dcrat

General

Target

aedfa77790fe7a60cffddc7dfd4afa0f6fdb858965df2850ce418b4428d92a99N.exe
Size

1.8MB
Sample

241217-1gxl9symf1
MD5

5c218a3293314b8e13e89212d24e7da0
SHA1

9ff5c504f253730e1d6a15ca1c655c3882ecfbae
SHA256

aedfa77790fe7a60cffddc7dfd4afa0f6fdb858965df2850ce418b4428d92a99
SHA512

4985f19581a8fc670dde876199a1603fcb1ece427b8c0544b9cf369568fc81ee81a4e2f1a3cbf7160b87a8590917b9b4c8dc8268c5d3ce988c3a251ece047f44
SSDEEP

49152:IBJTl4fxzc8TMk++HUwh42sDnaeQdbJU7h:yj4hcEM54UG43naZs

Score

10^/10

Malware Config

Targets

- Target
  
  aedfa77790fe7a60cffddc7dfd4afa0f6fdb858965df2850ce418b4428d92a99N.exe
- Size
  
  1.8MB
- MD5
  
  5c218a3293314b8e13e89212d24e7da0
- SHA1
  
  9ff5c504f253730e1d6a15ca1c655c3882ecfbae
- SHA256
  
  aedfa77790fe7a60cffddc7dfd4afa0f6fdb858965df2850ce418b4428d92a99
- SHA512
  
  4985f19581a8fc670dde876199a1603fcb1ece427b8c0544b9cf369568fc81ee81a4e2f1a3cbf7160b87a8590917b9b4c8dc8268c5d3ce988c3a251ece047f44
- SSDEEP
  
  49152:IBJTl4fxzc8TMk++HUwh42sDnaeQdbJU7h:yj4hcEM54UG43naZs
Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2