dcrat | a6cea4f4b68b7f3dd83cbef2f154555cb1f351ad75c061c0650edefa25455d01 | Triage

Sharing

General

Target

6689bd9a5c795eedc631e5fbb850b7ff.bin
Size

1.4MB
Sample

241212-btd81svqg1
MD5

cc188238362b783c5d55497084c076fa
SHA1

d15af480f1567153ef756529bae754725a1d610c
SHA256

a6cea4f4b68b7f3dd83cbef2f154555cb1f351ad75c061c0650edefa25455d01
SHA512

02e253c04ed4ddd8d0f4f6703068149ebab5d827d124e07066b9060ba5f517c8b81df83f854ed7a6aad17110cec44392a2ec13e54ae037c127832db93085b536
SSDEEP

24576:MsEy174so8a+XbFG03/Ju5NzYwu8WmkzR2BgKyaJIEAUr/KwGpyStDJ5:Mvy174sov+LFPwuvBzRoao/KwFSB

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Targets

- Target
  
  cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b.exe
- Size
  
  1.5MB
- MD5
  
  6689bd9a5c795eedc631e5fbb850b7ff
- SHA1
  
  b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2
- SHA256
  
  cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b
- SHA512
  
  ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf
- SSDEEP
  
  24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg
Score

10^/10

dcrat execution infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratexecutioninfostealerpersistencerat

behavioral2

dcratexecutioninfostealerpersistencerat