dcrat | 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598

General

Target

5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
Size

2.1MB
MD5

cd41c9fd80fc79506911ae3a97676eb6
SHA1

8a53a31dabf4c6bc373d6d83b75723e1eae1a384
SHA256

5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598
SHA512

6d1657a837906d61d1a48fea8b1397bdbf638954981b4f519a4ba62ef27ba974467d886832d4b56ff09029193553bb21cc48af37c3111391734c0030e5cb443a

Score

10^/10

dcrat evasion infostealer rat suricata

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
suricata: ET MALWARE DCRat Initial CnC Activity
suricata: ET MALWARE DCRat Initial CnC Activity
suricata
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

fontwin.exe

pid process

592 fontwin.exe

pid	process
592	fontwin.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1400 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1900 reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fontwin.exe

pid process

592 fontwin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fontwin.exe

description pid process

Token: SeDebugPrivilege 592 fontwin.exe

pid	process
1400	cmd.exe

pid	process
1900	reg.exe

pid	process
592	fontwin.exe

description	pid	process
Token: SeDebugPrivilege	592	fontwin.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exeWScript.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 980	1620	5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe	WScript.exe
PID 1620 wrote to memory of 980	1620	5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe	WScript.exe
PID 1620 wrote to memory of 980	1620	5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe	WScript.exe
PID 1620 wrote to memory of 980	1620	5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe	WScript.exe
PID 980 wrote to memory of 1400	980	WScript.exe	cmd.exe
PID 980 wrote to memory of 1400	980	WScript.exe	cmd.exe
PID 980 wrote to memory of 1400	980	WScript.exe	cmd.exe
PID 980 wrote to memory of 1400	980	WScript.exe	cmd.exe
PID 1400 wrote to memory of 592	1400	cmd.exe	fontwin.exe
PID 1400 wrote to memory of 592	1400	cmd.exe	fontwin.exe
PID 1400 wrote to memory of 592	1400	cmd.exe	fontwin.exe
PID 1400 wrote to memory of 592	1400	cmd.exe	fontwin.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
"C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fontsvc\System.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat" "
3⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\fontsvc\fontwin.exe
"C:\fontsvc\fontwin.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\fontsvc\System.lnk
Filesize
369B

MD5
7fab07ce9c3a32f71732c3da94fd1678

SHA1
6b739bcc81717df1a430308cd41ddfb004d0e297

SHA256
1f12c98c6f711db8dcd14c18b89b84457cee87475c55c37d4ffbc0ba8050116c

SHA512
40a57e0f19e9c2f8be0885c2fd092afc5563adf58ecb29105481d34f591509e8e8c40b1fc6d9e2c083807b70f1827e55123a2066a44a5b434509fdecd415f0e2

Download Submit
C:\fontsvc\System.vbe
Filesize
366B

MD5
08d1b73b3ebafa4fdc59aad6855288c2

SHA1
74e059014c139a5071b7c51c0c2795dd891b674c

SHA256
367e82e5ad4d288f6b41076bed049f5ccb9f7279d439f19610a1fedc1268d252

SHA512
e7a81648ab124d747b2a8333dfd9cbbf987fce4cc4744c9fda66a376d72211e983a22267d07f16a1cc3bf964a8e22254c8fcac8f8bacae17e628f96d3a6cbbcc

Download Submit
C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat
Filesize
833B

MD5
7f2fe99aa89ebaa4f4c0f008e7820434

SHA1
996fd0408f67ce90f39db8da574c19f8a7dbf894

SHA256
6e7fa0e1d108798d9a914e790cc0ffddefeff5d5161d1aab3da9b250eccf5121

SHA512
ff71f66583de98dae1593cf584d0e9d459894c7709279d554cc65a105996b14d065f038f2b9211dda2883e938640101b5b8b5886e95f4b47a9b4b86ce47b74e9

Download Submit
C:\fontsvc\fontwin.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
C:\fontsvc\fontwin.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
C:\fontsvc\vmcheck32.dll
Filesize
596B

MD5
cc7bbc6a1d386fe2023c805e00865e8c

SHA1
906de1c94454d226a96fea1b2651884ba4dd0ee3

SHA256
19fb7a8d91f33b384891b965f94a119325c71c06336ededb042bf82088917232

SHA512
acb5d30e730fe227c047d0f86e7c7445c3f540c5f768c0736bb846952719086a23acf91aa6ce9aabd82a907a6ce2ecb8accf6210befe46fac3ec4ab8fc4700d1

Download Submit
\fontsvc\fontwin.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
memory/592-67-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/592-62-0x0000000000000000-mapping.dmp

Download
memory/592-65-0x0000000001080000-0x00000000012B4000-memory.dmp

Filesize
2.2MB

Download
memory/592-66-0x000000001B8C0000-0x000000001BC12000-memory.dmp

Filesize
3.3MB

Download
memory/592-68-0x000000001AA40000-0x000000001AABC000-memory.dmp

Filesize
496KB

Download
memory/592-69-0x000000001AB60000-0x000000001ABF0000-memory.dmp

Filesize
576KB

Download
memory/592-70-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/980-55-0x0000000000000000-mapping.dmp

Download
memory/1400-59-0x0000000000000000-mapping.dmp

Download
memory/1620-54-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1900-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing