dcrat | a6ce812851fb640d0a2c871e4196d4d4fab355695e8d29d3f5c39a5a7c4b4c28

General

Target

file.exe
Size

1.7MB
MD5

a079be1caf5e0fc987be2bbd1f55a865
SHA1

51d8633e6b3b698a181f2d68b663b356eb338516
SHA256

a6ce812851fb640d0a2c871e4196d4d4fab355695e8d29d3f5c39a5a7c4b4c28
SHA512

238d81673129f641937904c48e6574b56c37a70835ba8f6b970b7ce24cbf262be4319a3549067bb6ca83d48a54db602c2b8ff5ea26befd0dc873bbe1815dd18f
SSDEEP

49152:JkQTAqbq63skEfe+WR1O0FhKqto5gFE1ad67Th:Jau80tjO0FhKuogd67Th

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0009000000022e54-134.dat	dcrat
behavioral2/files/0x0009000000022e54-135.dat	dcrat
behavioral2/files/0x0006000000022e5e-141.dat	dcrat
behavioral2/files/0x0006000000022e5e-142.dat	dcrat
behavioral2/memory/4936-143-0x00000000008E0000-0x0000000000A94000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2036	1.exe
4936	agentServer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	file.exe
Token: SeDebugPrivilege	4936	agentServer.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2036	1232	file.exe	83
PID 1232 wrote to memory of 2036	1232	file.exe	83
PID 1232 wrote to memory of 2036	1232	file.exe	83
PID 2036 wrote to memory of 1536	2036	1.exe	84
PID 2036 wrote to memory of 1536	2036	1.exe	84
PID 2036 wrote to memory of 1536	2036	1.exe	84
PID 1536 wrote to memory of 4804	1536	WScript.exe	85
PID 1536 wrote to memory of 4804	1536	WScript.exe	85
PID 1536 wrote to memory of 4804	1536	WScript.exe	85
PID 4804 wrote to memory of 4936	4804	cmd.exe	87
PID 4804 wrote to memory of 4936	4804	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\Temp\1.exe
  "C:\Windows\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\JMhHId60mgylcyV8.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\veSiBgqprE9pIRxQbQFRfuR.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\JMhHId60mgylcyV8.vbe

Filesize
227B

MD5
7b5ec169be1f73f299d40e1247427cd8

SHA1
9fb4e52746987b9f2564d08fc30101e1696fe034

SHA256
3f2e3be75cac246172191c2ccd1fff4dd8a4dda53baa84b8347c50ace78c7d11

SHA512
c9d08a76ffa27b7a76e44f4109c4e9d591a85d0061980650cfaddf12f27d079f6f773514d1145faddeb25e7f0f9f549d1ee95a773a23a3ff5c10cc9459c513ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe

Filesize
1.7MB

MD5
e4a21433249462360678d10cd22b3316

SHA1
e52643733d330aa5a388847a363d1e547f534156

SHA256
f63b171d539913a0ff31df9872cc082c680c56edf95f61c99f08362054c4482d

SHA512
292f95f4f875bd72ccf8196ced227a0d72e49c94050770f739c6984e4dc26cb3048a77c3bc6ee504b9a36c10545339759f3302f980e1c56293e5f990ef0545d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe

Filesize
1.7MB

MD5
e4a21433249462360678d10cd22b3316

SHA1
e52643733d330aa5a388847a363d1e547f534156

SHA256
f63b171d539913a0ff31df9872cc082c680c56edf95f61c99f08362054c4482d

SHA512
292f95f4f875bd72ccf8196ced227a0d72e49c94050770f739c6984e4dc26cb3048a77c3bc6ee504b9a36c10545339759f3302f980e1c56293e5f990ef0545d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\veSiBgqprE9pIRxQbQFRfuR.bat

Filesize
48B

MD5
9ab646ca1ef6e402e57d0027bce41104

SHA1
8d8ec9bd07764b2a21121b620abcbd9e4a9cdc72

SHA256
7dd0dcbc4ece8af21597c712e241648580a6781b32267d21e1b899b9ad1b258f

SHA512
5e10b2a62e89c9312849a8bde48e593de5a1fa619d94cfd294e87c138d5de92fc0061937db7315b9b40335957e55e8956d851389cd12ac62f6e67ffb18748ff2

Download Submit
C:\Windows\Temp\1.exe

Filesize
2.0MB

MD5
f87bfad050b6fd8370b86850449d329d

SHA1
4da443e9e066c62b7025360938c51baece146197

SHA256
d0e786e10bbbd7d60f6594f05c554a9c37d256d20bc1a4901c27f440fbd9f823

SHA512
138994f93d15ea2bba66e20177510b653f9bd05db9b288a0b00e03ace5b60df2025c0b81cd76eaa7d2650b6e8c9826d25e4f75ded2ea60398da45902b04deba0

Download Submit
C:\Windows\Temp\1.exe

Filesize
2.0MB

MD5
f87bfad050b6fd8370b86850449d329d

SHA1
4da443e9e066c62b7025360938c51baece146197

SHA256
d0e786e10bbbd7d60f6594f05c554a9c37d256d20bc1a4901c27f440fbd9f823

SHA512
138994f93d15ea2bba66e20177510b653f9bd05db9b288a0b00e03ace5b60df2025c0b81cd76eaa7d2650b6e8c9826d25e4f75ded2ea60398da45902b04deba0

Download Submit
memory/1232-132-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/4936-143-0x00000000008E0000-0x0000000000A94000-memory.dmp

Filesize
1.7MB

Download
memory/4936-144-0x00007FFF7BA50000-0x00007FFF7C511000-memory.dmp

Filesize
10.8MB

Download
memory/4936-145-0x00007FFF7BA50000-0x00007FFF7C511000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing