dcrat | 34b8535955457b70007bc360d6f60a59dc70bd0aa8030ccaff77a07bd38ca320

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windscribe_2.5.18.exe
Size

20.5MB
MD5

8b45ea7fa70ea3e60c1642001ab66bb1
SHA1

69ab31a64f4d1c7ab2d5bf08b6ff05fe29efcfe1
SHA256

34b8535955457b70007bc360d6f60a59dc70bd0aa8030ccaff77a07bd38ca320
SHA512

9175435ca08cfbd498c5ab2dc63a29ebea508178397db2413d830a997673a2d60b4ca2178972c75dc57a33e9122e7d51aee2169dcc2dce8b445dcf33646a9b8e
SSDEEP

393216:uVgDgNg+Vim3Tp8YTLz4Iom3CgnuhGQ5DtOCmJ6z5OqHCQZFsAIWKCYoyLV0:uV2WIiGYTX4VPhZs7JSFlIW9V

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000e00000001225c-5.dat	dcrat
behavioral1/files/0x000e00000001225c-7.dat	dcrat
behavioral1/files/0x000e00000001225c-12.dat	dcrat
behavioral1/files/0x000e00000001225c-9.dat	dcrat
behavioral1/files/0x000e00000001225c-14.dat	dcrat
behavioral1/files/0x000e00000001225c-15.dat	dcrat
behavioral1/files/0x0007000000016ce6-34.dat	dcrat
behavioral1/files/0x0007000000016ce6-33.dat	dcrat
behavioral1/files/0x0007000000016ce6-32.dat	dcrat
behavioral1/files/0x0007000000016ce6-31.dat	dcrat
behavioral1/memory/2508-35-0x0000000000150000-0x0000000000358000-memory.dmp	dcrat
behavioral1/memory/2508-38-0x000000001B0F0000-0x000000001B170000-memory.dmp	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2192	Windscribe_2.5.18.exe
2844	Windscribe_2.5.18_licensekey.exe
1196	Process not Found
2508	Runtime Broker.exe

Loads dropped DLL 6 IoCs

pid	Process
2616	Windscribe_2.5.18.exe
2616	Windscribe_2.5.18.exe
2616	Windscribe_2.5.18.exe
2616	Windscribe_2.5.18.exe
3028	cmd.exe
3028	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	Runtime Broker.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2192	2616	Windscribe_2.5.18.exe	28
PID 2616 wrote to memory of 2192	2616	Windscribe_2.5.18.exe	28
PID 2616 wrote to memory of 2192	2616	Windscribe_2.5.18.exe	28
PID 2616 wrote to memory of 2192	2616	Windscribe_2.5.18.exe	28
PID 2192 wrote to memory of 2900	2192	Windscribe_2.5.18.exe	29
PID 2192 wrote to memory of 2900	2192	Windscribe_2.5.18.exe	29
PID 2192 wrote to memory of 2900	2192	Windscribe_2.5.18.exe	29
PID 2192 wrote to memory of 2900	2192	Windscribe_2.5.18.exe	29
PID 2616 wrote to memory of 2844	2616	Windscribe_2.5.18.exe	30
PID 2616 wrote to memory of 2844	2616	Windscribe_2.5.18.exe	30
PID 2616 wrote to memory of 2844	2616	Windscribe_2.5.18.exe	30
PID 2616 wrote to memory of 2844	2616	Windscribe_2.5.18.exe	30
PID 2900 wrote to memory of 3028	2900	WScript.exe	33
PID 2900 wrote to memory of 3028	2900	WScript.exe	33
PID 2900 wrote to memory of 3028	2900	WScript.exe	33
PID 2900 wrote to memory of 3028	2900	WScript.exe	33
PID 3028 wrote to memory of 2508	3028	cmd.exe	31
PID 3028 wrote to memory of 2508	3028	cmd.exe	31
PID 3028 wrote to memory of 2508	3028	cmd.exe	31
PID 3028 wrote to memory of 2508	3028	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\Windscribe_2.5.18.exe
"C:\Users\Admin\AppData\Local\Temp\Windscribe_2.5.18.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Temp\tmTZAu0ww6EK.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Temp\2b3nvEZbyOKVLO0rFX9CQNCe.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3028
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe"
  2⤵
  - Executes dropped EXE
  PID:2844

C:\Temp\Runtime Broker.exe
"C:\Temp\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\2b3nvEZbyOKVLO0rFX9CQNCe.bat

