dcrat | c46e21416616c059a9b0d50a3a4f0250b54abf8e23a1ea916220f2e365b41d4c

Analysis

max time kernel
142s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc0a118e19ad3ac3181c3d6c0babf16.exe
Size

6.7MB
MD5

bfc0a118e19ad3ac3181c3d6c0babf16
SHA1

c7fdf53984ea46c59c34f8925a5983ed1f99ea56
SHA256

c46e21416616c059a9b0d50a3a4f0250b54abf8e23a1ea916220f2e365b41d4c
SHA512

1d99c18f5c3dcb52fa4921dfe4a4c73cfe52066e13de505423b76ad2bf341390a358b9d32fad1cec8a5d4570319fdee04535610c13a199556770d49868bb0f94
SSDEEP

98304:AFINBsHAf5w6fhCDxO2t0BcyUedw+ad6d5KtYKkWjrSl5TzIaC8FZUYA0:Ht2xXi8edBaMdct2WjutIxJu

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2824-17-0x0000000000120000-0x0000000000256000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2824	one.exe
1656	rust.exe

Loads dropped DLL 6 IoCs

pid	Process
2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe
2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe
2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe
1656	rust.exe
1656	rust.exe
1656	rust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	one.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2824	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	22
PID 2228 wrote to memory of 2824	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	22
PID 2228 wrote to memory of 2824	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	22
PID 2228 wrote to memory of 2824	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	22
PID 2228 wrote to memory of 1656	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	21
PID 2228 wrote to memory of 1656	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	21
PID 2228 wrote to memory of 1656	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	21
PID 2228 wrote to memory of 1656	2228	bfc0a118e19ad3ac3181c3d6c0babf16.exe	21

C:\Users\Admin\AppData\Local\Temp\bfc0a118e19ad3ac3181c3d6c0babf16.exe
"C:\Users\Admin\AppData\Local\Temp\bfc0a118e19ad3ac3181c3d6c0babf16.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\rust.exe
  "C:\Users\Admin\AppData\Local\Temp\rust.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\one.exe
  "C:\Users\Admin\AppData\Local\Temp\one.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-36-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1656-47-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1656-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1656-30-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/1656-27-0x0000000010000000-0x00000000104DC000-memory.dmp

Filesize
4.9MB

Download
memory/1656-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1656-44-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1656-38-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2824-34-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/2824-17-0x0000000000120000-0x0000000000256000-memory.dmp

Filesize
1.2MB

Download
memory/2824-35-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2824-42-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-43-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-33-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/2824-32-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/2824-19-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download