dcrat | ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529 | Triage

Submit
Reports

Overview

overview

Static

static

ee66bca1ea...9N.exe

windows7-x64

ee66bca1ea...9N.exe

windows10-2004-x64

Sharing

General

Target

ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529N.exe
Size

1.2MB
Sample

241220-f9p3ns1kg1
MD5

bb7e3c97bc9136dd95203ac7b480b230
SHA1

55af32d959f455d87aec058789c35471272a34f2
SHA256

ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529
SHA512

7cfe9fc9e23247ffd1f6d0fb7588af62c01f714d843e2268dab1442af2471e22559d1e41878bdcfb6796d6e572eda982c887160d20015a96e7c3a9c87ad1d77b
SSDEEP

24576:m5/FWj01uCUyGXFgSTq/kbe58fWj+1Ya:k/FG0Cpt4i28fWj+1Y

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529N.exe

Resource

win7-20241010-en

dcrat infostealer persistence rat

windows7-x64

15 signatures

120 seconds

Behavioral task

behavioral2

Sample

ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529N.exe

Resource

win10v2004-20241007-en

dcrat infostealer persistence rat

windows10-2004-x64

16 signatures

120 seconds

Malware Config

Targets

- Target
  
  ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529N.exe
- Size
  
  1.2MB
- MD5
  
  bb7e3c97bc9136dd95203ac7b480b230
- SHA1
  
  55af32d959f455d87aec058789c35471272a34f2
- SHA256
  
  ee66bca1ea767e827dfafd301d994e9afd36ff0fae546ad51e18347e999e9529
- SHA512
  
  7cfe9fc9e23247ffd1f6d0fb7588af62c01f714d843e2268dab1442af2471e22559d1e41878bdcfb6796d6e572eda982c887160d20015a96e7c3a9c87ad1d77b
- SSDEEP
  
  24576:m5/FWj01uCUyGXFgSTq/kbe58fWj+1Ya:k/FG0Cpt4i28fWj+1Y
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy