dcrat

Resubmissions

13-01-2025 05:27

250113-f5d5lszrem 10

12-01-2025 20:07

250112-yv3pbszlel 10

Sharing

Copy URL

Twitter E-mail

General

Target

55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
Size

1.7MB
Sample

250113-f5d5lszrem
MD5

2709efc85a850a7ddb9ec3d228ef6640
SHA1

010165c876f030f0158b09d20af67238b954af66
SHA256

55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddc
SHA512

de2741c12710609eb94a420ca2ff139d10e3783ced7ec827b3f30cba6824a81c23b2e8608fe3725f26c7beb816884720fcef689b9c78a4150228772352772de1
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

Malware Config

Targets

- Target
  
  55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
- Size
  
  1.7MB
- MD5
  
  2709efc85a850a7ddb9ec3d228ef6640
- SHA1
  
  010165c876f030f0158b09d20af67238b954af66
- SHA256
  
  55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddc
- SHA512
  
  de2741c12710609eb94a420ca2ff139d10e3783ced7ec827b3f30cba6824a81c23b2e8608fe3725f26c7beb816884720fcef689b9c78a4150228772352772de1
- SSDEEP
  
  24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral10 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Dcrat family

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10