dcrat | 52356abff533c337129af9b251bfb053f49e3e00ad2da2440e2111ad66ceabd7

Sharing

Copy URL

Twitter E-mail

General

Target

DCRat.rar
Size

66.7MB
Sample

250306-cqal4awl13
MD5

347c4fa01de3ff6b98fbdf4b45facc0c
SHA1

0a8dc5c37f9e6f40d2a9224b5545b4068377e9fb
SHA256

52356abff533c337129af9b251bfb053f49e3e00ad2da2440e2111ad66ceabd7
SHA512

f8562c845250feaa25d81f6efaa89eacf01175bb2b2f72cf3456a963460048a6f740e59a44e370559f2a08a2745a8122a210ee7203e3c2c607bdf59109e56b70
SSDEEP

1572864:lCNb0lbPIbxJmyK3OhYGCVpQhUToQKUfDJGTK+Lu4lyPWc5pIg3:lIb5xJU3OOVpQoKUM++LBweSpZ

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:3244

Mutex

GaPmqX8yNjWN2yOS

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  DCRat/DCRat.exe
- Size
  
  72KB
- MD5
  
  2c7d37e90dd8ab57d06dad5bc7956885
- SHA1
  
  da789c107c4c68b8250b6589e45e5a3cf7a9a143
- SHA256
  
  5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
- SHA512
  
  e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f
- SSDEEP
  
  768:P7Zw33FNUf6Nhd/fQ1l+0vM0iT9HvMB90d24:zZ2FWSNhd/4131i89p4
Score

10^/10

xworm discovery execution rat trojan motw phishing
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
behavioral1 behavioral2
- Target
  
  DCRat/data/7zxa.dll
- Size
  
  160KB
- MD5
  
  c6c778752b11c3e443c97c55e60720e8
- SHA1
  
  57b29fb5760885e1594a5e97eccf18017cbbf604
- SHA256
  
  863f6bf4f51e08a4604a4e175781b35c251bb204f479eac58af0db11c7f019a2
- SHA512
  
  8ef6ea70f0b3ff65ef2cac3668487f1fc121fdb945d10919db187e95ad22e5098b5357fbfa77caee5ce2394fa707c8c79e80703aad9937a93d8cf9a5a46a413c
- SSDEEP
  
  3072:7fGomNy4JTVoXxLYxNJeINgQnK2W2KQy4fClGZMQ06+V8+NB1RkFIEu3LB:GZnMWg0y4fk6+VLB1RbE6
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  DCRat/data/DCRBC.exe
- Size
  
  26KB
- MD5
  
  14a56e4b7bd40512b49d6f72086e8fc1
- SHA1
  
  d8c05adc75d739a56c63d6596d460304eb219cc6
- SHA256
  
  86c45fb7473e5c1df78b8cbb2003033c37b4cb01a677c1ef30ca1573e84ec692
- SHA512
  
  3d5c2010963694262dcb08337f80190630d890565a25610c33983268afad11b0882fb5c7a03b5e629560d3fd1b9b3856d4896f5a272c53928c1fd10924e3b3f8
- SSDEEP
  
  384:7P0jnfJQhdPTfmUi5YbS8ISIfKfLOI87oRehG6VBVHCHljIhzqb:4YdxccSHSjfLOIyoRet9iHWhzm
Score

1^/10
behavioral5 behavioral6
- Target
  
  DCRat/data/DCRBT.exe
- Size
  
  23KB
- MD5
  
  32e2bc4f79c776b542f6775895beaf21
- SHA1
  
  38e1d82f7cd869d1a016a94dc747110e44e80ae2
- SHA256
  
  98ec5492a2f0aeba5b39a9f41498d98c73643bf6d8d177e5831fb0ad6e6f8521
- SHA512
  
  4ed797827b33fc922b1385c7b4e1cfdc12f7e00c8969b7ed6eeb6aa82f2656fa7f73c90c67ee1a1fdff2ac654504e214d4255eb37251736d30fa694e0b3094e9
- SSDEEP
  
  384:Ik67YLzFJSKaj1A5l055eRethRv1WGqvSqRehTLONKwzI:P3JJ/V5lU5e8thRNwvI5LSKw0
Score

1^/10
behavioral7 behavioral8
- Target
  
  DCRat/data/DCRLC.exe
- Size
  
  23KB
- MD5
  
  a1bccb81f525f46b8e0994157f0dbb58
- SHA1
  
  70ad20203e56b1fed9827d87c8cc8ba09008a49f
- SHA256
  
  574f0612cef481f5bde5667586f1bf1c4df4b7672cd6093b6a8f3b2cadc10725
- SHA512
  
  9fe2dc5e4f621142d43b0ec8ced708b6fcd41c70b5432315ac98de632ab4a9e95bafb93dd30415b877ed6b2351697389cedd9285bdda7e53545e933b6c8de3be
- SSDEEP
  
  384:Yc/k09yBB7RBADETZc3+QrB4EXZcs7xaaMrbTywSUIk:07XmES+QrB4EXZX7/cnnSk
Score

1^/10
behavioral10 behavioral9
- Target
  
  DCRat/data/Default.SFX
- Size
  
  313KB
- MD5
  
  a7993e5a520b17fec65435fb4838a08f
- SHA1
  
  18fe6286473a03735e7b701d4bfaf61ad35da7ad
- SHA256
  
  c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
- SHA512
  
  f14be864388b6f077cad0e64367f16715adfb180f57677ba83866ea000961232d21db1093b7795f17d9d76626fad4e3a7d3dbd8eb00c3a294a9aa8f60ac0ab83
- SSDEEP
  
  6144:2TouKrWBEu3/Z2lpGDHU3ykJotX+t41/:2ToPWBv/cpGrU3yVtX+t4V
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  DCRat/data/NCC3.dll
- Size
  
  72KB
- MD5
  
  aa84f91edd922e7b3bb979e663c94f1a
- SHA1
  
  da46b9962a6c6cceef38c3e11b8b5bc9c1b536fa
- SHA256
  
  38274608d5a4b53ec22f8099f798ba46ce0ed41db65a33dfb3853f0dbf849f6f
- SHA512
  
  88392fc77a0300ece306908867be38011530d9eefdf003452ba86d82f2fa4a61c2b27a199f376ac307c095beaa4f52cefcab59c8b28fa187c0bca13f55f2d98b
- SSDEEP
  
  1536:a44UF/3qab79HtYDAD5MPEBq9iNv6qfSOBHfVW:a44G3fRMPiuuv6qqOBHfVW
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  DCRat/data/RarExt.dll
- Size
  
  544KB
- MD5
  
  1f3bb0f89e7cd67a76220ea2e3e7d8c6
- SHA1
  
  0286863ca947b00a4e3489f07e1cddf9faddb87a
- SHA256
  
  68ecb747f523d122c1c2094b3fb6035f7f76fbd948a97e3d42ee526824546fec
- SHA512
  
  a95611f7b4cc7a3e5b9412d0c7e16616039c7152102b35aa8f672f15d21ff2478486c7a411d25d8f8d7b713a9bbd50f2a68bd048a6296a72ed4404c6cbb468ff
- SSDEEP
  
  12288:6aw1L7U6Qu1rTGl74V7pt21DIwd2gOuy33SH9Bd3X3u1EZ:6aw1L7U6Qu1rTAEV7p1wd2ZuWA9Bd3XL
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  DCRat/data/RarExt64.dll
- Size
  
  632KB
- MD5
  
  3e78ac1a5ca308b6efb1b457d5e4b147
- SHA1
  
  b7c96a18b2c9797a0871d15b55fd14d5608a5e16
- SHA256
  
  ad149a11b96939a6e129cff0c90ba6cac57ef3ed535649a73717d8223c48bbcb
- SHA512
  
  6c3b2ca1aee8580752930afdd4bd01f71e8fde72f06e2ed407b9394fe33f1e51f61a9ebfb36345fb9ab5d6b469bc32352258729fd52a5204d0243cf852850bb6
- SSDEEP
  
  12288:iBnnEQAdpv+cJtb6Sv7x87i3YhWOU9f/e3lgtoTEBd3X3un:ixEQAzlJteSv7Uae3EoTEBd3X38
Score

3^/10
behavioral17 behavioral18
- Target
  
  DCRat/data/WinCon.SFX
- Size
  
  282KB
- MD5
  
  aec7145167e9c207db5a932e615fbf87
- SHA1
  
  b1209de9aab490749ab8021277a4475c56b541b2
- SHA256
  
  88d0e8b4958660c5d4c57c81a7c198f5e52c1505104c0a4d57dc5ea02504564a
- SHA512
  
  36e9ca67c8912a98b524c8a8bc95f90cfe3678519e8c02b3fa13f55beaabc9f181f17a7b3dbe455b10cec691c2ec07170d45848c5761106f3ed6a07a8ce294c2
- SSDEEP
  
  6144:HKWzOebmBFftgnil/07Aai66iEGJ1BgIv:HVRyBFf+niNEAr62GHBgIv
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  DCRat/data/Zip.SFX
- Size
  
  265KB
- MD5
  
  df73e45ff5feb3631f35bba82759a711
- SHA1
  
  33e9a5e44baa2f54c1eab23a4a1462845586bdfc
- SHA256
  
  e38c3c3b083a63e40d09903eed423bab2651620e89be308f91e1b2beb4e62283
- SHA512
  
  4f42a5fd17b290e390b877951c5c8ff687d176a4c572e8b86feee64d0c72de7fb708596ad80d5110b85175772a5908f162994fc3142b1000d7e2aa65b5705ff8
- SSDEEP
  
  3072:GpUWWln1EUWTQG9VnK+DMEMrvk1imdV8hXYKWF9j85WXuNSrq1k9jhQR8+t4Hk9I:g61E/QSnxoEMTlXEulock9X+t40VM
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  DCRat/data/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  de0069c4097c987bd30ebe8155a8af35
- SHA1
  
  aced007f4d852d7b84c689a92d9c36e24381d375
- SHA256
  
  83445595d38a8e33513b33dfc201983af4746e5327c9bed470a6282d91d539b6
- SHA512
  
  66c45818e5c555e5250f8250ea704bc4ca32ddb4d5824c852ae5dc0f264b009af73c7c1e0db1b74c14ee6b612608d939386da23b56520cac415cd5a8f60a5502
- SSDEEP
  
  24576:m+pL+hwfQvqx+yLjynb1YNzh/CNX7fegPeH3hid3Hc9ZEu5DkU6FPepU1VWv7fo0:sxvCLUJ
Score

1^/10
behavioral23 behavioral24
- Target
  
  DCRat/data/dotNET_Reactor.Console.exe
- Size
  
  34KB
- MD5
  
  69d18a3245f3c2fd02c82304c494e977
- SHA1
  
  049cda6bc59daeadfe82fce2197e0e15c2847a7b
- SHA256
  
  b55b0a652538836ed681c2afd985310fd39ad2f31ac159847fc46a6065f3232e
- SHA512
  
  5791cffbc2389eaaf18e4f31c320325d4bdfadf7ab00c847bfedccbea8fec26a3f4452877d00c95e0573e90306d7a2c988c00fcb7d495ac22955c7f64fb047c3
- SSDEEP
  
  768:5oOABBREOgrMTPrZwbiRPp7yMkZwuzZyiRYn7:5oHB2OlfZwbixp7yMkZwWZyien7
Score

7^/10

discovery
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  DCRat/data/dotNET_Reactor.exe
- Size
  
  13.3MB
- MD5
  
  bd73df4cf427511993075f7a16e037a5
- SHA1
  
  63f116641b0655f53e93d62ae559d510ed5af134
- SHA256
  
  fa0a32d408a8df70ec44f3d2374b058f57b86ff49b8068b8c68f8505d3463970
- SHA512
  
  49ad63e65e1f6a454778c904727c948969145eb09457105093af463d933413a7d30437051c7ddb8ded0b46d38b2018a1a78c83af582ab6775bef870057a9dfc3
- SSDEEP
  
  393216:xfuP82nPJiP63TKZqkoPrSz4rkZD1K1fU:xqPIPgTxkqrV6YN
Score

7^/10

discovery
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  DCRat/data/enc.vbe
- Size
  
  692B
- MD5
  
  f88125f6eafc7f4805913cf4077b2525
- SHA1
  
  404917f27f1522cac77f3433594ccd290957da21
- SHA256
  
  5981e508e89c65c445fca892e91b8ec39b1d8563804d0999d963d640aa592444
- SHA512
  
  748249fe186892c96971a63b5055738f2b6beb3e49ba950c834de188fd62da4710ad1a5264f8caead6277b327df299d58e76a4ce219fc30fbd0281b9d5a52f54
Score

1^/10
behavioral29 behavioral30
- Target
  
  DCRat/data/mpress.exe
- Size
  
  101KB
- MD5
  
  8b632bfc3fe653a510cba277c2d699d1
- SHA1
  
  d6a57aa17e5eb51297def9bac04e574c1e36d9c7
- SHA256
  
  2852680c94a9d68cdab285012d9328a1ceca290db60c9e35155c2bb3e46a41b4
- SHA512
  
  b9ea70ed984d3b4a42eceb9f34f222b722c4c1985b79b368d769fe0fd1f19f037ffebe2cf938aa98ed450337836a7469d911848448d99223995f7fb3a9304587
- SSDEEP
  
  3072:S0+mlNniJkkKcfqBOb65VgB183gUGQ340HpL:SvmlNn4kkeOAVA1rUGh0Hp
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Mark of the Web detected: This indicates that the page was originally saved or cloned.

.NET Reactor proctector

Suspicious use of NtSetInformationThreadHideFromDebugger

.NET Reactor proctector

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32