dcrat | 5cd85b152bcf8d7766a44d2e09081e97c797fa1f8c605aeb32a572944256acb1

Analysis

max time kernel
49s
max time network
52s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
25-01-2023 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.6MB
MD5

b9bf48563c4adea08f8305c8a775b19b
SHA1

1a904599b55f558c1921557742c1a6139f83ccd1
SHA256

5cd85b152bcf8d7766a44d2e09081e97c797fa1f8c605aeb32a572944256acb1
SHA512

98492d1105eca16bb98c01935eb810ecd28880fbdbc1e641ed264692df0703c15ed0b5ead7ddc1cb5b1c79b8b78195aaef8ab11a5064b3a111adb473acfcd357
SSDEEP

24576:U2G/nvxW3Ww0t8Zpg0RDNJ1rYIyjEKBNrYM8gDw2135+pQpIy/HnRuWJSq:UbA30mTLtrSr1cG3Qalnkgn

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Blockcomdhcp\Containeragentsaves.exe	dcrat
C:\Blockcomdhcp\Containeragentsaves.exe	dcrat
behavioral1/memory/3424-286-0x0000000000320000-0x0000000000472000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Containeragentsaves.exe

pid process

3424 Containeragentsaves.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

DCRatBuild.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings DCRatBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Containeragentsaves.exe

description pid process

Token: SeDebugPrivilege 3424 Containeragentsaves.exe

pid	process
3424	Containeragentsaves.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DCRatBuild.exe

description	pid	process
Token: SeDebugPrivilege	3424	Containeragentsaves.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DCRatBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 2412 wrote to memory of 1884	2412	DCRatBuild.exe	WScript.exe
PID 2412 wrote to memory of 1884	2412	DCRatBuild.exe	WScript.exe
PID 2412 wrote to memory of 1884	2412	DCRatBuild.exe	WScript.exe
PID 1884 wrote to memory of 1372	1884	WScript.exe	cmd.exe
PID 1884 wrote to memory of 1372	1884	WScript.exe	cmd.exe
PID 1884 wrote to memory of 1372	1884	WScript.exe	cmd.exe
PID 1372 wrote to memory of 3424	1372	cmd.exe	Containeragentsaves.exe
PID 1372 wrote to memory of 3424	1372	cmd.exe	Containeragentsaves.exe

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Blockcomdhcp\1z1MVZDmqXnM3rqjFd3shGjUL1e.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Blockcomdhcp\D3yK3jRsKQo3ViPT1.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Blockcomdhcp\Containeragentsaves.exe
"C:\Blockcomdhcp\Containeragentsaves.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Blockcomdhcp\1z1MVZDmqXnM3rqjFd3shGjUL1e.vbe
Filesize
206B

MD5
e1c1c90e5c5bb4ece4f90435fc1104b4

SHA1
89f676571d3005529558b9500a9a27411cefa3c4

SHA256
25eebc284f20cb5492ee4ccbef21573770b728a639f4601cfdec58b9862ad670

SHA512
bae0d432ceb23488430adc2e844ed0802647dc1373d8ec2f661cbad90f4ab1ecf8ffa7a0ac141a653d5f25183c17e4faa468c4f8ec33e2d2829831fa34cd7020

Download Submit
C:\Blockcomdhcp\Containeragentsaves.exe
Filesize
1.3MB

MD5
96a0193c62d478cf2a254eb25247d36c

SHA1
87159c8fd5cbe740d3659a1de5c6effc3983eddc

SHA256
8e4837a8bb1c86ced4a241601756394a1675a7ea52b4e059321d29acec920989

SHA512
35d2dc8496485f5582efcdff73aa6f6d262f66bb006e00fca3a1a60861c1e910e31a9af89417d2ac4de60c2cad89070d90ff0850076e8c5600cc861e322d10f7

Download Submit
C:\Blockcomdhcp\Containeragentsaves.exe
Filesize
1.3MB

MD5
96a0193c62d478cf2a254eb25247d36c

SHA1
87159c8fd5cbe740d3659a1de5c6effc3983eddc

SHA256
8e4837a8bb1c86ced4a241601756394a1675a7ea52b4e059321d29acec920989

SHA512
35d2dc8496485f5582efcdff73aa6f6d262f66bb006e00fca3a1a60861c1e910e31a9af89417d2ac4de60c2cad89070d90ff0850076e8c5600cc861e322d10f7

Download Submit
C:\Blockcomdhcp\D3yK3jRsKQo3ViPT1.bat
Filesize
41B

MD5
409f4308cdbebd408c94bba4d607ff7b

SHA1
5387bd3ae961b859bd66135fbc9a7aefa7523943

SHA256
23003a1de133340b2efef393f0ec343fad75a08054e61d5ebaa03e4ec36fcae1

SHA512
18f5552f2c5006f0ac6b027468f51ce6c146f75d5f11cf5a44b954968352c792886c29d471393a33d71eec5a2ed96a370ca75bfd504cf2fc8c7b41fd70b655e5

Download Submit
memory/1372-260-0x0000000000000000-mapping.dmp

Download
memory/1884-184-0x0000000000000000-mapping.dmp

Download
memory/1884-185-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/1884-186-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-153-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-138-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-126-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-128-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-129-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-157-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-131-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-132-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-133-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-134-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-135-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-136-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-137-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-158-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-139-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-140-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-141-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-142-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-143-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-144-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-145-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-146-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-147-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-148-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-149-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-159-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-151-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-152-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-123-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-154-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-155-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-156-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-130-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-125-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-150-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-160-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-161-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-162-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-163-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-164-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-165-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-166-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-167-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-168-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-169-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-170-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-171-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-172-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-173-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-174-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-175-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-176-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-177-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-178-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-122-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-179-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-180-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-181-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-182-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-183-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-120-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-121-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/3424-283-0x0000000000000000-mapping.dmp

Download
memory/3424-286-0x0000000000320000-0x0000000000472000-memory.dmp

Filesize
1.3MB

Download
memory/3424-287-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download