dcrat | e850c790d73622a00145c2db809cfdef073894a15f6b1ccbf64ee431b9472306

General

Target

MultiHack STALCRAFT.exe
Size

2.6MB
MD5

999f1063f749669bfb2ca8b981a02fc3
SHA1

b7cfbea56657a13fc857ef4fc0709f90c2e00433
SHA256

e850c790d73622a00145c2db809cfdef073894a15f6b1ccbf64ee431b9472306
SHA512

2695ba800010e688e4656f209a91f666b60859d1d28bba5ffd941fc7532385360a90362882c1564dd21486ac0ba085d8692cd7e030d8935df02a737f811b254b
SSDEEP

49152:UbA30+n2mgETrv8FVKWlhzEyZqRbSMeLDH/nNycDsenl9pf0ibF7izYk:Uba2irch77YW/HfgcwClr8sRizB

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	336	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	336	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	336	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	336	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	336	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	336	schtasks.exe	27

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000022e1e-139.dat	dcrat
behavioral2/files/0x0006000000022e1e-140.dat	dcrat
behavioral2/memory/3180-141-0x00000000003C0000-0x0000000000612000-memory.dmp	dcrat
behavioral2/files/0x0006000000022e25-151.dat	dcrat
behavioral2/files/0x0006000000022e25-152.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
3180	Hyperperfcrt.exe
4204	dllhost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	MultiHack STALCRAFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Hyperperfcrt.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ipinfo.io
36	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4156	schtasks.exe
4680	schtasks.exe
4624	schtasks.exe
4008	schtasks.exe
4148	schtasks.exe
4876	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	Hyperperfcrt.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	MultiHack STALCRAFT.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3180	Hyperperfcrt.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe
4204	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4204	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	Hyperperfcrt.exe
Token: SeDebugPrivilege	4204	dllhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4900	2604	MultiHack STALCRAFT.exe	82
PID 2604 wrote to memory of 4900	2604	MultiHack STALCRAFT.exe	82
PID 2604 wrote to memory of 4900	2604	MultiHack STALCRAFT.exe	82
PID 2604 wrote to memory of 1488	2604	MultiHack STALCRAFT.exe	83
PID 2604 wrote to memory of 1488	2604	MultiHack STALCRAFT.exe	83
PID 2604 wrote to memory of 1488	2604	MultiHack STALCRAFT.exe	83
PID 4900 wrote to memory of 3156	4900	WScript.exe	84
PID 4900 wrote to memory of 3156	4900	WScript.exe	84
PID 4900 wrote to memory of 3156	4900	WScript.exe	84
PID 3156 wrote to memory of 3180	3156	cmd.exe	86
PID 3156 wrote to memory of 3180	3156	cmd.exe	86
PID 3180 wrote to memory of 3892	3180	Hyperperfcrt.exe	96
PID 3180 wrote to memory of 3892	3180	Hyperperfcrt.exe	96
PID 3892 wrote to memory of 4892	3892	cmd.exe	98
PID 3892 wrote to memory of 4892	3892	cmd.exe	98
PID 3892 wrote to memory of 4204	3892	cmd.exe	103
PID 3892 wrote to memory of 4204	3892	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\MultiHack STALCRAFT.exe
"C:\Users\Admin\AppData\Local\Temp\MultiHack STALCRAFT.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winrefHost\L3LnYNcg2ndBEhia1dY6vzGVM3h7rI.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\winrefHost\by3bzroT3WJ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\winrefHost\Hyperperfcrt.exe
      "C:\winrefHost\Hyperperfcrt.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4892
      - C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winrefHost\file.vbs"
  2⤵
  PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat

Filesize
198B

MD5
16c5bb849067c4979641111eb3366309

SHA1
d2ef68abd03bbb766d703aa5d12cfdc91f6defcf

SHA256
7ecfa1f4bf67f8f0787316986d8de2433cc72eafa5f2272d555f74902f723355

SHA512
dcbb6ccc2685ec328967aa3a74aed1452b19ca0aca24304dca54a66929554e03b7660eb417ff3044fe29024db44c03d9b480bac2ea3731813bb3a838dcb244de

Download Submit
C:\winrefHost\Hyperperfcrt.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\winrefHost\Hyperperfcrt.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\winrefHost\L3LnYNcg2ndBEhia1dY6vzGVM3h7rI.vbe

Filesize
198B

MD5
05b098999c7dcc148606c839fa680a1f

SHA1
15a99da3c7ce701748a69bc99f98b46e260031b8

SHA256
d76f2cec01d4def8fae939cd051bab2698087acc0689708524e26259b9c36097

SHA512
c28267f7e25ba651e22a17a50e5a64e92a754e400e90a00d19d023869a3cc53e7878b625d39286ded0d13f1281487c28bc2e5e6ff2586d37baa45ca24e28cb64

Download Submit
C:\winrefHost\by3bzroT3WJ.bat

Filesize
32B

MD5
935c7f36c394cada665c48a7f460ab65

SHA1
8a55a151ac6ae8ff990679aa862fd0f476fa10b8

SHA256
dfd653bf319f98bdecab9823602433fb381c73ca63335f694216daf441ad5cc5

SHA512
527587eb19a4d609174441edf570189fb07024c1bf26e1924b8a835e31251c27bf7dbbe1ef5c769e4f335f70e2ed1f53dee938958d50928ed621586e9c9dfcf2

Download Submit
C:\winrefHost\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
memory/3180-143-0x00007FFF4D9B0000-0x00007FFF4E471000-memory.dmp

Filesize
10.8MB

Download
memory/3180-144-0x000000001B250000-0x000000001B2A0000-memory.dmp

Filesize
320KB

Download
memory/3180-145-0x000000001CC10000-0x000000001D138000-memory.dmp

Filesize
5.2MB

Download
memory/3180-141-0x00000000003C0000-0x0000000000612000-memory.dmp

Filesize
2.3MB

Download
memory/3180-142-0x000000001C480000-0x000000001C582000-memory.dmp

Filesize
1.0MB

Download
memory/3180-149-0x00007FFF4D9B0000-0x00007FFF4E471000-memory.dmp

Filesize
10.8MB

Download
memory/4204-153-0x00007FFF4D670000-0x00007FFF4E131000-memory.dmp

Filesize
10.8MB

Download
memory/4204-154-0x00007FFF4D670000-0x00007FFF4E131000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads