dcrat

General

Target

SourceLeak.zip
Size

39.6MB
Sample

250125-xmlkeawpby
MD5

e64b8344b70fecd613395cdf888698ae
SHA1

543c6c5297febf627a28be183adfb500012bb00a
SHA256

b878bfc5791ec1039c16b2e81e465fe511e04619f1952f1b34c4d5a28d3eb60d
SHA512

3b65d816dbd64aeef3d8627c6b22239adfd21a91bbfa327d76e48057d0a8503cda0bf9dd946ddaab389f5d078f68292970c0447c0dd1c3c9ab0fafad50e7bfff
SSDEEP

786432:Q8f8EgLU6Dc11xD8ZEs69KZZg2pK0BWvcErSde6No8Xpt:Q8EEggPBW8AgeKagcmSrNF

Score

10^/10

Malware Config

Targets

- Target
  
  Source Leak/FortniteExternalBase/util/loadup.hpp
- Size
  
  7KB
- MD5
  
  a0f66b0a76db9a2faedfc8aa94601a25
- SHA1
  
  5a8838b0757be592c61a2e2860336eea7e79ff56
- SHA256
  
  6db0aea5b2d57418c257610ea5ceaa80e7744fafaf0319cba3bc79bb3100a3cb
- SHA512
  
  9e4fa89c72a54e6522597b8262792355165c098446a25f9d257d2a5be901536478eeb2370415e21f4cff272f8e8cc58b138f9403c92c7df1bb86cf38643ab95d
- SSDEEP
  
  96:XRKQHhzoxEM8z/9vGna6E66Mm3BXx6538x6p3Rx6j34f6Tn+gIXU1L3lwwen+I76:oQHlUEXYyxMscBkYw1LbEgIUGzA
Score

3^/10

execution
behavioral1 behavioral2
- Target
  
  Source Leak/FortniteExternalBase/x64/Release/Source.exe
- Size
  
  1.2MB
- MD5
  
  4abf9f8fe2accc3b0afab424826fe672
- SHA1
  
  f17fc45071d7af67323b3521ae9e3b62117869a0
- SHA256
  
  810dfd3661de789ecd7a0ddd97398868ba7f7ee391fdbcffc207af91ca65b959
- SHA512
  
  3e96fba7f12bbd5108e6873279f44ad90586beb762b0c401c46468d7abc9f46698e3aa6f9a99076187ca3cba4d3c8315f931346c3c9b71c7d1dc3de15218429f
- SSDEEP
  
  24576:joJOLUTJcMfM2kO9sT5a3K43OdKnA1sUX1sUJsFwv6EmC3Fp39zZFa:q/OonLU6UIE6EZFbV4
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral3 behavioral4
- Target
  
  Source Leak/Release/Source.exe
- Size
  
  1.2MB
- MD5
  
  6179f45e49ae7257c1fb5859dc119f73
- SHA1
  
  14b8a63e92e4d9254a3949f841631b96f5eaa590
- SHA256
  
  7dc826deb7225c544091b7a33f6e9093617941d90fba7c5b5057ff97e231270f
- SHA512
  
  6f492fa5a1c7ba28c269355f80e316db05186ffd9ed28c72b1ce911cb8f46a10049fcfd09008ee99996194f4d154eb46e8b7af98c31db98a4a3690397a46b519
- SSDEEP
  
  24576:CoJOLUTJcMfM2kO9shrYgTnwxznA1sUo1sUa2hZU6EmC3Fp39zZF35:7BnLUDUZi6EZFbVb
Score

10^/10

dcrat discovery infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6