dcrat | a38de42e94a51926732b3b562723df643e5fde2c4b0286842dc356be62f697d6 | Triage

Resubmissions

31-01-2025 20:57

250131-zrnaxaypgq 10

31-01-2025 20:55

250131-zqv95aypfj 10

Sharing

General

Target

cheatxloader.exe
Size

2.1MB
Sample

250131-zqv95aypfj
MD5

6ad4c27c5c844630732d5a6f1144f403
SHA1

55eaa9e50b68ba4438ba8c495e2e872f70afea5d
SHA256

a38de42e94a51926732b3b562723df643e5fde2c4b0286842dc356be62f697d6
SHA512

050835c1abe9bb077882368b21e94583a8a69b290d34c810283cbf805619ee80b5432b3fd91e23ff4adfe3a6d736b71438c85874d3ee9e2e18040ca80c19509c
SSDEEP

24576:2TbBv5rUyXVjfDjUr+21JjS+5+MtJoIeEs+TwAo7+Fgz2RPuWHvswr5ZvAPwfzkS:IBJjUXGMoMJwugSRzPswr5ZIPkMRnfU

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Targets

- Target
  
  cheatxloader.exe
- Size
  
  2.1MB
- MD5
  
  6ad4c27c5c844630732d5a6f1144f403
- SHA1
  
  55eaa9e50b68ba4438ba8c495e2e872f70afea5d
- SHA256
  
  a38de42e94a51926732b3b562723df643e5fde2c4b0286842dc356be62f697d6
- SHA512
  
  050835c1abe9bb077882368b21e94583a8a69b290d34c810283cbf805619ee80b5432b3fd91e23ff4adfe3a6d736b71438c85874d3ee9e2e18040ca80c19509c
- SSDEEP
  
  24576:2TbBv5rUyXVjfDjUr+21JjS+5+MtJoIeEs+TwAo7+Fgz2RPuWHvswr5ZvAPwfzkS:IBJjUXGMoMJwugSRzPswr5ZIPkMRnfU
Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratdiscoveryinfostealerpersistenceratspywarestealer