dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

cwel.zip
Size

11.1MB
Sample

241220-p6r8asxkfn
MD5

2a9f3aa47c3089ab25f5755b659def4c
SHA1

31fec6624ab4ed412aad69fcaaa9e7ccef06abb9
SHA256

794c1b48e399a4ac173dcb4a6a619ad53cfa99f52b9685dc62d922dd879acb29
SHA512

0483b54ed252b5499aedf395f692a4ce884f15399b883499d66304ffa06564df8fd5bbfd48c6e52905f6d2fb3f686dcf4b0add1314181f0b80601c1f2e66558c
SSDEEP

196608:dPvlJIITPqNr34qtBFN2OtLI2YAKIcQKf7QVQKWXdk5SkqBkEZLT7oNulGOtsDvR:1vwIeNroqn82YAjcQsQvWXdk4kqBkEZA

Score

10^/10

Malware Config

Targets

- Target
  
  Paranoid Checker 4.1.7/AlphaFS.dll
- Size
  
  359KB
- MD5
  
  f2f6f6798d306d6d7df4267434b5c5f9
- SHA1
  
  23be62c4f33fc89563defa20e43453b7cdfc9d28
- SHA256
  
  837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd
- SHA512
  
  1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211
- SSDEEP
  
  6144:QDyJst+jyCnzLp9hvHsPvPvPvS2JQvlojidPp:QDyJsvCnzZf4U1d
Score

1^/10
behavioral1 behavioral2
- Target
  
  Paranoid Checker 4.1.7/Extreme.Net.dll
- Size
  
  121KB
- MD5
  
  f79f0e3a0361cac000e2d3553753cd68
- SHA1
  
  4314bcef76fddc9379a8f3a266b37d685d0adb79
- SHA256
  
  8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd
- SHA512
  
  c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355
- SSDEEP
  
  3072:bdoECIgjBibgp2tBqL0Y++ruXqMG4ih3lbpMqc:bdoECIgUrG
Score

1^/10
behavioral3 behavioral4
- Target
  
  Paranoid Checker 4.1.7/License.dll
- Size
  
  5B
- MD5
  
  b08a5c34cf0a06615da2ca89010d8b4f
- SHA1
  
  626a77d86d9d12d1772f788cf67c8e77fd9f797a
- SHA256
  
  04cc5b3b49a7e9e9b6c66c7be59a20992bf2653746b5d43829c383fb233f88fa
- SHA512
  
  5dce742cd0f649461b08f8f8018e0fa39ef19e813a74a91f434a15754a4fa8be83096e8fa49cf1828ac011220b7ad3724e7e4ea9cce7937a3168169d8e561b2c
Score

1^/10
behavioral5 behavioral6
- Target
  
  Paranoid Checker 4.1.7/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  715a1fbee4665e99e859eda667fe8034
- SHA1
  
  e13c6e4210043c4976dcdc447ea2b32854f70cc6
- SHA256
  
  c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
- SHA512
  
  bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
- SSDEEP
  
  12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
Score

1^/10
behavioral7 behavioral8
- Target
  
  Paranoid Checker 4.1.7/Ookii.Dialogs.Wpf.dll
- Size
  
  103KB
- MD5
  
  932ebb3f9e7113071c6a17818342b7cc
- SHA1
  
  9ce2d08bc3840632092325abcc8d842eeb8189d4
- SHA256
  
  285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5
- SHA512
  
  6b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141
- SSDEEP
  
  1536:qgoPBGuyAy52V+gtTLq6ZUc68h8O0SB/XBboIawHUPV5bKLh8sm6b0gl:qgwBGu2IV+ghd68WOxXBbx+5of
Score

1^/10
behavioral10 behavioral9
- Target
  
  Paranoid Checker 4.1.7/Paranoid Checker 4.1.7.exe
- Size
  
  2.9MB
- MD5
  
  441eb07e3d375468662db04b5892aad0
- SHA1
  
  119a7c0f7bd7e1aca6778f5a6f0acee8658b6b81
- SHA256
  
  9229a657f2e08d32136781c3923385b2dafd37ede0081b5b6341f8b6d6c87ebb
- SHA512
  
  fc46a2540ac5e5754f88c10c9bf281726dd1130140ecf9b45ff305ef98d462e008ca1cb2b0d50fd6810c2f304e56afc9b160d05714307c53c154226e6f6674d2
- SSDEEP
  
