dcrat | c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2

General

Target

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe
Size

5.7MB
MD5

9ca968e7fe7c40a6324e047ccca6a7d6
SHA1

c48a0f1bbcf242e50b5239c72bfcd32dd64eaad7
SHA256

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2
SHA512

9e33e3584dacc531516bb98ead6a151c250c82f3518d2b3c44347ed2fee2f99285457f9a1d8752bc06ea48dfee267a07a4ce834d7155766352930bcc65c34b98
SSDEEP

98304:ZTEWU8jUj8sS/MZIZPP0G/tY1QWDIJbjRH5ux9fgAfBmRGUU3CF/5NCDNxX5EGVE:pUlIsGMZEP8G/tmQGyjRUx9hBmUeIFC1

Score

10^/10

dcrat evasion infostealer rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1788-59-0x00000000011F0000-0x0000000001E3C000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1788-59-0x00000000011F0000-0x0000000001E3C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

pid process

1788 c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

pid	process
1788	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0FD86CD1-9FF1-11ED-9AD4-7A3897842414} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d1bbe3598fa77741a756f8643026417f000000000200000000001066000000010000200000008f3453ac9ba9ce628bf4a9ac6e3862a4d64b6e494d5196c0cd2a2dea7ecc5d82000000000e80000000020000200000007f519a5f8808093eb191bfe5035352f543ea12c2c3d32729c83e50d6310143b9200000009c630476f090202e0937703d44c93c1185b309c99f3cadc7f84fc08a84bb01fc400000006b77a1004fd4d959bb0fd208aeda74bbd2a03fe7bfeb6c0a0aabfc88da1b23230a8ef90d191ab097888e728921f1400eb9abfc6c2031ad7fa2cea819af73ac4f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d087fceefd33d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d1bbe3598fa77741a756f8643026417f000000000200000000001066000000010000200000009c2991cf313909de27f0362522da72977ee9b0aa96dd2d5008b239b8274c2d76000000000e800000000200002000000056cef50ac4af052458d6a8f0c4a628e8ebed54a270d785983eb189fc80308fa69000000013955cd6a9a044dbea9610697eaa672befe0481a0d8f33e78c3233ecf08211a055d5500ddf02c3d7b3bce981e5305972c2f46defbc8d7d4e292f76a5968cf7f68d31704849e018f4d9b9de5817888d346bf0db1e25786c20554896ffb93de5b122866b83c1e3a350c944218b7928edae5fc75d8de6f04b17435ff225956a9231d2bf0e23176fb1bc4b466268f3c84f05400000009b502729cd24926ae1336538b255fb5a0016d87971b2de555e051819d52d46d269ad982fc741665e59ca269b732541ea99d79563ccf1a694e6a8dbd5e3ce4c65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381774299"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1076 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1076 iexplore.exe
1076 iexplore.exe
948 IEXPLORE.EXE
948 IEXPLORE.EXE
948 IEXPLORE.EXE
948 IEXPLORE.EXE

pid	process
1076	iexplore.exe

pid	process
1076	iexplore.exe
1076	iexplore.exe
948	IEXPLORE.EXE
948	IEXPLORE.EXE
948	IEXPLORE.EXE
948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exeiexplore.exe

description	pid	process	target process
PID 1788 wrote to memory of 1076	1788	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe	iexplore.exe
PID 1788 wrote to memory of 1076	1788	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe	iexplore.exe
PID 1788 wrote to memory of 1076	1788	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe	iexplore.exe
PID 1788 wrote to memory of 1076	1788	c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe	iexplore.exe
PID 1076 wrote to memory of 948	1076	iexplore.exe	IEXPLORE.EXE
PID 1076 wrote to memory of 948	1076	iexplore.exe	IEXPLORE.EXE
PID 1076 wrote to memory of 948	1076	iexplore.exe	IEXPLORE.EXE
PID 1076 wrote to memory of 948	1076	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe
"C:\Users\Admin\AppData\Local\Temp\c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=c1d0b2c516e0ccd591338611ec76efb6c26ba1731de37c50c7c443bdb027c2a2.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0X1KZSGR.txt

Filesize
607B

MD5
6aaf0e437c9dcb8b4a951b720777534e

SHA1
770429bb6d016a7f94cb712184287b64c75acb0c

SHA256
5a76e19c0a9180da924142213f772bc21c66cdad5df6f35bbfec9926dea1b91f

SHA512
443d220dd9a7f16b9e2ca11f77206ae468aacaac4699349cbafc717d59a097b526d23ba566b6ac0037bc5770baf5999fef4ec714691554f9701e103675a023a5

Download Submit
memory/1788-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1788-55-0x00000000011F0000-0x0000000001E3C000-memory.dmp

Filesize
12.3MB

Download
memory/1788-56-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/1788-59-0x00000000011F0000-0x0000000001E3C000-memory.dmp

Filesize
12.3MB

Download
memory/1788-60-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads