dcrat | 00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325

General

Target

file.exe
Size

1.8MB
MD5

c2d98ce6d441b79d1ec3d50376b46b9a
SHA1

0854d68bf709c0a423e47c63eb0b6e9726c9c08f
SHA256

00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325
SHA512

459b5c85d4a29bd37b7e7697054cd0045df6a2eb6b8976ac5cce8e3a89eb93ca20e65636611534a383eae7e42c7117756665179780f0e85fb14d513d10dde13f
SSDEEP

49152:wkQTAUs8KECSOKf6n3C1s13gvSorrzsAf9yWU5:waCBOfICQvDrEAfwWU5

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\Temp\1.exe	dcrat
C:\Windows\Temp\1.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe	dcrat
behavioral2/memory/116-143-0x00000000009A0000-0x0000000000B64000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

1.exeagentServer.exe

pid process

4368 1.exe
116 agentServer.exe

pid	process
4368	1.exe
116	agentServer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exefile.exe1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

1.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings 1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exeagentServer.exe

description pid process

Token: SeDebugPrivilege 4676 file.exe
Token: SeDebugPrivilege 116 agentServer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	1.exe

description	pid	process
Token: SeDebugPrivilege	4676	file.exe
Token: SeDebugPrivilege	116	agentServer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

file.exe1.exeWScript.execmd.exe

description	pid	process	target process
PID 4676 wrote to memory of 4368	4676	file.exe	1.exe
PID 4676 wrote to memory of 4368	4676	file.exe	1.exe
PID 4676 wrote to memory of 4368	4676	file.exe	1.exe
PID 4368 wrote to memory of 392	4368	1.exe	WScript.exe
PID 4368 wrote to memory of 392	4368	1.exe	WScript.exe
PID 4368 wrote to memory of 392	4368	1.exe	WScript.exe
PID 392 wrote to memory of 4988	392	WScript.exe	cmd.exe
PID 392 wrote to memory of 4988	392	WScript.exe	cmd.exe
PID 392 wrote to memory of 4988	392	WScript.exe	cmd.exe
PID 4988 wrote to memory of 116	4988	cmd.exe	agentServer.exe
PID 4988 wrote to memory of 116	4988	cmd.exe	agentServer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\x1j7cF9kcN8pqeKG.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\siisuPTUTbkLrYbSx0rFkkTlZVh.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
"C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
Filesize
1.7MB

MD5
30fb2a1f02123032ff27d37353cbbd67

SHA1
f8c229f0b3b23d3131be7bc35867b478676aef50

SHA256
cb05b0d5108bb05b57e68b8e12bba7cc7f22d461558dbd22f9be3430127976de

SHA512
53a5b66374f8cebbdbf120930d94d2b99b3813f95ce8820d04ba4199d98372f98043e47060a78e2861ac0d1caa9d5a94b7fdf6de25fd8f245e6dc3b192acaa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
Filesize
1.7MB

MD5
30fb2a1f02123032ff27d37353cbbd67

SHA1
f8c229f0b3b23d3131be7bc35867b478676aef50

SHA256
cb05b0d5108bb05b57e68b8e12bba7cc7f22d461558dbd22f9be3430127976de

SHA512
53a5b66374f8cebbdbf120930d94d2b99b3813f95ce8820d04ba4199d98372f98043e47060a78e2861ac0d1caa9d5a94b7fdf6de25fd8f245e6dc3b192acaa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\siisuPTUTbkLrYbSx0rFkkTlZVh.bat
Filesize
48B

MD5
9ab646ca1ef6e402e57d0027bce41104

SHA1
8d8ec9bd07764b2a21121b620abcbd9e4a9cdc72

SHA256
7dd0dcbc4ece8af21597c712e241648580a6781b32267d21e1b899b9ad1b258f

SHA512
5e10b2a62e89c9312849a8bde48e593de5a1fa619d94cfd294e87c138d5de92fc0061937db7315b9b40335957e55e8956d851389cd12ac62f6e67ffb18748ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\x1j7cF9kcN8pqeKG.vbe
Filesize
231B

MD5
ed62e680eec74b04138d15259ad35814

SHA1
05e048618c085e9f7c7de400507339c52bbdcc99

SHA256
7775b76ed99205dbbb58e7346077c466a14c385ee195fc8ba0e5a46a3c3f56f4

SHA512
007ba0a7173e057d4ac196ad7dafbb91f3a07ba4c1150eee541dbc07d173e5aa42aee0e26faf270fd7d1f5ad80d941f82556d986d32c06814cadbb919fcbd1e5

Download Submit
C:\Windows\Temp\1.exe
Filesize
2.0MB

MD5
8c2bfaedee15c793704661073648516d

SHA1
659f9362eb4e4b8212e5195c8953a51bfd5b918b

SHA256
607e3ed8d528f4bfeac6f591e588b6aa35f04e70898d535935e5f6d318d648ff

SHA512
ccca3dcbd57003de418c688fe9cc307ff4a0fd35bbe02c36de1b066b19414029cc9a8bafd891f789d468585a46a8ff8dd0c079827eb51c558524c6f0aea64c0a

Download Submit
C:\Windows\Temp\1.exe
Filesize
2.0MB

MD5
8c2bfaedee15c793704661073648516d

SHA1
659f9362eb4e4b8212e5195c8953a51bfd5b918b

SHA256
607e3ed8d528f4bfeac6f591e588b6aa35f04e70898d535935e5f6d318d648ff

SHA512
ccca3dcbd57003de418c688fe9cc307ff4a0fd35bbe02c36de1b066b19414029cc9a8bafd891f789d468585a46a8ff8dd0c079827eb51c558524c6f0aea64c0a

Download Submit
memory/116-140-0x0000000000000000-mapping.dmp

Download
memory/116-143-0x00000000009A0000-0x0000000000B64000-memory.dmp

Filesize
1.8MB

Download
memory/116-144-0x00007FFC3A4A0000-0x00007FFC3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/116-145-0x00007FFC3A4A0000-0x00007FFC3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/392-136-0x0000000000000000-mapping.dmp

Download
memory/4368-133-0x0000000000000000-mapping.dmp

Download
memory/4676-132-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/4988-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads