dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

Debug.zip
Size

2.8MB
Sample

241208-wcgm2a1jcx
MD5

bcf3c12b4e7e18224d6d220b0007bfe0
SHA1

384d9eb33dd7b49235fdf2f3eeacb00b65917689
SHA256

2b9e2bdeb348be368e9cafd06c15414bbe725af32a8c40ee56c3266db8a5b2a3
SHA512

ea1b1100bf768659ff166d61cf33e2ba5bdeea2c4f13f3feddf8d78f0f327937ab875b2f922b305e4d40511c84bb3dd3f330be5fcb27cb73c44460b92161fbee
SSDEEP

49152:y1Bt3Ii6i+chPwb56vkIwKIFdZyn+4pWpm380tZQuykvBQtjyaErxtffRTiTI98+:y1Bi5yP86sIwKAC3tZQ3kvBQtjXSzffh

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/vJmE27fr

Extracted

Family

xworm

Version

3.0

plus-loves.gl.at.ply.gg:59327

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  Debug/BulbaZ.exe
- Size
  
  51KB
- MD5
  
  671037658a67820363d670b4e2c3fa17
- SHA1
  
  bbae9179361f49ccdccfd4338bb108ffc1d4118a
- SHA256
  
  8bd3ee1d96fdfd71f84cdf404bf33d50d1032eb5ae8bbe45da2de693d23bf6dd
- SHA512
  
  5d79862596e234349e0fac8b904d23369d0c5b8f2ab958744b320fd0e6f3374def18f812c54f7dc7246c8cc6ed94ff503a6be53311a42fcaa39d6d9adef124eb
- SSDEEP
  
  384:3dc83wVFJoJ8nI/SV65XSxbihO2KZYTZbrrNGB5nYLEyw4VmkvwKwq6u7H:Nc8Ebio2JTZimEEh
Score

10^/10

execution dcrat xworm discovery infostealer persistence rat spyware stealer trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Xworm Payload
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Debug/bin/Xeno.dll
- Size
  
  961KB
- MD5
  
  b7a51ddc46e35cc4353e019c5c8d66dd
- SHA1
  
  9b9b3ae0d3cf7193dc991a243ba433fbc3da84f6
- SHA256
  
  33e10a804ce9d92fb11094fb92ecbf5978135fe0339a7108123e987562b9b909
- SHA512
  
  f940b009c76d5f6168155352f1de651470e319a2b0fe4e78ba4e4750eb766c7cb70f8d83e15810361e9bc0110459304b880764ccd48f6e2ab31d4caa9e823ca1
- SSDEEP
  
  12288:KUJu0NDNwqJ3Uij6zLdZNzLn/IUtsFfFrILE5pT8T145zvQ4KkTLm01M:XpwAkij6NZZMUtsxFrGE/TvU4KkTL
Score

1^/10
behavioral3 behavioral4
- Target
  
  Debug/bin/libcrypto-3-x64.dll
- Size
  
  4.5MB
- MD5
  
  be0f6d1d60e149cedaca33a04963e05f
- SHA1
  
  b686e1ed9ae47b8ae803a5d9e912b0e631bc4217
- SHA256
  
  81a5fe6cd0ef5b083e5c4bdb6a40a30bfb1b0de15a9dfad459de2d6a36d94f86
- SHA512
  
  7b39dd8c70286ec4fe61cb2c3c12062f2dcbdda607c2f14c4f983741026f6aa62b60f9e983204949395cc54b5ebf6426c0f8300e0e385c35c1f2f3847160d7ff
- SSDEEP
  
  98304:5l+f+Kv6t8y37re39P6k1CPwDvt3uFGCC:/Cyt8yLre39yk1CPwDvt3uFGCC
Score

1^/10
behavioral5 behavioral6
- Target
  
  Debug/bin/libssl-3-x64.dll
- Size
  
  802KB
- MD5
  
  733e3b58ee1760a442fec4712848c3ad
- SHA1
  
  529206caad19cce2424323bc29a9fb9a4bbd3e76
- SHA256
  
  159198cb8e740f9ad5918b51503121fd1b7e70460f6a4f6a6aa27576bbfa31c7
- SHA512
  
  10835ff09e35d8acb2739707219905b3ae2870af973d8f80040baeb732eb798fa93ef1bc599ad9898aff8e20ee21aa1f5e5e07340eda205aa938fc001cd83a88
- SSDEEP
  
  12288:uDYDcpeu9jFBOBJfbudc68KqLie1+jKMwmUxlcdEVB3ks:usM9jFr8OeW5wmNdEVB3k
Score

1^/10
behavioral7 behavioral8
- Target
  
  Debug/bin/xxhash.dll
- Size
  
  46KB
- MD5
  
  70c514826d9428f184d27f0c8f397404
- SHA1
  
  e6b0b1a396de9913004d9bcaa230972686416bb6
- SHA256
  
  aff59e91d222b75b3e3ac789baba9e24eff99796261ae5e887ef9e3c28bb3d64
- SHA512
  
  168c63cbb54865ca42a884fd974291bcadd9dd8cf8bc1980148214e84498af42a590cb3d3a394765ee0b7d2e337fab6e85ff4f85d9ced97b92b540152202a0a6
- SSDEEP
  
  768:tziPp7yW4k3QDn24NuDUSu0MKQVMNKuxYAuogba4Mk3Q18swN1WQ8hi6U:tziR74kgDn2rDRuIrN5mAvgbTg18DN1z
Score

1^/10
behavioral10 behavioral9
- Target
  
  Debug/bin/zstd.dll
- Size
  
  638KB
- MD5
  
  5b96fb0d4e6453680da278f5b7e51a29
- SHA1
  
  3c96a29248fa3644de2c653a5d97c1e21b13a769
- SHA256
  
  1374391dafd6262795243a58f9fb234be859d940683fe756c64692ca807f0478
- SHA512
  
  27d06b7182aa48a81cce18f8f7b1bee054f3a862ccebd77d273a67c6a15e5d0ef5ba8fd7430976f445eb8bff51d290f2bb50061ac7ef448255ba8a18b8baf193
- SSDEEP
  
  6144:fbauYl+rrR8uT4uB5uWYfO16oMynnjDHMkYHbpk5tRCEybNFZemMBLx4uQ16aSG:fbauYGT5BYMxjDHMk0petRCEyb9emHO
Score

1^/10
behavioral11 behavioral12
- Target
  
  Debug/bulba.dll
- Size
  
  12KB
- MD5
  
  0dc3442cb5fe2a5bc3a08c16a5c87594
- SHA1
  
  041cea3708252e60ddff97f096562153b7e3d129
- SHA256
  
  b612b25f1179c6c1dec41566248b35e12b4a3851be21e39fc3425d125bccc6ad
- SHA512
  
  fd297085c0e1fbbb5fd9ce3d3134d2b226e4a7b1f07c30b3e896cab4f5e6bccb3d2661b2e75be63ad64cf783a9b8114eb2170f06eed826dbd9dea3041031d20e
- SSDEEP
  
  192:0thyp9xF/8zoQwCDLOzIALDitq7kjjBWAKZUO5KpgFEpRKJra8uVUG:ghyE1LAIAPi8kxWAKZUOU0EZVj
Score

1^/10
behavioral13 behavioral14