dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_19.zip
Size

92.6MB
Sample

250322-gxcggsyzew
MD5

91943f48b65f473f773b008f948b19fe
SHA1

d905a0419e15e33664aa0f8e5cb1450a1f0876ca
SHA256

ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff
SHA512

15c4e255854a9d32f5db9a65ee586475ac29ee26d8d08cd203a84153b6a4b72326705c4876fd0313b727cba35286749d614aac1545c995d1f6f3e38c3c76ddc6
SSDEEP

1572864:R00oDoL7wxIKaTH9reQLyeQFhn8hAVnIioVFORvcg0XUEHhFGkAid4XuK0fRkyQm:doD87wxbaTH9yQ1Qo4+nORgkAHAjuK0j

Malware Config

Extracted

Family

xworm

127.0.0.1:4758

108.77.173.66:4758

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

nanocore

Version

1.2.2.0

georgestephensfurry.ddns.net:4444

127.0.0.1:4444

91.236.116.142:5888

Mutex

9cf8c1ef-c568-4176-950a-5eb6788fc62d

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-12T02:28:08.602442236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4444
default_group
Big D
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9cf8c1ef-c568-4176-950a-5eb6788fc62d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
georgestephensfurry.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
Trav01is@yandex.com
Password:
Boy12345#

Extracted

Family

xred

xred.mooo.com

Attributes

email
xredline1@gmail.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  4b5d342b8c5a5b19fac86b1315802786.exe
- Size
  
  8.7MB
- MD5
  
  4b5d342b8c5a5b19fac86b1315802786
- SHA1
  
  3566b77ecc01ef67839e91b542dab05434167495
- SHA256
  
  865dc3b296ef4745577ad148b1ce7f9e812a32b8d020a09bd783fbd067750467
- SHA512
  
  f74e6d947d3a3cad43a0c4b40bc33e7b3961cb3857fac18c139b686c75015d4ea5d7410fb5a833676e5d04c0d41b34cec9f618fb42cf52d75c36fe435f22ce32
- SSDEEP
  
  196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUJ9quict4Z6Xfs6:jxSZrxSZExSZfU+2aJDSgJnmqukY4ZoZ
Score

9^/10

defense_evasion
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2
- Target
  
  4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
- Size
  
  579KB
- MD5
  
  f26ad40d3a15fc5453456dc9047cabe6
- SHA1
  
  0322588ead1761f11715a5723f15f391e9211617
- SHA256
  
  4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3
- SHA512
  
  438349889e6d27fd88e9c62d015b74e55dcd78d1d720c1b9b8e3e18c45a19bbe338ea9da58ca729221facaca22cdf54c808a127524aa73bb445145f7bba72333
- SSDEEP
  
  12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7q:rBJwdhMJ6ZzHrfcsMGTfZ5Pq
Score

10^/10

imminent discovery persistence spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Imminent family
  imminent
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
- Size
  
  3.3MB
- MD5
  
  5b034c2b074c565a4c3d9f5c7e2d3118
- SHA1
  
  0595e199c88b91019387b3a80dedfd0a72b69bea
- SHA256
  
  4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d
- SHA512
  
  bf4f3f9c54bf9a1a93786e6bf8ccbfa411cb23d02e4a1c5a56aeb583d7479ebbcca4f4330f7e30c184f454b37e8b4d3db494e9065cafdc9c3d69b8d281618f8d
- SSDEEP
  
  98304:HRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/3UYd4q:Hkj8NBFwxpNOuk2U1d
Score

8^/10

defense_evasion execution spyware stealer
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6
- Target
  
  4bc17871c10bb28c4e2b5e2f1d9e4664.exe
- Size
  
  28KB
- MD5
  
  4bc17871c10bb28c4e2b5e2f1d9e4664
- SHA1
  
  d6d80515426201c41e12f04fe8ec7f8c0f54b85a
- SHA256
  
  9174ac9bc0d3b5cc062f11c6b97f7a92f9e117b77fe4cbc148ca40e7cb99d302
- SHA512
  
  2ba6f62b059e59339bf62dfc7e6cb439f7a64904cc6065294c20c71ecec86e8b215075069bbda4171d001881489382eb7809801cb2dfc280f8f483429a99e5bd
- SSDEEP
  
  768:GEHTMg84YFnOVMSloeM41v1WbVgkgm3HrQQ:GEHQg84ofSxCekX3R
Score

10^/10

defense_evasion evasion trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Drops file in Drivers directory
behavioral7 behavioral8
- Target
  
  4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
- Size
  
  984KB
- MD5
  
  bf8b1d73a37f97278df6d25ee245e3a9
- SHA1
  
  7ad5a5b889a0cbbcf81e69185764596578d0e0b4
- SHA256
  
  4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8
- SHA512
  
  5d351633f0575ab64b4e47073a0e689780c88d4ce9469f67c539b7946684ef6d54b859a31a7ae486f0ed11fb1939045988bfcd53a089ef4757b78f83148474a5
- SSDEEP
  
  12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10 behavioral9
- Target
  
  4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
- Size
  
  650KB
- MD5
  
  f6276c3c25982a59d17cced52b409e2f
- SHA1
  
  61025476f38e1a9bd29721014c76cc03d27f145f
- SHA256
  
  4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5
- SHA512
  
  a128ca1cd21b9e22b3173d5d0ce2015c492f271dc3a70af095a632c05bdb264261969ebefbfcc21c921022a08829f043c85ebaf075e0f34e2f532438220fda6c
- SSDEEP
  
  6144:BtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rfc:r6u7+487IFjvelQypyfy7fc
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  4c948e42267877c379b01be5faa66926.exe
- Size
  
  5.9MB
- MD5
  
  4c948e42267877c379b01be5faa66926
- SHA1
  
  282254e3ab196c9810c8bdf74f3fe00977bfa120
- SHA256
  
  63a4873a5658c4de311b5952d39969115f434f90c14d18a991dbc475b03ce8a7
- SHA512
  
  776483f78e6f9634551ce06d87e8fad9a58afbd962d62eb6176f2e5d05bf3c77a026af2b2e0a36c22957141de18ce085e9084aafb0c3ca3436270395f6fc5612
- SSDEEP
  
  98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:hyeU11Rvqmu8TWKnF6N/1wK
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
- Size
  
  885KB
- MD5
  
  cce068b8de20f89eb28352e1ce50beb0
- SHA1
  
  e9a9235ac140112623fc944d139f9940aa2bf082
- SHA256
  
  4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e
- SHA512
  
  09a04910138dce47f5688c4b210f40299225c1b31514e29ab20a80ab9e177d989c8049274f7d1699ca718bdcf895e171b8bd15917bae0f6d723d07d5c5cf424d
- SSDEEP
  
  12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral15 behavioral16
- Target
  
  4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
- Size
  
  920KB
- MD5
  
  3e88b60d7a5480672d773508d6d959fb
- SHA1
  
  5226af2c7cf9ac308bb154506113a2e1dd6abebe
- SHA256
  
  4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922
- SHA512
  
  0baf73952ebdb57dad095c047b70d81d357cacfcf7a64b94bf5ac347df59a3aecb362c2e80ce145216860c3fc07ed39ee86d1093c04d42a4bc7e3110b39b0528
- SSDEEP
  
  24576:7dtP2cbksTpugRNJI5kFMJF9OWjwjLOjZD:4gq1
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  4cf97069999c57b9ff02fc34f4efbe8e.exe
- Size
  
  885KB
- MD5
  
  4cf97069999c57b9ff02fc34f4efbe8e
- SHA1
  
  c22915791d667d801d2931538432a27d61294bd2
- SHA256
  
  bf2520c5a62515ec02d2bb261460be7aa67d9983cdd5fa835c5124a215a900cb
- SHA512
  
  b3baa564a6a10d4f48e0b4c1154c4220978ead57c5d9dedb8095a8386abbc18ce06fef25cae94b1633f438144b102cb5a1ffcfa1f7a3ad20b132eaa1678e0ddb
- SSDEEP
  
  12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral19 behavioral20
- Target
  
  4d8cd82fa6662df02eb5af2abbf815d5.exe
- Size
  
  14.3MB
- MD5
  
  4d8cd82fa6662df02eb5af2abbf815d5
- SHA1
  
  9a204dbafb47d5b1e40908011bac6201c4699abc
- SHA256
  
  1c96153b02b612f06efaea43f046bc0e3e8d9f2248faf8e4d19026d87a0ce8ba
- SHA512
  
  dbd290b3e39f1ab3f8d99241e4d0cdb9645762ca7ca6436f5fc2ebea6db9caff1de5a6788ec0f83ad75e2b4d9af25f72048550b2e1da9b24ea21c7c90aa19fb5
- SSDEEP
  
  393216:SGg4a7Gg4anGg4aDGg4aDGg4anGg4aOGg4aS:AbXzzXMS
Score

10^/10

xred backdoor collection discovery execution macro persistence spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  4d947659fef83a302fd6b7451b980b19.exe
- Size
  
  950KB
- MD5
  
  4d947659fef83a302fd6b7451b980b19
- SHA1
  
  7468328d4d3e8b2524a934da3b640bee161f7df6
- SHA256
  
  b3a6071623729a413d12130d4ad6b6f633ffaceb69c965f19e815283d3a08700
- SHA512
  
  bc71f8f4495bc9272f727e7c097eb5a4404ffd4fa87d99dc72470c439b3470146e704f289ab47ea00a22d8e50c9d808455344792aa717c8d252196299df7408a
- SSDEEP
  
  6144:gUnwuPAbvR+LEx+R2EmwY9JpoY+T2QmwU:gUwyE+1mwY9+XmwU
Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer trojan
- Disables service(s)
  defense_evasion execution
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies security service
  defense_evasion
- Modifies visibility of file extensions in Explorer
  defense_evasion
- Modifies boot configuration data using bcdedit
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
behavioral23 behavioral24
- Target
  
  4dac62ad007ffed0e0d4b738af6da8ec.exe
- Size
  
  78KB
- MD5
  
  4dac62ad007ffed0e0d4b738af6da8ec
- SHA1
  
  91437886f46d83c6106497c42b18d977ebd77b4f
- SHA256
  
  042263c682b6bb02efb4d42de2b13ab4c56ef56ffb740ea2be36fce7dd61aba4
- SHA512
  
  7e1434e2989dc57a4d632e4c6983a76d34e1ca45ae2493ac917bbef4dbb1e360567abad32c25a670bb4b379b50c1b4483332ecfa7d8ace8ee2fd6cb80631732f
- SSDEEP
  
  1536:IbhBwtZA8wBpQzZkgBzWr7qxKGpbheZMrezOnxlh6+4xZxOwqofoFKP:IbhOWBpQzZr5W/qbAWSzGfd43xOwqof7
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral25 behavioral26
- Target
  
  4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
- Size
  
  1.9MB
- MD5
  
  464a05553b5bd47c84618761d07b32a6
- SHA1
  
  4947299420a124b29d359513690e92574d67f87d
- SHA256
  
  4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b
- SHA512
  
  526fe406c9b68ac5bcb1dedf49d90e2f4bfab3a46141b8b4e2c71eff294681ae0c4a5cce0e467856fdb46251dc65cabd40b23ca490e81045bb340f39e919f509
- SSDEEP
  
  24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral27 behavioral28
- Target
  
  4e1fdde317913d69f35aa03397b5ded3.exe
- Size
  
  2.0MB
- MD5
  
  4e1fdde317913d69f35aa03397b5ded3
- SHA1
  
  ad0eec94d2dc31cca9c7d3c5b8061b0720532db9
- SHA256
  
  a4c2b8f49ef1925fd78c17e298f20ed9a67f298e3570491a3ba7075d25163d4b
- SHA512
  
  061345945ebaa10c5ea3b03f53e4e781e4f8e8bf5816f1414d2695d7c6ac3aae5dd0249bf18c6030f5af234b62e91d2545ee1007493b30dfd113931e3b7b513f
- SSDEEP
  
  49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral29 behavioral30
- Target
  
  4e248cce2fb9b5f155ca62d21c6e9da7.exe
- Size
  
  1.6MB
- MD5
  
  4e248cce2fb9b5f155ca62d21c6e9da7
- SHA1
  
  c5eab96ba2a3310bcb3cef05918a38efe5cfad86
- SHA256
  
  74c882cb1bc2e8f293c67a7c9a2bcc0c37e0aafa6fd173b1990b5ba667befe86
- SHA512
  
  958763f40b1371177b4cffa09701a600948f3126e6ac4d041a08e11f903f51f3beccd7a9ad9cd9b20cbc443310af573ac2fbb396c21f8d61fb05324553c0bb23
- SSDEEP
  
  24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral31 behavioral32