dcrat | d09ecf875a5673d913c9162b9483331043bc8c17d61d24c51e92269ca29afd62 | Triage

Submit
Reports

Overview

overview

Static

static

3

2025-04-04...er.exe

windows10-2004-x64

Sharing

General

Target

2025-04-04_7ceeaab80e3c4481ebc4a025857bc0fe_black-basta_cova_luca-stealer
Size

3.8MB
Sample

250404-gcytzstks9
MD5

7ceeaab80e3c4481ebc4a025857bc0fe
SHA1

6b821230811b3e85befa6549374862a21f9c041b
SHA256

d09ecf875a5673d913c9162b9483331043bc8c17d61d24c51e92269ca29afd62
SHA512

92b8bb20771aae6f40f3da8bec754541f2b10d51aa30c493ab4b26d3e9d05416f29905954968cc1a8a013b013b8f26aeef011338e0f161b7dc4235ef91230ec9
SSDEEP

98304:bIVsEgIT4bNJFY3OqtEy7iS1ceWg8ioKgcEZm:bCOjBHY0ciSiGoKU0

Score

10^/10

dcrat discovery infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2025-04-04_7ceeaab80e3c4481ebc4a025857bc0fe_black-basta_cova_luca-stealer.exe

Resource

win10v2004-20250314-en

dcrat discovery infostealer persistence rat

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  2025-04-04_7ceeaab80e3c4481ebc4a025857bc0fe_black-basta_cova_luca-stealer
- Size
  
  3.8MB
- MD5
  
  7ceeaab80e3c4481ebc4a025857bc0fe
- SHA1
  
  6b821230811b3e85befa6549374862a21f9c041b
- SHA256
  
  d09ecf875a5673d913c9162b9483331043bc8c17d61d24c51e92269ca29afd62
- SHA512
  
  92b8bb20771aae6f40f3da8bec754541f2b10d51aa30c493ab4b26d3e9d05416f29905954968cc1a8a013b013b8f26aeef011338e0f161b7dc4235ef91230ec9
- SSDEEP
  
  98304:bIVsEgIT4bNJFY3OqtEy7iS1ceWg8ioKgcEZm:bCOjBHY0ciSiGoKU0
Score

10^/10

dcrat discovery infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratdiscoveryinfostealerpersistencerat

© 2018-2025

Terms | Privacy