dcrat | 15443c40e026f2aed7f025261a8e3a0d25ac8b2160df15f8cf40206c80eca148

General

Target

HeInstaller.exe
Size

46.7MB
MD5

36b72eb9b84d29b97dc67493144d281d
SHA1

87ed47da38b5c2a8b3564aaba5d92391900f7c12
SHA256

15443c40e026f2aed7f025261a8e3a0d25ac8b2160df15f8cf40206c80eca148
SHA512

c4388f41362093049b354b0baa602605983392b7eea71d507edb9ec4072f500740b8903ffaa0dbe78d3f03ffa938096b1afa88aaec34f78719c70f1b0d3e923c
SSDEEP

786432:lw6mZpUq1siz8tvboefpnP/fnhzs9A22yvBmVT6tcKYocMerZbvF9CfzameBGNv0:e6QUy8tvtfpn3fh42yvBqPr9v3C7ameP

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2044-107-0x0000000000400000-0x00000000004CE000-memory.dmp	dcrat
behavioral2/memory/2044-113-0x0000000000400000-0x00000000004CE000-memory.dmp	dcrat
behavioral2/memory/2044-114-0x0000000000400000-0x00000000004CE000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

EBZfayui1.exe

pid process

688 EBZfayui1.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

1184
1184
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

EBZfayui1.exe

description pid process target process

PID 688 set thread context of 2044 688 EBZfayui1.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
688	EBZfayui1.exe

pid	process
1184
1184

description	pid	process	target process
PID 688 set thread context of 2044	688	EBZfayui1.exe	vbc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

HeInstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	HeInstaller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

2044 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HeInstaller.exe

pid process

1524 HeInstaller.exe

pid	process
2044	vbc.exe

pid	process
1524	HeInstaller.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AUDIODG.EXEvbc.exe

description	pid	process
Token: 33	2004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2004	AUDIODG.EXE
Token: 33	2004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2004	AUDIODG.EXE
Token: SeDebugPrivilege	2044	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

HeInstaller.exe

pid process

1524 HeInstaller.exe
1524 HeInstaller.exe

pid	process
1524	HeInstaller.exe
1524	HeInstaller.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EBZfayui1.exe

description	pid	process	target process
PID 688 wrote to memory of 2044	688	EBZfayui1.exe	vbc.exe
PID 688 wrote to memory of 2044	688	EBZfayui1.exe	vbc.exe
PID 688 wrote to memory of 2044	688	EBZfayui1.exe	vbc.exe
PID 688 wrote to memory of 2044	688	EBZfayui1.exe	vbc.exe
PID 688 wrote to memory of 2044	688	EBZfayui1.exe	vbc.exe
PID 688 wrote to memory of 2044	688	EBZfayui1.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe
"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe

Filesize
822KB

MD5
811faae91071bb739c2f18b0802d0a41

SHA1
b7ae85e0d7935254521cf8aca99ac6f2c67c9086

SHA256
709b00ad6afcc2940706acc2f65095130ef9df7bb0fbd444c327b0c97971c29d

SHA512
d6cca56185f1d1b0d357f0f7ab2b633268e2a45d8bbd31c8d399b175b5e61e9930b27bb3da93913a6a76bb686d40027811dc8dec5ec40a3cf6dbd0ff579c872c

Download Submit
\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe

Filesize
4.6MB

MD5
fab2cc9e8a64f905fb0e84ac8f014bee

SHA1
4cd94c381554f8a2ed956acb5b073c4f5a704de1

SHA256
df921c4f173a6bd6fe0b347f2494ff8c2c4a5407de343e87061e43b89890a712

SHA512
a2e7b01dea7c801f34a54fa70de812d032263eccf5f21fd9b5b1bdc448f63c363dfb84b88b275fe2129a7403b2ea3381ec1561d484db43387897f56daf92df9a

Download Submit
\Users\Admin\Desktop\New folder\HeInstaller\RFQ2.exe

Filesize
4.6MB

MD5
fab2cc9e8a64f905fb0e84ac8f014bee

SHA1
4cd94c381554f8a2ed956acb5b073c4f5a704de1

SHA256
df921c4f173a6bd6fe0b347f2494ff8c2c4a5407de343e87061e43b89890a712

SHA512
a2e7b01dea7c801f34a54fa70de812d032263eccf5f21fd9b5b1bdc448f63c363dfb84b88b275fe2129a7403b2ea3381ec1561d484db43387897f56daf92df9a

Download Submit
memory/2044-113-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2044-107-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2044-111-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-106-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2044-114-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2044-115-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2044-116-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2044-117-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2044-118-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2044-119-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2044-120-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads