dcrat

Sharing

General

Target

archive_43.zip
Size

20.7MB
Sample

250322-gz716sy1cv
MD5

dc8899f5ca4f4a51b441a3f92e0531ac
SHA1

b173ce5b4348974b3f1ce008df8a430f412458f4
SHA256

286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac
SHA512

c196e037f7e9033aa3ae734d49660673606a8b59aa2661392eee7101c0f5f97a3d5ed8237000df9346a29a99123bc5f904e77743c3a5a07f30741f4ca424a77b
SSDEEP

393216:EknOOFclqT88ASs6ugWNfsNp+sNpvAgq/n6aXpsxXdX845JTyhuAs7cEhYOrIJx2:dOgT84uPajv+//yxNFJTyQ37cHOiJ3K

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/s22HcgbS

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

if-contest.gl.at.ply.gg:5461

Mutex

99446badde7a6173ecd00ba89ecae31a

Attributes

reg_key
99446badde7a6173ecd00ba89ecae31a
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

حياتي

love50.no-ip.biz:82

Mutex

48176f323bb3167506e2cbf91191abf6

Attributes

reg_key
48176f323bb3167506e2cbf91191abf6
splitter
|'|'|

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b022d9e4ed0716b265fec7cac8a8b3d9.exe
- Size
  
  9.5MB
- MD5
  
  b022d9e4ed0716b265fec7cac8a8b3d9
- SHA1
  
  06186c33e890e938a38ab244e2b5a5a96cbe03ab
- SHA256
  
  213700faddee1ca46428597c9011cf189a5c5ce20b4fbf7cdc5cb047d37f3cbe
- SHA512
  
  92a0c2404ddec21b10884b963d9ca012c971b2b736004563c3fbdfa097ad5bec4de050f3f4b3781e98a836c8a07840d2ab74cb70ad4b986b8c51cc2df81b2e02
- SSDEEP
  
  1536:5+2CEf8o9ppJ96zWkMzppJY6zWk3KEKclR:jCEf8sppX6zJippm6zJ3KLYR
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  b0493b9be59163a45659abbfb522d98b.exe
- Size
  
  92KB
- MD5
  
  b0493b9be59163a45659abbfb522d98b
- SHA1
  
  020f593bf2e2b2b16d11ce9aa1c53a19b64fa163
- SHA256
  
  0a4d48600d4fdb9bbd4e887e21997daad958d1248f3691d54a1983006f418972
- SHA512
  
  27ffa99ffbc6bdfc6a12a7261d6d9b14abfe2bb4482b38e1518600e9eea1010d9073a0a99129601820628d8f642b7672e6a2c233541456d6017f2bcfa078d6e9
- SSDEEP
  
  1536:5fEsW5y1CWyg8d84nv32hSfTS7xNVn7/Ogr0dV8qKmbp5AxB:5fEsA3ng8fugkKxdiqKmbp+
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
behavioral3 behavioral4
- Target
  
  b05f7f78ca8a8285fcaedf481b5ee1df.exe
- Size
  
  1.6MB
- MD5
  
  b05f7f78ca8a8285fcaedf481b5ee1df
- SHA1
  
  468ce88a79124efa42dc6b55842ef8df4592d4b1
- SHA256
  
  ed5a2293fc8b4a12153242623be44827fd147f8b4277eb80129960a74c051fb9
- SHA512
  
  d31b92af65eb4bf7c3f2550a571a24d19adba0ae33b52cb669a2d9b0304f864a4d7c244033a3db4aae225089162c1401ac4c252b738cd10b0da4dd35a5a56f90
- SSDEEP
  
  24576:1D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoh:1p7E+QrFUBgq20
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  b0a1fdb84b6401a5471152ae215350fb.exe
- Size
  
  78KB
- MD5
  
  b0a1fdb84b6401a5471152ae215350fb
- SHA1
  
  fc1abcf7b7025ccfa1dde201a678ec9cf63d4f96
- SHA256
  
  e6b1b5ede89edb671aa3939086b30bf020dbcb5e34ec2bc21f043cc8263fa355
- SHA512
  
  95ebc5c35acbe095f9fa680594cdc89ce6cc328b7a4842dd599b8dade967f6fd2de16c84479f5d4e465e509f8b4635b68bb6b5c73dd4010d77c1ffa012158031
- SSDEEP
  
  1536:TRWV5jSTdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6m9/J16X:TRWV5jSyn7N041Qqhgu9/Q
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
- Size
  
  154KB
- MD5
  
  e030eb40be750f3fb66967ad6d098c37
- SHA1
  
  f4ad311180d5086be0e281af0f22f52ef9a7e2a2
- SHA256
  
  b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444
- SHA512
  
  7fbb246e5b97c876bb9ef6f85eabdc73129a15e23d45ee20953dc40de8363087715f9fe8f36aea7eea59019e10396db5539a4078f3d7c7c89b1dc8617088d131
- SSDEEP
  
  1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcm5:JZmCb6ROF96zMq1yLAHtUcmKyR
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral10 behavioral9
- Target
  
  b1be021a241291568911ceeb4c50d4db.exe
- Size
  
  78KB
- MD5
  
  b1be021a241291568911ceeb4c50d4db
- SHA1
  
  09745bff096e30f3f85fbfdbc32b405391f3af25
- SHA256
  
  a5b5c9778aead01cd31a0726a8c5f167ebb4882ab391bb615a0c3a1039546a03
- SHA512
  
  49c4cc40205dfcd89a958c54110b336eacd48454bcb915ebd60a1b9f07c415cb4604c8d67a4d8811c6829ed8c11d85cc15fd9de3afa5a1f088c53cce955c1b88
- SSDEEP
  
  1536:aRWV5jMdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6N9/gj1Un:aRWV5j7n7N041Qqhg19/x
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  b1c02067394abbda441f3b9a5c9e11dc596001abff5901f8fa41a6f7dc199696.exe
- Size
  
  776KB
- MD5
  
  d8160b68e84f544205644e75b57f6703
- SHA1
  
  802733b01b84c1f906541ef1c3ce38d720cbf78a
- SHA256
  
  b1c02067394abbda441f3b9a5c9e11dc596001abff5901f8fa41a6f7dc199696
- SHA512
  
  5e113f27de76c6695d3c1526ba9da3179e16276255baee328f4dbf99109a3032c4bb8fbc21f4c1ac1ae7f546cd036fe3d4879947f07b9a8cce77bf15a90bed68
- SSDEEP
  
  6144:NtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rTJN:P6u7+487IFjvelQypyfy7TJN
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  b1caa98d799555b069cbab81864da4e3.exe
- Size
  
  1.8MB
- MD5
  
  b1caa98d799555b069cbab81864da4e3
- SHA1
  
  5378ec401b30bee17e591f36ec04d0f6e2c7ea11
- SHA256
  
  32f40684e82a342dfdd376030e5f2401abc3d84929b516478ab71750f50f223d
- SHA512
  
  af3ccb545117991c133b56fb8c91b5b084d98628b863f1a9072f9140431ffeb8ce3128a7a642de153cdeccc0837e39ec77976f03e992518a286c84d883bc000c
- SSDEEP
  
  24576:fD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6W:fF+QrFUBgq25eKu6W
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  b2045d697bbec1ed26c20ba12b9920d79ebbbd7206889256b2193819f6185de4.exe
- Size
  
  3.5MB
- MD5
  
  069654ff747a5b37f77fa01f85d96988
- SHA1
  
  474affa7d41d5e713b7afb373ccd6318f839fcc7
- SHA256
  
  b2045d697bbec1ed26c20ba12b9920d79ebbbd7206889256b2193819f6185de4
- SHA512
  
  0d5753f4836bf215df1c5413a912fbdc1ee104bfea37d9108127e81f18fb332d135ee009acf70def04c46ebbc6a6352a4f1ab4b36d5b798d34fa15c80fcf11b8
- SSDEEP
  
  98304:EZBtlkPIKtfA+PfdTIZXVQhoqN9VQhoqNRUlBu3Fnd:EFlizB3tIZKhuh4lM3Fd
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  b2340f4c7b57c1f26a997075e120058a.exe
- Size
  
  75KB
- MD5
  
  b2340f4c7b57c1f26a997075e120058a
- SHA1
  
  e610e4b37c2d337c336bd8e8447a6cc48e7f5212
- SHA256
  
  f265d59074a90d5fecd64f1cc5af573d25edb92b6576ed5f768cfb411d4b34a8
- SHA512
  
  98daa70f15dd3119eb8ec7e7a73ae01d2eca9f91362c366cfbbf14bed0dad1be1d2452dc56c985b5b7501d6ad7ea989efcda1bc86bbd23c850bf8ae680aef9df
- SSDEEP
  
  1536:ySDWerVJJ80rWoCo9RdrHbkRFuYYiEprW6bd2O3ZOR:h1T+Fvo7VbkjuDpwO3MR
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral19 behavioral20
- Target
  
  b2583c9e8796deef4e8b3409cabe395c003fd8620c0743de39cab4f110d8fd82.exe
- Size
  
  486KB
- MD5
  
  43b75abea8a7d2f0587f171a9206818b
- SHA1
  
  15e5a8f5e5330e7187694e9495b4fb9c92c6856b
- SHA256
  
  b2583c9e8796deef4e8b3409cabe395c003fd8620c0743de39cab4f110d8fd82
- SHA512
  
  c736ee7390d423f98cc8b183268f2528e6b3868dab987a44d18b692b2b2af61374d1e449b829305c757c60420b3b885f8841b810bdd0af7d773867bb8503dcc0
- SSDEEP
  
  1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  b26193ca5677aa19cbc3bfd5c170c161.exe
- Size
  
  2.0MB
- MD5
  
  b26193ca5677aa19cbc3bfd5c170c161
- SHA1
  
  b2c537420b5b3ac516429b582e93779a8deb8f47
- SHA256
  
  2120942a943fe120041957c6291068cd177e6b9d5148228229b8fddae7f01dc7
- SHA512
  
  d7484d537721962741d8e930880c8de51b4c992b3e91f8cc414eb7b980de44e758f073ab113ac5a9ee75840c4c2fd62a9166ce08a6a1b5c180c3e4ec8f4c0253
- SSDEEP
  
  49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral23 behavioral24
- Target
  
  b274fcd0b7cf29d6ccc27de01ba359bb.exe
- Size
  
  12KB
- MD5
  
  b274fcd0b7cf29d6ccc27de01ba359bb
- SHA1
  
  64cba723549eeada97dd8a8a06da30de49b58924
- SHA256
  
  8d2dfc74cf07e6eefe91c734574c11d8f967d50a3ef0c9224db27a1aeaf5fd6b
- SHA512
  
  8ede2502d657bb9c7f8ef26a17a853c4c697ff4a55c02fe4828c7eb7789e53466f894ed76f3a23312b6cbbe62d33638be4f353d5bdbecfc14d7b735e5c1e321e
- SSDEEP
  
  384:xL7li/2z2q2DcEQvdfcJKLTp/NK9xacZ:xWMZQ9ccZ
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
behavioral25 behavioral26
- Target
  
  b2806b01d727bb20b0bda20794c21cba.exe
- Size
  
  78KB
- MD5
  
  b2806b01d727bb20b0bda20794c21cba
- SHA1
  
  b218c95a7f6a27f277a4f4bf681567b3034df3c7
- SHA256
  
  8cbc27a772e52ac6ed8b7ed27b26817e27f72e6a9b8c7e6b0c788e40c46bf797
- SHA512
  
  c56fb8e2af6e841c2ed2fce1f0708ee12051aab4bc8c96d120430d866e386c93253b4ce2ae28d8bc70a120c41c7e97a09b319894735a9bd0904f7dc299a8c16f
- SSDEEP
  
  1536:OHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQts9/J14P:OHFo53Ln7N041Qqhgs9/q
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  b2ed62517c26f1d5103b1fb31fd2c347.exe
- Size
  
  2.0MB
- MD5
  
  b2ed62517c26f1d5103b1fb31fd2c347
- SHA1
  
  1c4cb094fb6c15fad3956d1836f25bb5d4dfdcc3
- SHA256
  
  c72ed4699ef49027dcc6bbae9465fe2e2e7ffd2e16be407a4e2e6b74c957f1f7
- SHA512
  
  08c6d3d42d7cb4e291e9ef54f9d254d5e34d5fae38109116cd2563724b4aeb99f8952ec1bf4d37b483d7c556ded684a84b54eb694621faa05ec65c54d32a20be
- SSDEEP
  
  49152:zrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:zdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral29 behavioral30
- Target
  
  b31fb95009cabc0f3df1aa933306bd32.exe
- Size
  
  1.6MB
- MD5
  
  b31fb95009cabc0f3df1aa933306bd32
- SHA1
  
  6500d8051a4fa58e907f78782c8f64036d936f73
- SHA256
  
  fb65fd84e33f32f49ae865e640a957886b51e895fecbf7a6539f7a1e780181f8
- SHA512
  
  278c02052dbc4e45331cd0c345cefa9a6b82af032f11500885eb088ed35b7250059f38801270249c534cabe49ba94b5ae741108750ed8c6e2810a1dea3e4d8a1
- SSDEEP
  
  24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral31 behavioral32