dcrat | 225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478 | Triage

Submit
Reports

Overview

overview

Static

static

7

DCRatBuild.exe

windows7-x64

DCRatBuild.exe

windows10-2004-x64

Sharing

General

Target

DCRatBuild.exe
Size

1.4MB
Sample

250326-ft3zla1mx7
MD5

890b09aea29e89eaf80df95deefb73c3
SHA1

3c6b2b2e635542eaaf4aefd3e0af6a285aefab50
SHA256

225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478
SHA512

2a8388fda1533b06d377ed46457cf2f68919ac62cd0ef6ff79a88383a60c1ca0b27a7dc6b1fdcde09f5a7f5b5b7389f27a2f4e79c7c5d2f01f0c602f3cec5421
SSDEEP

24576:9TbBv5rUCB0nQ1c9yzgS5o/mNHJK7CXiUgRRAJtndHr5k+jp9TO7:XBOQ1Iy0MYRIfj+

Score

10^/10

dcrat discovery infostealer rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

DCRatBuild.exe

Resource

win7-20240903-en

dcrat discovery infostealer rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

DCRatBuild.exe

Resource

win10v2004-20250314-en

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  DCRatBuild.exe
- Size
  
  1.4MB
- MD5
  
  890b09aea29e89eaf80df95deefb73c3
- SHA1
  
  3c6b2b2e635542eaaf4aefd3e0af6a285aefab50
- SHA256
  
  225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478
- SHA512
  
  2a8388fda1533b06d377ed46457cf2f68919ac62cd0ef6ff79a88383a60c1ca0b27a7dc6b1fdcde09f5a7f5b5b7389f27a2f4e79c7c5d2f01f0c602f3cec5421
- SSDEEP
  
  24576:9TbBv5rUCB0nQ1c9yzgS5o/mNHJK7CXiUgRRAJtndHr5k+jp9TO7:XBOQ1Iy0MYRIfj+
Score

10^/10

dcrat discovery infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratdiscoveryinfostealerrat

behavioral2

© 2018-2025

Terms | Privacy