dcrat | f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97 | Triage

Submit
Reports

Overview

overview

Static

static

f4ab048f18...97.exe

windows7-x64

f4ab048f18...97.exe

windows10-2004-x64

Sharing

General

Target

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
Size

1.1MB
Sample

240705-cd89wsscke
MD5

829cab70d17eaedeabe77c32154d11f2
SHA1

196c898abee483229f61342ac1f8248677f833da
SHA256

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97
SHA512

9d7ce634639d86cf020d1ce1a85e7c7d113feed2d0fc98f1f5ebb233ba77129e133b92636864bdbf105ec5599143f84835219203173bcf63ce047a7d40a7f4c3
SSDEEP

24576:Y2G/nvxW3W4kqExbb2uM2bowf751JKeqkTsRPns:YbA34qQUwf75bz

Score

10^/10

dcrat infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe

Resource

win7-20240221-en

dcrat infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe

Resource

win10v2004-20240508-en

dcrat infostealer persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
- Size
  
  1.1MB
- MD5
  
  829cab70d17eaedeabe77c32154d11f2
- SHA1
  
  196c898abee483229f61342ac1f8248677f833da
- SHA256
  
  f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97
- SHA512
  
  9d7ce634639d86cf020d1ce1a85e7c7d113feed2d0fc98f1f5ebb233ba77129e133b92636864bdbf105ec5599143f84835219203173bcf63ce047a7d40a7f4c3
- SSDEEP
  
  24576:Y2G/nvxW3W4kqExbb2uM2bowf751JKeqkTsRPns:YbA34qQUwf75bz
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

dcratinfostealerpersistencerat

behavioral2

dcratinfostealerpersistencerat

© 2018-2024

Terms | Privacy