dcrat | 2338196b590a6d147d3d65884181bf33f35d197cf8351052e6e756109e3d07d4

General

Target

37fec973f5fda9a800ae2b73626f020b.exe
Size

574KB
MD5

37fec973f5fda9a800ae2b73626f020b
SHA1

d4dab6d09e28640bf696f27e4d6c001676241a0f
SHA256

2338196b590a6d147d3d65884181bf33f35d197cf8351052e6e756109e3d07d4
SHA512

37e5e5c6a291ee4d29e4e79a1ed5369149f939d437a246fff31a60a4cc5ac88653c5123dbef0676ce6e1a041fc809de0687c276434422812d47ea09ddcfaa32a
SSDEEP

12288:ONpszYhvXWSVJdMaeb2X+t4RJLAPm6Rqmxg1etyGzKp0Uf:yhvJVJdMf0jAu1m2etRKb

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	828	schtasks.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	828	schtasks.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	828	schtasks.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	828	schtasks.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	828	schtasks.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	828	schtasks.exe	50

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000700000001e5df-4.dat	dcrat
behavioral2/memory/4748-12-0x0000000000F30000-0x0000000000FDC000-memory.dmp	dcrat
behavioral2/files/0x000700000001e5df-11.dat	dcrat

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1640	schtasks.exe
3912	schtasks.exe
4660	schtasks.exe
3400	schtasks.exe
4104	schtasks.exe
2588	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\37fec973f5fda9a800ae2b73626f020b.exe
"C:\Users\Admin\AppData\Local\Temp\37fec973f5fda9a800ae2b73626f020b.exe"
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\revirf.exe
  "C:\Users\Admin\AppData\Local\Temp\revirf.exe"
  2⤵
  PID:4748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sElsk7KG4k.bat"
    3⤵
    PID:3660
  - - C:\Windows\System32\rundll32\dwm.exe
      "C:\Windows\System32\rundll32\dwm.exe"
      4⤵
      PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\WcnEapAuthProxy\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\rundll32\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\80D77D29-5A0A-4B11-A682-504965458877\root\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3624

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\tsallow\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\revirf.exe

Filesize
92KB

MD5
7265520816e7c862d2c1834c3672fd88

SHA1
3d284dcfbe36ecf35e463d6b1de46a920719b919

SHA256
00c737226f0fbdeda2ed51e77462ad8c7c23dd5d3f261e5b042ee6d860f6fbad

SHA512
8463f229ea93a8e878c7c64afc375d18134e41454f01a9851612acfd53a79333ef5fac4e020abeaa4cbfc632639c52a05706642ab3ea67702f63c8b0a0a5fd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\revirf.exe

Filesize
381KB

MD5
36932b5825b1e5d74999b03daeb44b54

SHA1
4c661f2ecc6ad477652ce69a87a763ba3c2f9d09

SHA256
8bdcbee0ae2c1f793db986c6ccdd0585c4c963c88f7a89abb62317bca2059855

SHA512
4dd41288ce6e55a925a48898e397b58958573b8bd73b82a86186abcaf83a119bfff08c7212cb9bc141c1718635d3a08b48f2def9b6f48daeb3d523f8060c4791

Download Submit
memory/1596-38-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/1596-37-0x00007FFEF8980000-0x00007FFEF9441000-memory.dmp

Filesize
10.8MB

Download
memory/1596-40-0x00007FFEF8980000-0x00007FFEF9441000-memory.dmp

Filesize
10.8MB

Download
memory/4748-12-0x0000000000F30000-0x0000000000FDC000-memory.dmp

Filesize
688KB

Download
memory/4748-14-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/4748-13-0x00007FFEF8980000-0x00007FFEF9441000-memory.dmp

Filesize
10.8MB

Download
memory/4748-33-0x00007FFEF8980000-0x00007FFEF9441000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads