dcrat | 4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126

General

Target

4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe
Size

832KB
MD5

bc0f8f7740713764c8e9b5a1127dd7ae
SHA1

aa67944def3b367f8357d9d1e180cb4ee84cb85d
SHA256

4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126
SHA512

a4bc31e09c8e974f92c8ee17b234351e760b2c624e1ff50228b8cdc6b3cfbd30ff4f60bff9e7bee56649baa557ab1eec76c9daad3deaa8c082db4a1aa9965b70
SSDEEP

12288:0Qnk3GDYKGcblwtX+t4Y8+oDfMEztc4HNGMfla1ymqwwl5Mn/EsxADu/gB5:IAOcZwXYKDfpZVoM9a15ujMn/Es8MK

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\dllbroker\fontbroker.exe	dcrat
C:\dllbroker\fontbroker.exe	dcrat
behavioral2/memory/3128-146-0x000002B48AA30000-0x000002B48AA92000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

sTQcnHgqkFqgW6KikWbA.exefontbroker.exe

pid process

1476 sTQcnHgqkFqgW6KikWbA.exe
3128 fontbroker.exe

pid	process
1476	sTQcnHgqkFqgW6KikWbA.exe
3128	fontbroker.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exeWScript.exesTQcnHgqkFqgW6KikWbA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	sTQcnHgqkFqgW6KikWbA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exesTQcnHgqkFqgW6KikWbA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	sTQcnHgqkFqgW6KikWbA.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fontbroker.exe

pid process

3128 fontbroker.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fontbroker.exe

description pid process

Token: SeDebugPrivilege 3128 fontbroker.exe

pid	process
3128	fontbroker.exe

description	pid	process
Token: SeDebugPrivilege	3128	fontbroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exeWScript.execmd.exesTQcnHgqkFqgW6KikWbA.exeWScript.execmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 2412	1684	4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe	WScript.exe
PID 1684 wrote to memory of 2412	1684	4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe	WScript.exe
PID 1684 wrote to memory of 2412	1684	4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe	WScript.exe
PID 2412 wrote to memory of 5060	2412	WScript.exe	cmd.exe
PID 2412 wrote to memory of 5060	2412	WScript.exe	cmd.exe
PID 2412 wrote to memory of 5060	2412	WScript.exe	cmd.exe
PID 5060 wrote to memory of 1476	5060	cmd.exe	sTQcnHgqkFqgW6KikWbA.exe
PID 5060 wrote to memory of 1476	5060	cmd.exe	sTQcnHgqkFqgW6KikWbA.exe
PID 5060 wrote to memory of 1476	5060	cmd.exe	sTQcnHgqkFqgW6KikWbA.exe
PID 1476 wrote to memory of 4576	1476	sTQcnHgqkFqgW6KikWbA.exe	WScript.exe
PID 1476 wrote to memory of 4576	1476	sTQcnHgqkFqgW6KikWbA.exe	WScript.exe
PID 1476 wrote to memory of 4576	1476	sTQcnHgqkFqgW6KikWbA.exe	WScript.exe
PID 4576 wrote to memory of 536	4576	WScript.exe	cmd.exe
PID 4576 wrote to memory of 536	4576	WScript.exe	cmd.exe
PID 4576 wrote to memory of 536	4576	WScript.exe	cmd.exe
PID 536 wrote to memory of 3128	536	cmd.exe	fontbroker.exe
PID 536 wrote to memory of 3128	536	cmd.exe	fontbroker.exe

C:\Users\Admin\AppData\Local\Temp\4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe
"C:\Users\Admin\AppData\Local\Temp\4bf66c5c07f5443ef92f6dee5c20570c8e5a32b33ef2b9aab633835ffc88c126.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\dllbroker\Tg6tkrBsHK892w2H04wPpqVDByTcfn.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\dllbroker\vNAIwzflRqIjbpK6yShwXvE2hoLO0Z.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\dllbroker\sTQcnHgqkFqgW6KikWbA.exe
sTQcnHgqkFqgW6KikWbA.exe -p34515be6cd9aa98f3abdb61718afef9bfb6828db
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\dllbroker\d8dlK3fuQFeiKzVzYhvkyWvG638kFf.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\dllbroker\kAaek7ytGIaqMDSe8tlRsLXdgb6Qd3.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\dllbroker\fontbroker.exe
"C:\dllbroker\fontbroker.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dllbroker\Tg6tkrBsHK892w2H04wPpqVDByTcfn.vbe

Filesize
145B

MD5
3642fae19edfef4cabbd47fdbd7ce418

SHA1
0c5fc5d00c868b038f93e2a4919aeb58078ed8b6

SHA256
cb532561ef309b3f381cdb51308c7a422e45b6361798fa28d6b33b57569727cc

SHA512
2b28b93c6cc4b4cc7214f1f5a289ceecb81121b7756bbebf23b1e4ada2da045fd272b0f804008774caa2427830b7685a903740e7fe7cda880e658bb73f300683

Download Submit
C:\dllbroker\d8dlK3fuQFeiKzVzYhvkyWvG638kFf.vbe

Filesize
221B

MD5
3b2a1c3154e53b22d8f4a9ec925cb3ba

SHA1
1353f6629d4fd33b3c627b7f4986b52cbd3517d3

SHA256
4c6df0d5cb64b956cca4c2c04ea50e8bf72f4dd1b756d8960fefebab56f4d67e

SHA512
2e3f1f62b38c5c1d681daa08d0a573848d7acab2facf7d81b9a2fa34d87a3152832851b12cfa2c617883b478cc8ebf037dfa8d92da61bbcfcbdfd98d0e18d0f6

Download Submit
C:\dllbroker\fontbroker.exe

Filesize
363KB

MD5
65b9a4355922a449781ac7559fc619a3

SHA1
774700fee2d0412c1f9428005e44318435d3742f

SHA256
011e9ecf84c325ea7acde6d4a4839f70c8aa128ad64a681b3f29d6461e1159ee

SHA512
79b230a61c8a3697752899747285b17a2238508b5597c4b723bebcea8cf99e6afd6448978a4d98bd9599c9a564d745e56bd12c1a24fa0ac8b7fd44407335a19a

Download Submit
C:\dllbroker\fontbroker.exe

Filesize
363KB

MD5
65b9a4355922a449781ac7559fc619a3

SHA1
774700fee2d0412c1f9428005e44318435d3742f

SHA256
011e9ecf84c325ea7acde6d4a4839f70c8aa128ad64a681b3f29d6461e1159ee

SHA512
79b230a61c8a3697752899747285b17a2238508b5597c4b723bebcea8cf99e6afd6448978a4d98bd9599c9a564d745e56bd12c1a24fa0ac8b7fd44407335a19a

Download Submit
C:\dllbroker\kAaek7ytGIaqMDSe8tlRsLXdgb6Qd3.bat

Filesize
29B

MD5
cf078351920dbe71ed7e820531d7fcf9

SHA1
ffd7815ada278ce2c52193fa7a018e08ae0ef107

SHA256
289c4fe6d2ae4ad4130145db71f8dad33a9532e968964d06d38dbb615aedceec

SHA512
27b9219b51c563d758eaf28d0dc7025bc6218b74bb679d00ff8e4201eea00417de3ae6102619a68fd54923d2bb026b53ec251e470970338c97e06f6d84665f31

Download Submit
C:\dllbroker\sTQcnHgqkFqgW6KikWbA.exe

Filesize
668KB

MD5
11e60c7252c52eda9c9e15b82cd88721

SHA1
b81101afa0fb126732523099e8731db8addac2de

SHA256
35a110dc514080379c6cd4633d24b744526ac077c917b48b10a506e3b6c43077

SHA512
7f8c228eaeff079dbc1f7c87e7e408aba4d6d303625bf2a72e8c63cf37c83b24ac8082a4575d4ab3afe7054744270020daa172b18102a3ac17a603af5718db91

Download Submit
C:\dllbroker\sTQcnHgqkFqgW6KikWbA.exe

Filesize
668KB

MD5
11e60c7252c52eda9c9e15b82cd88721

SHA1
b81101afa0fb126732523099e8731db8addac2de

SHA256
35a110dc514080379c6cd4633d24b744526ac077c917b48b10a506e3b6c43077

SHA512
7f8c228eaeff079dbc1f7c87e7e408aba4d6d303625bf2a72e8c63cf37c83b24ac8082a4575d4ab3afe7054744270020daa172b18102a3ac17a603af5718db91

Download Submit
C:\dllbroker\vNAIwzflRqIjbpK6yShwXvE2hoLO0Z.bat

Filesize
668B

MD5
56038362e5a486e2590fc5fec898b1c7

SHA1
a335cf9f7597f8a91d250bb7c295fcfe7ac4a3d1

SHA256
8e6a554199a290870cc98ff91ee97d6b3cddd167379de90902566e5de4141868

SHA512
d9921803458fdc350501e899d55192129a99aba2c9b2e7555c321e0ed19362a4e0f76b96ade7e8c863bca1c48067b3ee3791a14ddca4fe3ee810907a0abd7f42

Download Submit
memory/536-142-0x0000000000000000-mapping.dmp

Download
memory/1476-136-0x0000000000000000-mapping.dmp

Download
memory/2412-132-0x0000000000000000-mapping.dmp

Download
memory/3128-143-0x0000000000000000-mapping.dmp

Download
memory/3128-146-0x000002B48AA30000-0x000002B48AA92000-memory.dmp

Filesize
392KB

Download
memory/3128-147-0x00007FF9C6D00000-0x00007FF9C77C1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-148-0x00007FF9C6D00000-0x00007FF9C77C1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-149-0x00007FF9C6D00000-0x00007FF9C77C1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-139-0x0000000000000000-mapping.dmp

Download
memory/5060-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads