dcrat | 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5

General

Target

ffbce36aa9defedbf576ed02e636287f.exe
Size

1.5MB
MD5

ffbce36aa9defedbf576ed02e636287f
SHA1

f252d41488346a09408d14adeda8f8d7be569948
SHA256

07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5
SHA512

7e0febf2872ce264a65d9168228753a375c1187aaf5f102406647ac8306c2d769c7d586c479c97e1252702a51b65ba12f83eb7bac5ff24b00e09a8fdc8b6ed60
SSDEEP

24576:i2G/nvxW3WwJo0hip/LEXrvlZJMWyRqsBuNXaSLdYqqmZ/BYZGQEUx:ibA3G0Mp/LEXrfJMWyRD8ly4GZ3x

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\HyperserverhostperfDhcp\BlockBroker.exe	dcrat
C:\HyperserverhostperfDhcp\BlockBroker.exe	dcrat
\HyperserverhostperfDhcp\BlockBroker.exe	dcrat
C:\HyperserverhostperfDhcp\BlockBroker.exe	dcrat
behavioral1/memory/684-65-0x0000000001130000-0x0000000001210000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

BlockBroker.exe

pid process

684 BlockBroker.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

756 cmd.exe
756 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BlockBroker.exe

description pid process

Token: SeDebugPrivilege 684 BlockBroker.exe

pid	process
684	BlockBroker.exe

pid	process
756	cmd.exe
756	cmd.exe

description	pid	process
Token: SeDebugPrivilege	684	BlockBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ffbce36aa9defedbf576ed02e636287f.exeWScript.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 1780	1416	ffbce36aa9defedbf576ed02e636287f.exe	WScript.exe
PID 1416 wrote to memory of 1780	1416	ffbce36aa9defedbf576ed02e636287f.exe	WScript.exe
PID 1416 wrote to memory of 1780	1416	ffbce36aa9defedbf576ed02e636287f.exe	WScript.exe
PID 1416 wrote to memory of 1780	1416	ffbce36aa9defedbf576ed02e636287f.exe	WScript.exe
PID 1780 wrote to memory of 756	1780	WScript.exe	cmd.exe
PID 1780 wrote to memory of 756	1780	WScript.exe	cmd.exe
PID 1780 wrote to memory of 756	1780	WScript.exe	cmd.exe
PID 1780 wrote to memory of 756	1780	WScript.exe	cmd.exe
PID 756 wrote to memory of 684	756	cmd.exe	BlockBroker.exe
PID 756 wrote to memory of 684	756	cmd.exe	BlockBroker.exe
PID 756 wrote to memory of 684	756	cmd.exe	BlockBroker.exe
PID 756 wrote to memory of 684	756	cmd.exe	BlockBroker.exe

C:\Users\Admin\AppData\Local\Temp\ffbce36aa9defedbf576ed02e636287f.exe
"C:\Users\Admin\AppData\Local\Temp\ffbce36aa9defedbf576ed02e636287f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\HyperserverhostperfDhcp\BlockBroker.exe
"C:\HyperserverhostperfDhcp\BlockBroker.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HyperserverhostperfDhcp\BlockBroker.exe
Filesize
870KB

MD5
94390ab4d2b45d3bdcf0dbb83930e5f2

SHA1
7efa1a0975743083a6817048bc37ef54a9db0886

SHA256
422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192

SHA512
4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325

Download Submit
C:\HyperserverhostperfDhcp\BlockBroker.exe
Filesize
870KB

MD5
94390ab4d2b45d3bdcf0dbb83930e5f2

SHA1
7efa1a0975743083a6817048bc37ef54a9db0886

SHA256
422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192

SHA512
4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325

Download Submit
C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat
Filesize
44B

MD5
d5b649a9a78d515978e9440aa8df39c7

SHA1
81d1e4b5b1da4362cd54e3146686a807b441913c

SHA256
a2a0212a037816b3bfe177c75218b72927c303f22ca4a32eec30769c3a420ed7

SHA512
b8d32053a3da692a308127aec1f982ed2f8935081d8678841109f7f4fa270af10b96ab9f3e2ddba063271e3be427435821dbbf58bc35f99a8aa3670b05336437

Download Submit
C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe
Filesize
227B

MD5
8f5f4cd2817523d66c78b5a381f639b5

SHA1
713fd28837fcf8175bc60be63450ba458b7721d9

SHA256
9ead6aa5bea9c1450de016d068e27c5c2f072c8e823db96deebb84e197d1138a

SHA512
4a28d5c39da19f7135ccb1793fc591c4a34c5a73bab764926f3487795aac0f6a3dabc73d91b753d9e070b43bbc14555b685a56b9bf4271df0fc44f155ab99c6c

Download Submit
\HyperserverhostperfDhcp\BlockBroker.exe
Filesize
870KB

MD5
94390ab4d2b45d3bdcf0dbb83930e5f2

SHA1
7efa1a0975743083a6817048bc37ef54a9db0886

SHA256
422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192

SHA512
4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325

Download Submit
\HyperserverhostperfDhcp\BlockBroker.exe
Filesize
870KB

MD5
94390ab4d2b45d3bdcf0dbb83930e5f2

SHA1
7efa1a0975743083a6817048bc37ef54a9db0886

SHA256
422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192

SHA512
4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325

Download Submit
memory/684-63-0x0000000000000000-mapping.dmp

Download
memory/684-65-0x0000000001130000-0x0000000001210000-memory.dmp

Filesize
896KB

Download
memory/684-66-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/756-59-0x0000000000000000-mapping.dmp

Download
memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1780-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing