dcrat | b031e7786adbf73be86bcf7c89adac3cb4ff7034ec748872fd242c35d08a3468

General

Target

85397fd676a86cbf030d3abc21b602dd.exe
Size

1.7MB
MD5

85397fd676a86cbf030d3abc21b602dd
SHA1

6394b58e88a587eb164797a543c14922a0803768
SHA256

b031e7786adbf73be86bcf7c89adac3cb4ff7034ec748872fd242c35d08a3468
SHA512

9baee9d49aecb77ef7568562d2d802988e1382f783fda5d3f0a07d01f12e3722bcd548621e8ab9234a05f2e2767512d122db3da3e51fd15f7e10aac0ec01f6cc
SSDEEP

49152:SMKDsLRSSjyA9mg8QMBahc/L2Ud4A/g+c:KMRS+95MBaGL2U2AA

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00090000000130e0-61.dat	dcrat
behavioral1/memory/340-65-0x00000000013A0000-0x00000000014AA000-memory.dmp	dcrat
behavioral1/files/0x00090000000130e0-63.dat	dcrat

Executes dropped EXE 3 IoCs

pid	Process
340	websaves.exe
1020	VsDlx_reg.exe
900	COM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\COM.exe	85397fd676a86cbf030d3abc21b602dd.exe
File created	C:\Windows\websaves.exe	85397fd676a86cbf030d3abc21b602dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
288	900	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
856	powershell.exe
900	COM.exe
900	COM.exe
900	COM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	85397fd676a86cbf030d3abc21b602dd.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1020	VsDlx_reg.exe
Token: SeDebugPrivilege	900	COM.exe
Token: SeDebugPrivilege	340	websaves.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 856	1616	85397fd676a86cbf030d3abc21b602dd.exe	27
PID 1616 wrote to memory of 856	1616	85397fd676a86cbf030d3abc21b602dd.exe	27
PID 1616 wrote to memory of 856	1616	85397fd676a86cbf030d3abc21b602dd.exe	27
PID 1616 wrote to memory of 340	1616	85397fd676a86cbf030d3abc21b602dd.exe	29
PID 1616 wrote to memory of 340	1616	85397fd676a86cbf030d3abc21b602dd.exe	29
PID 1616 wrote to memory of 340	1616	85397fd676a86cbf030d3abc21b602dd.exe	29
PID 1616 wrote to memory of 1020	1616	85397fd676a86cbf030d3abc21b602dd.exe	30
PID 1616 wrote to memory of 1020	1616	85397fd676a86cbf030d3abc21b602dd.exe	30
PID 1616 wrote to memory of 1020	1616	85397fd676a86cbf030d3abc21b602dd.exe	30
PID 1616 wrote to memory of 900	1616	85397fd676a86cbf030d3abc21b602dd.exe	31
PID 1616 wrote to memory of 900	1616	85397fd676a86cbf030d3abc21b602dd.exe	31
PID 1616 wrote to memory of 900	1616	85397fd676a86cbf030d3abc21b602dd.exe	31
PID 900 wrote to memory of 288	900	COM.exe	32
PID 900 wrote to memory of 288	900	COM.exe	32
PID 900 wrote to memory of 288	900	COM.exe	32

C:\Users\Admin\AppData\Local\Temp\85397fd676a86cbf030d3abc21b602dd.exe
"C:\Users\Admin\AppData\Local\Temp\85397fd676a86cbf030d3abc21b602dd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcABuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYgB0ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\websaves.exe
  "C:\Windows\websaves.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe
  "C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\COM.exe
  "C:\Windows\COM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 900 -s 108344
    3⤵
    - Program crash
    PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe

Filesize
392KB

MD5
631210f9a7095d5fd531b60bc0cbdb18

SHA1
6b5b8d9c42c9424606e09bc67cbf63bd16f28226

SHA256
eded810fab6e8e234bdcabedf6d9634d8cf5f06aa5dbf09f74d67ae4e5c922a3

SHA512
06e9eec8debcb09fa1e0582c8274c73ed923e0025ce45590a3653102a8ca45bd8314c988d4eb33d17fbcd799a3d4be107c01050cd58e6c7ceac93c7bea0bf808

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe

Filesize
392KB

MD5
631210f9a7095d5fd531b60bc0cbdb18

SHA1
6b5b8d9c42c9424606e09bc67cbf63bd16f28226

SHA256
eded810fab6e8e234bdcabedf6d9634d8cf5f06aa5dbf09f74d67ae4e5c922a3

SHA512
06e9eec8debcb09fa1e0582c8274c73ed923e0025ce45590a3653102a8ca45bd8314c988d4eb33d17fbcd799a3d4be107c01050cd58e6c7ceac93c7bea0bf808

Download Submit
C:\Windows\COM.exe

Filesize
298KB

MD5
deb21814dd77173ca8cd236092a66180

SHA1
7ba9529517ccde96f052d36035456809cc2fe0d9

SHA256
c42b2b656dc3acce25058dbdb73738477ab2589042192faddd26ed2acbf1ad55

SHA512
7eb34ba13822fed57c38d645afa7a4b950ef729439531cab7a2e02133891de21ade25b76088e56789fcdf9c0a14f9c0981b11ce8edb0ffa99a9e06278779bae6

Download Submit
C:\Windows\COM.exe

Filesize
298KB

MD5
deb21814dd77173ca8cd236092a66180

SHA1
7ba9529517ccde96f052d36035456809cc2fe0d9

SHA256
c42b2b656dc3acce25058dbdb73738477ab2589042192faddd26ed2acbf1ad55

SHA512
7eb34ba13822fed57c38d645afa7a4b950ef729439531cab7a2e02133891de21ade25b76088e56789fcdf9c0a14f9c0981b11ce8edb0ffa99a9e06278779bae6

Download Submit
C:\Windows\websaves.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
C:\Windows\websaves.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
memory/340-96-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/340-83-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/340-107-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/340-98-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/340-106-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/340-102-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/340-86-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/340-65-0x00000000013A0000-0x00000000014AA000-memory.dmp

Filesize
1.0MB

Download
memory/856-81-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/856-71-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/856-82-0x000000000273B000-0x0000000002772000-memory.dmp

Filesize
220KB

Download
memory/856-73-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/856-72-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/900-80-0x0000000000BA0000-0x0000000000BF4000-memory.dmp

Filesize
336KB

Download
memory/900-105-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/900-108-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/1020-74-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1616-69-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/1616-54-0x0000000000070000-0x0000000000230000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing