dcrat | f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd

General

Target

245ed2db66c841556f3d7b52ab251030.exe
Size

1.2MB
MD5

245ed2db66c841556f3d7b52ab251030
SHA1

8f12f472db36bf57ac7f2a02f21549d1559c672c
SHA256

f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd
SHA512

6d5cdac70c9f090d472d4baa378c87d0bc7b582606f2767938b011401bfa6822cd7159c62ff58369c2d2c017654624a49134687879229f42673e4a785f47a0d6

Score

10^/10

dcrat infostealer rat suricata

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata

DCRat Payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\chainreview\.exe	dcrat
C:\chainreview\.exe	dcrat
\chainreview\.exe	dcrat
C:\chainreview\.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

1728 .exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1364 cmd.exe
1364 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

.exe

pid process

1728 .exe
1728 .exe
1728 .exe
1728 .exe
1728 .exe
1728 .exe
1728 .exe
1728 .exe
1728 .exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

.exe

description pid process

Token: SeDebugPrivilege 1728 .exe

pid	process
1728	.exe

pid	process
1364	cmd.exe
1364	cmd.exe

pid	process
1728	.exe
1728	.exe
1728	.exe
1728	.exe
1728	.exe
1728	.exe
1728	.exe
1728	.exe
1728	.exe

description	pid	process
Token: SeDebugPrivilege	1728	.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

245ed2db66c841556f3d7b52ab251030.exeWScript.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1912	2000	245ed2db66c841556f3d7b52ab251030.exe	WScript.exe
PID 2000 wrote to memory of 1912	2000	245ed2db66c841556f3d7b52ab251030.exe	WScript.exe
PID 2000 wrote to memory of 1912	2000	245ed2db66c841556f3d7b52ab251030.exe	WScript.exe
PID 2000 wrote to memory of 1912	2000	245ed2db66c841556f3d7b52ab251030.exe	WScript.exe
PID 1912 wrote to memory of 1364	1912	WScript.exe	cmd.exe
PID 1912 wrote to memory of 1364	1912	WScript.exe	cmd.exe
PID 1912 wrote to memory of 1364	1912	WScript.exe	cmd.exe
PID 1912 wrote to memory of 1364	1912	WScript.exe	cmd.exe
PID 1364 wrote to memory of 1728	1364	cmd.exe	.exe
PID 1364 wrote to memory of 1728	1364	cmd.exe	.exe
PID 1364 wrote to memory of 1728	1364	cmd.exe	.exe
PID 1364 wrote to memory of 1728	1364	cmd.exe	.exe

C:\Users\Admin\AppData\Local\Temp\245ed2db66c841556f3d7b52ab251030.exe
"C:\Users\Admin\AppData\Local\Temp\245ed2db66c841556f3d7b52ab251030.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainreview\TMWNv3mE2TIbawdkFU0NZqVs.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\chainreview\hVeVLdt7YgrTd9f5EBWZj5Lf.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\chainreview\.exe
      "C:\chainreview\.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\chainreview\.exe

Filesize
828KB

MD5
c95eaf6c0946234a5ae4d8cc18fabb01

SHA1
19d9507d5c6bc789f9ff0c27a6da4c7d415d3157

SHA256
f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7

SHA512
8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0

Download Submit
C:\chainreview\.exe

Filesize
828KB

MD5
c95eaf6c0946234a5ae4d8cc18fabb01

SHA1
19d9507d5c6bc789f9ff0c27a6da4c7d415d3157

SHA256
f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7

SHA512
8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0

Download Submit
C:\chainreview\TMWNv3mE2TIbawdkFU0NZqVs.vbe

Filesize
212B

MD5
c754e26593c070e05dbb6ca50b277202

SHA1
55c260c08200e12bd2cff1cd1367a86aa75b70a4

SHA256
7ec888e0d565acff5594b6fad96e6c39e35fba928837ec2ca7c31669ef09dade

SHA512
4c87df6a307222d90794425c314bf66d78cdef84a7f9ba54c47dc19eb59ee89fde53b5d9d9908fb4e9b26b58eb8b1cb2c2d5a5b37aa04f851bf1116297d8952d

Download Submit
C:\chainreview\hVeVLdt7YgrTd9f5EBWZj5Lf.bat

Filesize
21B

MD5
4b2d709c097bcecdacf548330a0f2704

SHA1
d2adee306617f4846b31727e1c03289d425fa8bb

SHA256
b4c73df97e2777d089313540a743479457b2098566588ce2ba541bb48c4a3c4b

SHA512
3043fc7b83d03788f5af852009571fe617e568514e3fcbd1f400e0f354fb0697257e540a708d049b7ab8e970588ec5d01d3e4a7fc444cd7eddaeddcc9e68c331

Download Submit
\chainreview\.exe

Filesize
828KB

MD5
c95eaf6c0946234a5ae4d8cc18fabb01

SHA1
19d9507d5c6bc789f9ff0c27a6da4c7d415d3157

SHA256
f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7

SHA512
8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0

Download Submit
\chainreview\.exe

Filesize
828KB

MD5
c95eaf6c0946234a5ae4d8cc18fabb01

SHA1
19d9507d5c6bc789f9ff0c27a6da4c7d415d3157

SHA256
f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7

SHA512
8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0

Download Submit
memory/1364-59-0x0000000000000000-mapping.dmp

Download
memory/1728-63-0x0000000000000000-mapping.dmp

Download
memory/1728-65-0x0000000000A80000-0x0000000000B56000-memory.dmp

Filesize
856KB

Download
memory/1912-55-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing