dcrat | 0c580f2f9f3e2c64e1a23ab9f81e37e47fee22704d46a7bf7741802694cae951

General

Target

a8369a27fbef07a1cc2c2f20e844b58f.exe
Size

2.9MB
MD5

a8369a27fbef07a1cc2c2f20e844b58f
SHA1

737828caef2cd22845b001d247b1597f73835f4a
SHA256

0c580f2f9f3e2c64e1a23ab9f81e37e47fee22704d46a7bf7741802694cae951
SHA512

8402756c6e51ac0aa93e40ae4e03339ff0886fd09b423b98dba4fdfc34caf1d3badfa7c386e06c8f29ba78d7e68c2021dcdc580e53c927265371c460f36fcb6a
SSDEEP

49152:UbA30KjqqxP86L9Vs419H1j0m7ulwYDOOtWOf/Th:UbeGqv2419H1j0mwHftrnTh

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x002e000000015c88-10.dat	dcrat
behavioral1/files/0x002e000000015c88-9.dat	dcrat
behavioral1/files/0x002e000000015c88-12.dat	dcrat
behavioral1/files/0x002e000000015c88-11.dat	dcrat
behavioral1/memory/2748-13-0x0000000000080000-0x000000000031C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2748	webintoCommon.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	cmd.exe
2616	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	webintoCommon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2208	2044	a8369a27fbef07a1cc2c2f20e844b58f.exe	28
PID 2044 wrote to memory of 2208	2044	a8369a27fbef07a1cc2c2f20e844b58f.exe	28
PID 2044 wrote to memory of 2208	2044	a8369a27fbef07a1cc2c2f20e844b58f.exe	28
PID 2044 wrote to memory of 2208	2044	a8369a27fbef07a1cc2c2f20e844b58f.exe	28
PID 2208 wrote to memory of 2616	2208	WScript.exe	30
PID 2208 wrote to memory of 2616	2208	WScript.exe	30
PID 2208 wrote to memory of 2616	2208	WScript.exe	30
PID 2208 wrote to memory of 2616	2208	WScript.exe	30
PID 2616 wrote to memory of 2748	2616	cmd.exe	31
PID 2616 wrote to memory of 2748	2616	cmd.exe	31
PID 2616 wrote to memory of 2748	2616	cmd.exe	31
PID 2616 wrote to memory of 2748	2616	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a8369a27fbef07a1cc2c2f20e844b58f.exe
"C:\Users\Admin\AppData\Local\Temp\a8369a27fbef07a1cc2c2f20e844b58f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeProviderwin\eEaD7.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeProviderwin\U6Zsw0Aqkq82JoPhuqU5pdZPOaHSN.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\BridgeProviderwin\webintoCommon.exe
      "C:\BridgeProviderwin\webintoCommon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeProviderwin\U6Zsw0Aqkq82JoPhuqU5pdZPOaHSN.bat

Filesize
40B

MD5
142059a95ad64136b354b97c6f156495

SHA1
cf1681862136a264591d588c1394f86f7b31c992

SHA256
037fcdeaf49ec5ae65f84e63731f01685ea1fd53260dc66c126b3d479f33c5b9

SHA512
2b7ec931dbd1b56485b0a79004bfdc14f6bfaa94c28d0582c20c4d55c1730ae0ebdc53e17893959cc9c4ed40be295231c9418ffcf381822ca9e71a9035fd2d70

Download Submit
C:\BridgeProviderwin\eEaD7.vbe

Filesize
223B

MD5
7e1a81be7022bc7fe43697dfe5e8a7bf

SHA1
1a1bab88fa404e672c9fb084751647c3d83bb7f0

SHA256
9196fb30d8d69933914872811a4f612378327282995dd1faf965b4d272f80092

SHA512
6b869618393ce0530df1a2e4c37df9d34ff580c5ba7857fdada49862920a0a0eb2ca1724894e0534b131fe01d48cdd41d1bc00bb17a4d4f4b9f47386be828547

Download Submit
C:\BridgeProviderwin\webintoCommon.exe

Filesize
2.6MB

MD5
80450d4eb4cbd9ef383deec037cde42d

SHA1
595bea2ef33f9dd09bc5470aa9bbf90b84bd3e64

SHA256
d06472783b12ccb66b78364ab66f7dae851f142fec6c94f4801ab494ea630cd4

SHA512
5ad4010645c2f07460abe6ebf7ba0d07c3735f266da0fac1777d467250b0dd39244ee97a34bd9f24b2e89ebf75210e618a4bebc7e2454e6904c7784917d3c94d

Download Submit
C:\BridgeProviderwin\webintoCommon.exe

Filesize
2.6MB

MD5
80450d4eb4cbd9ef383deec037cde42d

SHA1
595bea2ef33f9dd09bc5470aa9bbf90b84bd3e64

SHA256
d06472783b12ccb66b78364ab66f7dae851f142fec6c94f4801ab494ea630cd4

SHA512
5ad4010645c2f07460abe6ebf7ba0d07c3735f266da0fac1777d467250b0dd39244ee97a34bd9f24b2e89ebf75210e618a4bebc7e2454e6904c7784917d3c94d

Download Submit
\BridgeProviderwin\webintoCommon.exe

Filesize
2.6MB

MD5
80450d4eb4cbd9ef383deec037cde42d

SHA1
595bea2ef33f9dd09bc5470aa9bbf90b84bd3e64

SHA256
d06472783b12ccb66b78364ab66f7dae851f142fec6c94f4801ab494ea630cd4

SHA512
5ad4010645c2f07460abe6ebf7ba0d07c3735f266da0fac1777d467250b0dd39244ee97a34bd9f24b2e89ebf75210e618a4bebc7e2454e6904c7784917d3c94d

Download Submit
\BridgeProviderwin\webintoCommon.exe

Filesize
2.6MB

MD5
80450d4eb4cbd9ef383deec037cde42d

SHA1
595bea2ef33f9dd09bc5470aa9bbf90b84bd3e64

SHA256
d06472783b12ccb66b78364ab66f7dae851f142fec6c94f4801ab494ea630cd4

SHA512
5ad4010645c2f07460abe6ebf7ba0d07c3735f266da0fac1777d467250b0dd39244ee97a34bd9f24b2e89ebf75210e618a4bebc7e2454e6904c7784917d3c94d

Download Submit
memory/2748-17-0x0000000000670000-0x000000000068C000-memory.dmp

Filesize
112KB

Download
memory/2748-22-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/2748-15-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2748-16-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/2748-13-0x0000000000080000-0x000000000031C000-memory.dmp

Filesize
2.6MB

Download
memory/2748-18-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/2748-19-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2748-20-0x00000000021B0000-0x00000000021C2000-memory.dmp

Filesize
72KB

Download
memory/2748-21-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2748-14-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-23-0x0000000002370000-0x00000000023C6000-memory.dmp

Filesize
344KB

Download
memory/2748-24-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2748-25-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2748-26-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/2748-27-0x00000000022E0000-0x00000000022EE000-memory.dmp

Filesize
56KB

Download
memory/2748-28-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2748-29-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing