6581107a7a0122be63d5f7b8253403736d38f1d2ffa2cb693e30a205ceb36b823265fd58bb2854cc44064988110daf3fe1c8ea02e7d2227c
- SSDEEP
  
  6144:zhk7s+AfJjoF3U5w81tLffIru6t1tztD675DoRK3L9YhZmdC/0fNSZH97ndaW9:P+UJjoF3U5w8rk8LeYcR97nQW
Score

8^/10

credential_access discovery spyware stealer
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3
- Target
  
  hjgesadfseawd.exe
- Size
  
  889KB
- MD5
  
  ef75329efa1fa3cff64a2249e8b59306
- SHA1
  
  90db5c089347c52e7aeddbe97a652b0dc622b840
- SHA256
  
  6024771adfff13a50785d4bca819c583db42a5671d86bc6ac517c3620d931259
- SHA512
  
  73cf385ce56147f4c7862ef90cda59c947408dc0bf82c9d0c4b503bb53266d62763c79759235ee20e07b6e36cb50c123facab185d099e397daf0574eb586302f
- SSDEEP
  
  12288:kzw1NV5Il51mx6vEiss/VRqyAk9wiXPrQfkXmm1RhdLB9XirkVknCBz9eQFZz//q:kc8Xh/VAyAksEPLZj9H6t1
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  rat
behavioral4
- Target
  
  kisloyat.exe
- Size
  
  239KB
- MD5
  
  aa002f082380ecd12dedf0c0190081e1
- SHA1
  
  a2e34bc5223abec43d9c8cff74643de5b15a4d5c
- SHA256
  
  f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c
- SHA512
  
  7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692
- SSDEEP
  
  3072:CLCrbK4vn4p+U1v+N3Bz1IJ8JEchyka7Z7LU/fmvXXkdMJ08:waGm1U5Y1ICJU117L+eX0dqz
Score

10^/10

stealc qqtalk credential_access discovery spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5
- Target
  
  kisteruop.exe
- Size
  
  239KB
- MD5
  
  aa7c3909bcc04a969a1605522b581a49
- SHA1
  
  e6b0be06c7a8eb57fc578c40369f06360e9d70c9
- SHA256
  
  19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
- SHA512
  
  f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0
- SSDEEP
  
  3072:QLCrbK4vn4p+U1v+N3Bz1IJ8JEchyka7Z7LU/fHY5rrr2MJ08:WaGm1U5Y1ICJU117L+45rrr2qz
Score

10^/10

stealc voov credential_access discovery spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral6
- Target
  
  pothjmawdtrg.exe
- Size
  
  439KB
- MD5
  
  d1ccaa1cdc4f59d2e32065f37e3d707f
- SHA1
  
  9414747b539af8d60c5a22f750c527601685f234
- SHA256
  
  07a2cf7b2426399a5ac14c6e5d4ab3f70c3a3b426a79f0a3aacd0c309d75b698
- SHA512
  
  f67ea08ce5ea5338df21c8a918e4a71901802eccfa350bcf30d22413e5c57dfb7cbaafadebf8fd00032ce2a887c7362a909cde177d022b2778eb8a632f3d059f
- SSDEEP
  
  12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Tt9:+OS6IZ7QN/R8yoaG/B
Score

10^/10

discovery
- Suspicious use of NtCreateUserProcessOtherParentProcess
behavioral7