  49152:5bA3/l6mCrumolIDrgUs5WjuAGaXXCzcCEXBw123/GogkLcqeKav/aBzOP:5bg8mCrumozVAXnIes23Odk4qBBzOP
Score

10^/10

dcrat discovery evasion infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral11 behavioral12
- Target
  
  Paranoid Checker 4.1.7/Pastel.dll
- Size
  
  11KB
- MD5
  
  056e487138b2cfb04bc36bffa2e43014
- SHA1
  
  d80aedb31a33671923d931be95610bb72c6cb4a5
- SHA256
  
  e5b201795c414641aeac6d303cbdec9f76d3f0bcc22f0d7ee9d1c10973fe0ea5
- SHA512
  
  e0d67b4c7df1b181c07a77916bf5331d779343f6e08d80b7ab57c94a11cba622f3ff49842655dc80109bd058320dbfe6eea76c1fd3b661530d6555158ad1e8e7
- SSDEEP
  
  192:xzuVjHRIViS+rKXrUii6Ug7qZw/ffxRihNvTWPRNt+yV1/H:gx6KrKrN7q6/BRihNmR/+C1P
Score

1^/10
behavioral13 behavioral14
- Target
  
  Paranoid Checker 4.1.7/SMDiagnostics.dll
- Size
  
  118KB
- MD5
  
  f1d92ac71001bcc24b99044ee675619f
- SHA1
  
  93537fe45921accef1a68f025748bd586447b77c
- SHA256
  
  5df3a2e0329d7668ad0f6c426f6e4c6d1ecd45225b2c39d96b15cd7b6a1bbe53
- SHA512
  
  fbf63f95afa2bd6d411d1c8a3299ba20f6fa3895cffd87bdff98d8b2540a4b98e306016bf6a82bb1678a1e078e84e3ec095c660d4d09490b8397f6971a1d2396
- SSDEEP
  
  1536:3PpCne1hkJBWlt/hFrVI0FzAiVjJ+nD2D+Fye43G8m+6dAERoHYDQ76Kh:3RIQkB0tJtVVVjJ6D2DIH42RNAF4DWb
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  Paranoid Checker 4.1.7/System.ServiceModel.Internals.dll
- Size
  
  804KB
- MD5
  
  bc3dbd339745e51c60dbd0a095eb50d5
- SHA1
  
  d90c71463ca0c55aa942bf71c308daed386bd8fa
- SHA256
  
  0be5890dee0dc8ccd1444781287dfeed46bbfbdbf4ee289e564ea98ea94e006d
- SHA512
  
  2894b4c55e868920945a45de1b5b1d6a3f5685049ad7e005b872be1fd7744b818137f4e153ff68c15911a77a6a757d20925aae28202b838741ca4e2945369263
- SSDEEP
  
  24576:uvdATaScs0gmCWtS4B9plalsmUdJFxtZVnL7CO2XO8mYv:uFATaScs0gzhbQYv
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  Paranoid Checker 4.1.7/libGLESv2.dll
- Size
  
  6.8MB
- MD5
  
  90ad3c47740fce98015444d1289af9b9
- SHA1
  
  0135a04b2b590e1647e3a2b123596d62d57fece0
- SHA256
  
  2082c51a86bc8b7cd5e69cf5d43914efe5d939c90503539d657fde7915a95ae1
- SHA512
  
  40bdd65a9fa761bd3835ea9fb8c4c4d90531253d9dc7183d59c2051a627afc8b267d8de7e7478396e9fb779796f2b7e9b012564446671b4ed06427de5e93689e
- SSDEEP
  
  98304:WYasIDptJ/QOjZfU5Q9S6Vaem7EdGSfhgbMKl4F:WJJd59Hk392thgbMim
Score

1^/10
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Dcrat family

Process spawned unexpected child process

DCRat payload

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20