Filesize
28B

MD5
1c0820915b23fa02cd5c9d5ee69e2110

SHA1
cb03a2ee3817d3fa191364429eada237f1fc15a4

SHA256
1d73a85802574d06a478525aa333dcbed44c1c2cdec62e637a9a729c6c524fcb

SHA512
2d16a37ca7542bd7d41f456ddbaa2d9f44f1fc0a862549f262abde4de8728766b8c2d13e641f700c81d7c4ca6158d7ec3ee97bf51a90603e08cbef288f465ec2

Download Submit
C:\Temp\Runtime Broker.exe

Filesize
2.0MB

MD5
67917ccf46c06770ac8b68d659e0de29

SHA1
2ab5ae38cc7fef5d40dcb99a75d64f70bb5e96bc

SHA256
7a65428437ef2479cf54f7feb139f0dfd3c56fb75f51d1c1d373e1658c974c18

SHA512
0d58f3de18aa45a90ba6c6f78ca07d81ee83c3608d096b4eed15065bda90435130e98990b34858a3b629ee0ef51e71cdbfa47c3429fbdfa0caac6809e6471947

Download Submit
C:\Temp\Runtime Broker.exe

Filesize
2.0MB

MD5
67917ccf46c06770ac8b68d659e0de29

SHA1
2ab5ae38cc7fef5d40dcb99a75d64f70bb5e96bc

SHA256
7a65428437ef2479cf54f7feb139f0dfd3c56fb75f51d1c1d373e1658c974c18

SHA512
0d58f3de18aa45a90ba6c6f78ca07d81ee83c3608d096b4eed15065bda90435130e98990b34858a3b629ee0ef51e71cdbfa47c3429fbdfa0caac6809e6471947

Download Submit
C:\Temp\tmTZAu0ww6EK.vbe

Filesize
205B

MD5
c1b104067034ac2b7fdd77ed7da7cd0f

SHA1
9dc28714822c1a33ba6e634c0a068f7bb6c3ad2e

SHA256
54d0b9ec8a5a9a11da51dec73b72633be8046c01798b78c89507594b3b4b0a49

SHA512
869bafe2f1a2ae32362f4c9a6ac4ae82278c21b338773a9a818372f8b93b08ec2ad368338a17e049952a2f1bd9129cc34a1de1fc551a0c3ea58e8d563481ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe

Filesize
2.3MB

MD5
6a4743cb09423008c69f5051470aecb8

SHA1
3795816b9a20af3ad0ce0186e0978fc7d0b99908

SHA256
ace228d260a36bdbf8d349d2140dfe5a98a9ef202129e02f1173d7baf1b6e261

SHA512
1af678abd2d8670400695802fb2b3036feca2152baedc4ba841bd59d7763df4b220c3b27e65f29749b1b36eb0f1901622ad46958f46bf3e977f1c66292d0da4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe

Filesize
2.3MB

MD5
6a4743cb09423008c69f5051470aecb8

SHA1
3795816b9a20af3ad0ce0186e0978fc7d0b99908

SHA256
ace228d260a36bdbf8d349d2140dfe5a98a9ef202129e02f1173d7baf1b6e261

SHA512
1af678abd2d8670400695802fb2b3036feca2152baedc4ba841bd59d7763df4b220c3b27e65f29749b1b36eb0f1901622ad46958f46bf3e977f1c66292d0da4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe

Filesize
2.3MB

MD5
6a4743cb09423008c69f5051470aecb8

SHA1
3795816b9a20af3ad0ce0186e0978fc7d0b99908

SHA256
ace228d260a36bdbf8d349d2140dfe5a98a9ef202129e02f1173d7baf1b6e261

SHA512
1af678abd2d8670400695802fb2b3036feca2152baedc4ba841bd59d7763df4b220c3b27e65f29749b1b36eb0f1901622ad46958f46bf3e977f1c66292d0da4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe

Filesize
18.8MB

MD5
5729d7f8fff698e46f35abc7d904ece9

SHA1
7017eb70ff16eeaf91e9e9f7d60b938f83fb0169

SHA256
a58515e3c3b350de864bfd41ebd570724efdffe44e17de571f78da74b5ef7475

SHA512
e7d7c26484daf285cdc0d436ba2e9298cb9594a32181fffc62ce3f2d5bfc894445417e28fd2af8e9c1558d15540be61f8154ac70f275fdec827db881201eace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe

Filesize
18.8MB

MD5
5729d7f8fff698e46f35abc7d904ece9

SHA1
7017eb70ff16eeaf91e9e9f7d60b938f83fb0169

SHA256
a58515e3c3b350de864bfd41ebd570724efdffe44e17de571f78da74b5ef7475

SHA512
e7d7c26484daf285cdc0d436ba2e9298cb9594a32181fffc62ce3f2d5bfc894445417e28fd2af8e9c1558d15540be61f8154ac70f275fdec827db881201eace7

Download Submit
\Temp\Runtime Broker.exe

Filesize
2.0MB

MD5
67917ccf46c06770ac8b68d659e0de29

SHA1
2ab5ae38cc7fef5d40dcb99a75d64f70bb5e96bc

SHA256
7a65428437ef2479cf54f7feb139f0dfd3c56fb75f51d1c1d373e1658c974c18

SHA512
0d58f3de18aa45a90ba6c6f78ca07d81ee83c3608d096b4eed15065bda90435130e98990b34858a3b629ee0ef51e71cdbfa47c3429fbdfa0caac6809e6471947

Download Submit
\Temp\Runtime Broker.exe

Filesize
2.0MB

MD5
67917ccf46c06770ac8b68d659e0de29

SHA1
2ab5ae38cc7fef5d40dcb99a75d64f70bb5e96bc

SHA256
7a65428437ef2479cf54f7feb139f0dfd3c56fb75f51d1c1d373e1658c974c18

SHA512
0d58f3de18aa45a90ba6c6f78ca07d81ee83c3608d096b4eed15065bda90435130e98990b34858a3b629ee0ef51e71cdbfa47c3429fbdfa0caac6809e6471947

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe

Filesize
2.3MB

MD5
6a4743cb09423008c69f5051470aecb8

SHA1
3795816b9a20af3ad0ce0186e0978fc7d0b99908

SHA256
ace228d260a36bdbf8d349d2140dfe5a98a9ef202129e02f1173d7baf1b6e261

SHA512
1af678abd2d8670400695802fb2b3036feca2152baedc4ba841bd59d7763df4b220c3b27e65f29749b1b36eb0f1901622ad46958f46bf3e977f1c66292d0da4d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe

Filesize
2.3MB

MD5
6a4743cb09423008c69f5051470aecb8

SHA1
3795816b9a20af3ad0ce0186e0978fc7d0b99908

SHA256
ace228d260a36bdbf8d349d2140dfe5a98a9ef202129e02f1173d7baf1b6e261

SHA512
1af678abd2d8670400695802fb2b3036feca2152baedc4ba841bd59d7763df4b220c3b27e65f29749b1b36eb0f1901622ad46958f46bf3e977f1c66292d0da4d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe

Filesize
2.3MB

MD5
6a4743cb09423008c69f5051470aecb8

SHA1
3795816b9a20af3ad0ce0186e0978fc7d0b99908

SHA256
ace228d260a36bdbf8d349d2140dfe5a98a9ef202129e02f1173d7baf1b6e261

SHA512
1af678abd2d8670400695802fb2b3036feca2152baedc4ba841bd59d7763df4b220c3b27e65f29749b1b36eb0f1901622ad46958f46bf3e977f1c66292d0da4d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe

Filesize
18.8MB

MD5
5729d7f8fff698e46f35abc7d904ece9

SHA1
7017eb70ff16eeaf91e9e9f7d60b938f83fb0169

SHA256
a58515e3c3b350de864bfd41ebd570724efdffe44e17de571f78da74b5ef7475

SHA512
e7d7c26484daf285cdc0d436ba2e9298cb9594a32181fffc62ce3f2d5bfc894445417e28fd2af8e9c1558d15540be61f8154ac70f275fdec827db881201eace7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe

Filesize
18.8MB

MD5
5729d7f8fff698e46f35abc7d904ece9

SHA1
7017eb70ff16eeaf91e9e9f7d60b938f83fb0169

SHA256
a58515e3c3b350de864bfd41ebd570724efdffe44e17de571f78da74b5ef7475

SHA512
e7d7c26484daf285cdc0d436ba2e9298cb9594a32181fffc62ce3f2d5bfc894445417e28fd2af8e9c1558d15540be61f8154ac70f275fdec827db881201eace7

Download Submit
memory/2508-35-0x0000000000150000-0x0000000000358000-memory.dmp

Filesize
2.0MB

Download
memory/2508-36-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-38-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2508-39-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/2508-40-0x0000000002090000-0x000000000209E000-memory.dmp

Filesize
56KB

Download
memory/2508-41-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download