dcrat | 37b1874b580fc0c5896b06bd5ae855d66d15ab2be63408c0bda9dbd9441c0b13

General

Target

AllergiesList/Allergies List and Allowed Substances.numb05151.pdf.scr
Size

920.3MB
MD5

491c5ac82977262ef24bd22ad312c622
SHA1

1f0555370f07e94182059701f63e940429757157
SHA256

ea770032c44e773b9c9865d4ff3bfb10f76b003ace1bbfbe45755ffff227e5fe
SHA512

a9974fe623a979e12d8493200f36aa4aab5763ea97ed4d5924fb1f579038d686bb10d789d576343ce4ca4c8a4657ed9404b7ffb52f701f6f880eb75e766f6734
SSDEEP

393216:rc8yiMPNWZV4nXF12elEA7YKsHES/Sl50l:rcOMPNWTM2elpBtSwW

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/924-54-0x0000000000E90000-0x00000000037F6000-memory.dmp	dcrat

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/924-54-0x0000000000E90000-0x00000000037F6000-memory.dmp	net_reactor
behavioral1/memory/924-56-0x000000001DAD0000-0x000000001DC26000-memory.dmp	net_reactor
behavioral1/memory/924-57-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-58-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-62-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-60-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-64-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-66-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-68-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-70-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-72-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-76-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-74-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-80-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-78-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-82-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-88-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-86-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-84-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-94-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-92-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-90-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-98-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-96-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-102-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-100-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-106-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-104-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-108-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-114-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-112-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-110-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-118-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-116-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor
behavioral1/memory/924-120-0x000000001DAD0000-0x000000001DC20000-memory.dmp	net_reactor

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scr

pid	process
924	Allergies List and Allowed Substances.numb05151.pdf.scr
924	Allergies List and Allowed Substances.numb05151.pdf.scr
924	Allergies List and Allowed Substances.numb05151.pdf.scr
924	Allergies List and Allowed Substances.numb05151.pdf.scr
924	Allergies List and Allowed Substances.numb05151.pdf.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scr

description pid process

Token: SeDebugPrivilege 924 Allergies List and Allowed Substances.numb05151.pdf.scr

description	pid	process
Token: SeDebugPrivilege	924	Allergies List and Allowed Substances.numb05151.pdf.scr

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scr

description	pid	process	target process
PID 924 wrote to memory of 580	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 580	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 580	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 580	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1628	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1628	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1628	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1628	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1028	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1028	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1028	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1028	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 980	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 980	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 980	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 980	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1112	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1112	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1112	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 924 wrote to memory of 1112	924	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\AllergiesList\Allergies List and Allowed Substances.numb05151.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\AllergiesList\Allergies List and Allowed Substances.numb05151.pdf.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1112

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/924-54-0x0000000000E90000-0x00000000037F6000-memory.dmp

Filesize
41.4MB

Download
memory/924-55-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download
memory/924-56-0x000000001DAD0000-0x000000001DC26000-memory.dmp

Filesize
1.3MB

Download
memory/924-57-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-58-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-62-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-60-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-64-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-66-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-68-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-70-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-72-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-76-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-74-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-80-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-78-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-82-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-88-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-86-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-84-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-94-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-92-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-90-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-98-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-96-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-102-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-100-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-106-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-104-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-108-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-114-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-112-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-110-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-118-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-116-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-120-0x000000001DAD0000-0x000000001DC20000-memory.dmp

Filesize
1.3MB

Download
memory/924-1832-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads