dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_22.zip
Size

56.7MB
Sample

250322-ha9ddatlt6
MD5

2fe311a887c693d335d29a5ea9a0ccf3
SHA1

9a0937f1cee70275618dfb278e5ccf1d4bac8962
SHA256

7f1beb32d0565e8ebe9db45b1bc9a29b8fe6f2cfb7f17605bd2f6ec40f761b89
SHA512

eaed0fe231276781b3fe8a7a1a0cd8a25317773acf798c17f05fc03f1d29c6ca1f65df46f2ec8d603ddcd3918f996a9986125f6eeae4bb4e57567572ca07a4b0
SSDEEP

1572864:O0uQ3QtLyYR0/+hAVnI4A46clWQkHCeQj00oDoLSj:SQ3QtLVRE+4Z5l1kHhQ3oD8Sj

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:5552

Mutex

279f6960ed84a752570aca7fb2dc1552

Attributes

reg_key
279f6960ed84a752570aca7fb2dc1552
splitter
|'|'|

Extracted

Family

revengerat

Botnet

vikas

thisismylifemimeyo-22560.portmap.host:44139

Mutex

RV_MUTEX

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

YfZTVu77X3MI2DoR

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

past-protected.gl.at.ply.gg:5740

local-subsidiary.gl.at.ply.gg:17739

127.0.0.1:7000

or-city.gl.at.ply.gg:62747

Mutex

dIDqMKvvqEcMqabn

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

BLACK

frifra.hopto.org:5552

Mutex

40ea844bc01ee90bd4425548f1372df5

Attributes

reg_key
40ea844bc01ee90bd4425548f1372df5
splitter
|'|'|

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

nanocore

Version

1.2.2.0

[email protected]:46218

178.32.224.116:46218

Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes

activate_away_mode
false
backup_connection_host
178.32.224.116
backup_dns_server
buffer_size
65535
build_time
2018-07-28T12:59:38.488799236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
46218
default_group
tourex
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4af74541-e3f1-469c-8af7-efe4071b81cf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
[email protected]
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
- Size
  
  1.6MB
- MD5
  
  27b689b77f3516a11f09ecb8897ad4c2
- SHA1
  
  654cb72e6167f879a83930da230b28099359721f
- SHA256
  
  5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772
- SHA512
  
  8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe
- SSDEEP
  
  24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2
- Target
  
  5aa23263dd63c1541c3d7e776e5f8f98.exe
- Size
  
  23KB
- MD5
  
  5aa23263dd63c1541c3d7e776e5f8f98
- SHA1
  
  221c3c6828d94ae6ed68aa50839a6c91f527f837
- SHA256
  
  1746682b55ba4fd89d47c53502abd6fcba269e6a7a7161eb381cd3ff06f52f09
- SHA512
  
  06edb2a293817db322c319c3ab879c16f6e945fe1faa26e688b4d086366a585b13d47061fc10b1bb5af2e737866a6d03fd16d5953cacb4360d9c42a088f68c07
- SSDEEP
  
  384:xk8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZ8kY:5Xcwt3tRpcnuJN
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  5ab4e24c19920bf215f60ccceeb4a0641f6ac404665f99abcea4eec4aa2aa529.exe
- Size
  
  2.0MB
- MD5
  
  5d49b43f14e616ffc8c7592057de2bf1
- SHA1
  
  ca6f05166af3837a1f0557969f5b4386636f3824
- SHA256
  
  5ab4e24c19920bf215f60ccceeb4a0641f6ac404665f99abcea4eec4aa2aa529
- SHA512
  
  5242e1a38d0f935d857781207feeb58c497874858e5200a757293e225bd92034f96050332ea425a02ea31873b1892833837a453810d22c055ab7577d737d7189
- SSDEEP
  
  49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral5 behavioral6
- Target
  
  5aba8889254015bbafbba1cca9d776bb318bd21a60106974f250dceefbfe2987.exe
- Size
  
  221KB
- MD5
  
  541e5218c80af67946ff24083bd0b726
- SHA1
  
  2ff2e275005f9f7ce165701ee2de3512cba7c2ba
- SHA256
  
  5aba8889254015bbafbba1cca9d776bb318bd21a60106974f250dceefbfe2987
- SHA512
  
  cefedd6a1198531d6c95f71875bd2552696b35acd86fac1894f074201f1a9eb71c227d85611016f64989fccab7a924900f437c123fa4485955d1f31cfe5c7a52
- SSDEEP
  
  3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmR:ZR5IuMQoseGk7RZBGxAycKpSPX2S
Score

10^/10

defense_evasion discovery persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  5af4910e242c77f6b6e68a0ac29292d0.exe
- Size
  
  16KB
- MD5
  
  5af4910e242c77f6b6e68a0ac29292d0
- SHA1
  
  6d1def2ec4b980215bee82a2765d6bf6530fa55b
- SHA256
  
  0881efb0572ce644ed64b36837914be59acdf5e11fb2a8f5e813af60ff5bd6dc
- SHA512
  
  c0f1e0bdc2ecc4be7fbfd2067f40bffbc74e55e6e558e54d9879101914de696ed375d16c3a0b1f30a7c512579da7b69456e7e3fe0d6ca0f40056989b00b9be26
- SSDEEP
  
  384:Jjmvn8X19vieB68b9oDPlMNcLlb5sVKByV5Ct:Jjmvni19TB3clMNE2o
Score

1^/10
behavioral10 behavioral9
- Target
  
  5b286cfa6293d55ebb9adf9591836714279b8032e91bd9794f1f37c02fa50321.exe
- Size
  
  995KB
- MD5
  
  f00a98571c214d4b1fb70767f7f04bc7
- SHA1
  
  e7be37ce959fc754d9d7207589d405ef36a5c288
- SHA256
  
  5b286cfa6293d55ebb9adf9591836714279b8032e91bd9794f1f37c02fa50321
- SHA512
  
  5c0165ef585b43ac5b04189adad008700b7d0d835f6db0488a4cde4d08bbe7cb436f55f60556fd149c66e2b2336a7ebc43eedc67825eb8a6dd90c18a21ed28b5
- SSDEEP
  
  6144:HWusAIFB++velibxPyp/64wjOjn6cB3rZtT/Yq3v9Auky+4N1vbMM/c511:Hz7IFjvelQypyfy7z6u7+4DvbMM/c511
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  5b4ca84a7ecc5e29784e9ab2f73a1d242a4b52768134018c3498688f286f986d.exe
- Size
  
  145KB
- MD5
  
  9a091ee98c1c24801976dacf72472d1b
- SHA1
  
  9cfbe42a131d1e7aded04e0931d73d83e419b8ca
- SHA256
  
  5b4ca84a7ecc5e29784e9ab2f73a1d242a4b52768134018c3498688f286f986d
- SHA512
  
  dc646977fdd02f789492def873daa2936536d7cd46d09dde13424f22443b01a665a10feaff4f7c5ee20a83bd2fb8e0a3de5b0eddf04fedc49ec71a0eb9d2e46f
- SSDEEP
  
  3072:mvNYkHFE9j6OjM4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvM:2rE9AgVqwlL
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
behavioral13 behavioral14
- Target
  
  5b62e114e9c9713eda5a0e6b5d9d889d.exe
- Size
  
  2.0MB
- MD5
  
  5b62e114e9c9713eda5a0e6b5d9d889d
- SHA1
  
  fd29491568f573378be56a3d869fe15aad7ec99b
- SHA256
  
  e1f602783c8aa65757c86fe71f7fd1cfe80b8b04bdb3da9957d08e91d179e295
- SHA512
  
  f2a4ccf07dda4ddb5a89887c1044837010b2f99de2099288a6f65ef580e08d0649f6b3044258c07954edfda1e49ed67d8f5a0d5b4ac3bf9f6e5adc2fac5b1cbb
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral15 behavioral16
- Target
  
  5b70645dfb8e566d22c36db3f361bbd320dbaca42930d0d9328e350adc9cef94.exe
- Size
  
  123KB
- MD5
  
  799a0eb13e004a4717f0a2c81f4ef2a2
- SHA1
  
  ab21696be7b802cee1911600d382a17db9f2b8a6
- SHA256
  
  5b70645dfb8e566d22c36db3f361bbd320dbaca42930d0d9328e350adc9cef94
- SHA512
  
  1c1660778426b66abaf5e7a9486e7799148b52f2e4c1027b892997c2e4ca58cfe66c8af4e0e5251090c8805889ed659f59a31a22dfe57c34ee9807e34f8ec803
- SSDEEP
  
  3072:anGuRAAapU2cNd7dTzFAUc/g5wm8XKxmxxWhU6I:anGqGp3cRzFPc4JaKkxxg
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral17 behavioral18
- Target
  
  5bc9cb6ad0fa3859ec1f5aa542d9350b.exe
- Size
  
  28KB
- MD5
  
  5bc9cb6ad0fa3859ec1f5aa542d9350b
- SHA1
  
  9eb380e12c31f714356e957f27ea2a9a353433fd
- SHA256
  
  3c91d53cfe883fa95a24c9706f3d7cb44149d6db0386c64220d3ac8cd340e1e8
- SHA512
  
  3e51284910068366ca0aa44d3ca9df759f9d906fd8c036ae80c0518fc766acf78c0748abc2b23c028b13f3d9229b1eddc39cf4f2fab3517360db0ac63d10c7c9
- SSDEEP
  
  384:fHz+t6T6MD8fAtAu5Lt1zrl26m2pOivYPLz00LE2wVGubiNrxwmjYZtHMJhDdtVW:yt6TTsE5fzRFZcY0LiV9bvZqV
Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral19 behavioral20
- Target
  
  5bd53b90c9a087f62175a657969ca112ea270bf5677a4a0dfb8eb383c2d1f4e5.exe
- Size
  
  418KB
- MD5
  
  26e78fb82b46031cfd6883a62888f021
- SHA1
  
  a280d339fcb7fec26ae6a3ade73c4069c15a0070
- SHA256
  
  5bd53b90c9a087f62175a657969ca112ea270bf5677a4a0dfb8eb383c2d1f4e5
- SHA512
  
  315b1f25cb335ae78b917fb9cc5e5985e4c2f24ef49940f2a1f05a4536757cfdff64785684f679ab10ea608ae232b78cd25e5d58e5d17d9de224dd194ddfb2aa
- SSDEEP
  
  6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwbvl:ITNYrnE3bm/CiejewY5vXd
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  5be338c227e46f56eb13670ecc6ba26209097332f30411531456d5d829cbf547.exe
- Size
  
  441KB
- MD5
  
  b9f5eaf0927d4c526e3a838d82236dbc
- SHA1
  
  b760db73097b50b340706d785bf67236c3074c25
- SHA256
  
  5be338c227e46f56eb13670ecc6ba26209097332f30411531456d5d829cbf547
- SHA512
  
  673aa114aeb21e124d2f6cfb697a5880194edf4543d1ce792ffbe9742e236e4607f5f51aa6f5e672f500b2f894c358686c32bbd41ca6a2552c502c1c5ac51106
- SSDEEP
  
  6144:pXoI87e04Y8x9eL7e6VlWT8b9BcgjwUPbQVd/y1E:pM98+7PVle8rAUeCE
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  5bf9504e15f844a8d96c9b05341934f0ccb027ad5ab74cbc28c1678cd7e91b35.exe
- Size
  
  931KB
- MD5
  
  de0b7b43df33cbfe60f07ec20ed2bc04
- SHA1
  
  5ea660ba3c486cbc098d52a152a09a0c19d5ca0b
- SHA256
  
  5bf9504e15f844a8d96c9b05341934f0ccb027ad5ab74cbc28c1678cd7e91b35
- SHA512
  
  8b7bcb0105e0c5efaf938df1c94593c9fe0ae2108ab16c9a7a7044945f6c1dd36ad17d2b0da3868e84786aa8e5f9f886da60c41fab933a63aaa7442bf6f61ba2
- SSDEEP
  
  12288:E7DTJUtg9krVkuACDM2my6ZDqnel2Ut/mBlEiqBEglJFdH/wN9YY3Qxx/5Y26280:EBdMM20dqnavYbbyEsCE3L5fBut16XL
Score

7^/10

discovery spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  5c267be2da7a03e076603b32034d402c1cbe54ec38a6742cbeeabb5186de3125.exe
- Size
  
  335KB
- MD5
  
  1fe9cc525fbe038e451330126058029d
- SHA1
  
  45800d0c776029607c1ded3638886edc4727d998
- SHA256
  
  5c267be2da7a03e076603b32034d402c1cbe54ec38a6742cbeeabb5186de3125
- SHA512
  
  0fc4748ef6b79588d3f82de05f136565e7e45cbc696b711d5f2eb5fe2eb8241259d0ac5b9c93f95838a393df1c84decfc8f7a9ae60a302262a5876c959f6fe41
- SSDEEP
  
  6144:YNpY/HRxQLnoI6GJmQfcxTS+KRVItiPkiFbsqrCq0MGP7VUcFRbrDeg6zJv2:YsJxino+L62ItiPkiFbsqGq0MGP7VUcb
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  5c4c8e3473b0c8f8a1d81b941495d80c1d07fc22d02cd10dc467f4309645d2e2.exe
- Size
  
  770KB
- MD5
  
  512de90549a0ffd01db566d4e69afa97
- SHA1
  
  193cce38892758314db86d16fbc1e6a07008729c
- SHA256
  
  5c4c8e3473b0c8f8a1d81b941495d80c1d07fc22d02cd10dc467f4309645d2e2
- SHA512
  
  fdbe1b71231057d8b1c25c9a152a846d0860f5f9a3e1942a877f691d5f39e702fafe14b0e9a2e7e21dfa427fed6d20b6fe33109dd82a53fda7b2271ed9c7b177
- SSDEEP
  
  12288:2Cg/vC4AAY6NkAI9gNoDUCvUMMyRx0E6eKJQ0qnkf29Bq:2C4vCNAEAwgNIUUz0E1KJQBnkMq
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral29 behavioral30
- Target
  
  5c55fbcb2e826d47b9446973666e9dfbb429c5e37581d6641b0cf2528649ef2a.exe
- Size
  
  495KB
- MD5
  
  4f0cb3352c75a47e9fb8cc3a08fe62fc
- SHA1
  
  7f992fe7e02920b6e81a8375e7783d3ff3ec8594
- SHA256
  
  5c55fbcb2e826d47b9446973666e9dfbb429c5e37581d6641b0cf2528649ef2a
- SHA512
  
  7ba555345f6acfb3bd9351f96d56891e7529f393d03ea557c0ed796ece46ca2103e082d648b9b472168ba37abcacf18bab98c1facc6b4e80be06f8ca6ab5bd39
- SSDEEP
  
  6144:SrUyLo6Ne40BlxE4F459KSLUKF2U6B/Z3InJv6jsyZIf78p33MYn65lMDKEmcSpM:SQb6Ne405E4aqYU1SUZO8pnMXADdSl
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32