dcrat

Target

AutoClicker-3.1.exe
Size

860KB
Sample

250406-mzvnqswyat
MD5

c208a15591828ac1b1c825f33fd55c8a
SHA1

bea4a247ece1a749d0994fc085fbd2d7c90a21e7
SHA256

a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da
SHA512

b78d8055fc64bac1cdd366cdb339df2e081228bd998fdb5450a6832b0720c1b321568aabd7535ce62c16067ad20c86e51712c3e78bc40945adc05c63565fd889
SSDEEP

12288:2aWzgMg7v3qnCipErQohh0F4xCJ8lnydQEzFGZ3dRP6yWD:RaHMv6C1rjpnydQEOPdWD

Score

10^/10

Malware Config

Targets

- Target
  
  AutoClicker-3.1.exe
- Size
  
  860KB
- MD5
  
  c208a15591828ac1b1c825f33fd55c8a
- SHA1
  
  bea4a247ece1a749d0994fc085fbd2d7c90a21e7
- SHA256
  
  a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da
- SHA512
  
  b78d8055fc64bac1cdd366cdb339df2e081228bd998fdb5450a6832b0720c1b321568aabd7535ce62c16067ad20c86e51712c3e78bc40945adc05c63565fd889
- SSDEEP
  
  12288:2aWzgMg7v3qnCipErQohh0F4xCJ8lnydQEzFGZ3dRP6yWD:RaHMv6C1rjpnydQEOPdWD
Score

10^/10

dcrat xmrig xorddos aspackv2 botnet defense_evasion discovery downloader execution infostealer miner persistence privilege_escalation ransomware rat spyware stealer upx
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Xmrig family
  xmrig
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Xorddos family
  xorddos
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1