dcrat

General

Target

ReinHoodCrackinfected.7z
Size

5.8MB
Sample

250114-2jnmtasjex
MD5

1b6acac3279585874a678894db3f976e
SHA1

2818bdaef6d725a123b551fc538ae7d5e962f289
SHA256

664f2edf9843880338b78f5b1919df48f0b8363883d691381adb724ca3324e6b
SHA512

24d31fc9453d8190480620e45c8dfc300144a6ac9ec30d7b715eeea5d7352d638aea7230c0cb83669f19ff1cd069d87dcf01504ab16510cda2012b19a68cfa88
SSDEEP

98304:i8U4zA0Uddow7nyR3zjXkPbZI+IF89QTUQpJu3vh5ik+sc+QYz/ECCvOqiP14uDV:i8T/ULTyxXkPb2r89wLpcpckNQYeNe1V

Score

10^/10

Malware Config

Targets

- Target
  
  ReinHoodCrack/ReinHoodCrack.exe
- Size
  
  1.9MB
- MD5
  
  d729318f3c05173ec630df123a15550f
- SHA1
  
  f1da12a6d6906ed1244f4270990fdd80de695787
- SHA256
  
  7cc84a0d97ee454b7c281e0a48b2150741420582d65c7f7358942acab3af4b8e
- SHA512
  
  ccdebad0ab7a30f138f65a84caac179d65491c6a1668985793f75e5a642831e74f370d56e67d6596d92923af98ee79a125e2cfe5f903840b0b4e0b205aefe9ca
- SSDEEP
  
  49152:mBf/tCg1Ef8V927r9PhOSeAj/570mJyOW167/7:4QguG92v9JdRamAk/7
Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  ReinHoodCrack/assets/JSON.lua
- Size
  
  61KB
- MD5
  
  bf15a0bb121f1c1fb46e84dc6e31ec94
- SHA1
  
  2d9c33a2f1a1db2288f9a90ab49dcc43485f3279
- SHA256
  
  4d3b22c99c1f64a756ff06ee2457c87ed2dc32a893f63e04ad79bd3b848d6868
- SHA512
  
  843a3a2a664b8eaec090ff21ae5211f9a1fecca0d18ba615f815176048338f396d8a31e58383b25ab2b7b732997960fbfcc8441de032130dc06a19154c0a1cc3
- SSDEEP
  
  768:QnlynhTUL97d/4Y2XP2ICaFKKylWG5jCAir2TWL35E3Rh2xGvAOvJI3JQyOPeH/0:QliK1d/Uf2TMKbWG5CU25ZzJ/QB
Score

3^/10

execution
behavioral3 behavioral4
- Target
  
  ReinHoodCrack/assets/data/update.ps1
- Size
  
  3.7MB
- MD5
  
  15be934c8a9f5e35b1b13239b67a268f
- SHA1
  
  03ccda98d2b3c7e0842ee514e3222cc2d520ac2a
- SHA256
  
  c8f13dc87fb5154d14ea5e8459c52f46d80c5ec567d14a22a570bea9c207f316
- SHA512
  
  19c9351ab115a26e82fb9d396a866af231503896e90cc6cb85504667f25aa38591424d5af76ae9148d3a8a4a29100f83c98922542ef5d07278044a99bfe5cf0c
- SSDEEP
  
  49152:D1zSatcFIFgVhq1jZmFEcUyLxXHrqFpZDEXhOed6/6SjNMhOE69s:DTs
Score

6^/10

execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral5 behavioral6