dcrat | f5fb3ae5ca25c16f178ca10c99aa7b4af70dc38fd806aef46d662c6ab40aab78 | Triage

Submit
Reports

Overview

overview

Static

static

MEGALOADER.exe

windows7-x64

MEGALOADER.exe

windows10-2004-x64

Sharing

General

Target

MEGALOADER.exe
Size

1.7MB
Sample

240630-b7glasvhlj
MD5

ac4c9d6cd24a44a660c69bf7b55f17b0
SHA1

e41107db8aad88bb26d1879db7aed31e91942644
SHA256

f5fb3ae5ca25c16f178ca10c99aa7b4af70dc38fd806aef46d662c6ab40aab78
SHA512

0b1ee2a0c3a1c73d9ce53111df250c2c36d4dcc38ac9426bede09c8eb9a274aadb671e86018073c62abd7c09726ff878ccf1001240754e9bef3948e0a2130c4f
SSDEEP

24576:O2G/nvxW3Wir0g0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdSR:ObA3dogGy/3dSnEYFJvxSN

Score

10^/10

dcrat evasion execution infostealer rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

MEGALOADER.exe

Resource

win7-20240220-en

dcrat evasion execution infostealer rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

MEGALOADER.exe

Resource

win10v2004-20240611-en

dcrat evasion execution infostealer rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  MEGALOADER.exe
- Size
  
  1.7MB
- MD5
  
  ac4c9d6cd24a44a660c69bf7b55f17b0
- SHA1
  
  e41107db8aad88bb26d1879db7aed31e91942644
- SHA256
  
  f5fb3ae5ca25c16f178ca10c99aa7b4af70dc38fd806aef46d662c6ab40aab78
- SHA512
  
  0b1ee2a0c3a1c73d9ce53111df250c2c36d4dcc38ac9426bede09c8eb9a274aadb671e86018073c62abd7c09726ff878ccf1001240754e9bef3948e0a2130c4f
- SSDEEP
  
  24576:O2G/nvxW3Wir0g0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdSR:ObA3dogGy/3dSnEYFJvxSN
Score

10^/10

dcrat evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

dcratevasionexecutioninfostealerrattrojan

behavioral2

dcratevasionexecutioninfostealerrattrojan

© 2018-2024

Terms | Privacy