dcrat | aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9 | Triage

Sharing

General

Target

aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Size

2.7MB
Sample

241212-c4e4qsskel
MD5

8b744166eecace320158f4d0f704b13e
SHA1

b92636084b3bd914514bc44556c4803933d667a3
SHA256

aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
SHA512

641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27
SSDEEP

24576:l+O4GuNVHU+AH2FWxOYIOlIZBrlsQBYI63DSyve5fG:s3N5IO6OtsMYIxS

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Targets

- Target
  
  aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
- Size
  
  2.7MB
- MD5
  
  8b744166eecace320158f4d0f704b13e
- SHA1
  
  b92636084b3bd914514bc44556c4803933d667a3
- SHA256
  
  aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
- SHA512
  
  641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27
- SSDEEP
  
  24576:l+O4GuNVHU+AH2FWxOYIOlIZBrlsQBYI63DSyve5fG:s3N5IO6OtsMYIxS
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat