dcrat | 8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40

General

Target

archive.exe
Size

2.1MB
MD5

b281bb876b1fcdaa80dcd99427a2bd9c
SHA1

77fd2120a9ed75b5db3a8d1ddd93cdfc8fe8b98d
SHA256

8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40
SHA512

36e283e71d638289ad3f0a4a8b7fcdb1ca9faca48953d864b5a4e4d3e3e43b62fd4402e0bce931a9b73b115d16cb1d7c1fb9b72cf5a64173f7c2d4b214482fd5
SSDEEP

49152:8bA3YaV2w7CHLjOXspMUyCw8bJpE9cToEx:8bnW7CD6Labc9soE

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3040-1-0x0000000000400000-0x0000000000637000-memory.dmp	dcrat
behavioral1/memory/3040-18-0x0000000000400000-0x0000000000637000-memory.dmp	dcrat
behavioral1/files/0x000800000001658a-22.dat	dcrat
behavioral1/memory/1908-25-0x00000000012E0000-0x000000000141A000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
1876	~ZY3F90.tmp
1908	dhcpcommon.exe

Loads dropped DLL 4 IoCs

pid	Process
3040	archive.exe
3040	archive.exe
2308	cmd.exe
2308	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE5451A1-ABFE-BF4F-EAFE-0000728FF659}	archive.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1424	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	dhcpcommon.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1876	3040	archive.exe	28
PID 3040 wrote to memory of 1876	3040	archive.exe	28
PID 3040 wrote to memory of 1876	3040	archive.exe	28
PID 3040 wrote to memory of 1876	3040	archive.exe	28
PID 1876 wrote to memory of 1404	1876	~ZY3F90.tmp	29
PID 1876 wrote to memory of 1404	1876	~ZY3F90.tmp	29
PID 1876 wrote to memory of 1404	1876	~ZY3F90.tmp	29
PID 1876 wrote to memory of 1404	1876	~ZY3F90.tmp	29
PID 3040 wrote to memory of 2680	3040	archive.exe	31
PID 3040 wrote to memory of 2680	3040	archive.exe	31
PID 3040 wrote to memory of 2680	3040	archive.exe	31
PID 3040 wrote to memory of 2680	3040	archive.exe	31
PID 2680 wrote to memory of 2308	2680	WScript.exe	32
PID 2680 wrote to memory of 2308	2680	WScript.exe	32
PID 2680 wrote to memory of 2308	2680	WScript.exe	32
PID 2680 wrote to memory of 2308	2680	WScript.exe	32
PID 2308 wrote to memory of 1908	2308	cmd.exe	34
PID 2308 wrote to memory of 1908	2308	cmd.exe	34
PID 2308 wrote to memory of 1908	2308	cmd.exe	34
PID 2308 wrote to memory of 1908	2308	cmd.exe	34
PID 2308 wrote to memory of 1424	2308	cmd.exe	36
PID 2308 wrote to memory of 1424	2308	cmd.exe	36
PID 2308 wrote to memory of 1424	2308	cmd.exe	36
PID 2308 wrote to memory of 1424	2308	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\archive.exe
"C:\Users\Admin\AppData\Local\Temp\archive.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\~ZY3F90.tmp
  C:\Users\Admin\AppData\Local\Temp\~ZY3F90.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\406A.tmp\406B.tmp\406C.bat C:\Users\Admin\AppData\Local\Temp\~ZY3F90.tmp"
    3⤵
    PID:1404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Agentruntimeperfdhcp\feK7ReLHyHDhXewsN5x2bH.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Agentruntimeperfdhcp\ZHwbHSvEyrpihXgvOLolKD1A8iSWw.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Agentruntimeperfdhcp\dhcpcommon.exe
      "C:\Agentruntimeperfdhcp\dhcpcommon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Agentruntimeperfdhcp\ZHwbHSvEyrpihXgvOLolKD1A8iSWw.bat

Filesize
152B

MD5
60b6b03cb8099ec553acc60444eafae3

SHA1
b5cd77722afae1bf237ef2df15f189eb731cd34d

SHA256
2c95bd39a47e6923b16df9933499ebf6ee76e37399fc327382a28da3d8ae4afd

SHA512
aca79dc0437cf7111c938b91018ae66c4e57d8483f70da2f2ea363405e0b4aad20426c166b26612a52230af568920eced65e48bce959912a8b3ceefff109601a

Download Submit
C:\Agentruntimeperfdhcp\dhcpcommon.exe

Filesize
1.2MB

MD5
ce246a0b4df2b22693bae03a65b17065

SHA1
25f12c0ef7a0ce0756cc344992b99f25291ba9c4

SHA256
85dd22da07c78f1452ed489d31cd3b113762653fa2371951d0a65c4b0d96dae1

SHA512
f965b0fa4cb3475f1117951b62e1721ca2a53ae23c0b4ee6c907fac4d8921a96a0980ab7dcc79739e1e93b428381c3de88a6e4522d1b9414d09420cf8373cee9

Download Submit
C:\Agentruntimeperfdhcp\feK7ReLHyHDhXewsN5x2bH.vbe

Filesize
226B

MD5
8d267886684ddfb879b6fe717ccd7e6e

SHA1
69e2445c2691ce8c28c6554887532f9b17b2a39d

SHA256
febea9fffd98027ed257e15010c0202580184303e570bcf84ebb3449d009a3e8

SHA512
fa5146c1b1b19b74fab18891079e0327b3ca85bffe8cea31cfe6405212e140783e63481f7c4f94379729966b9f56eeb6a41a5ffff1c1f8314552aa76e4e4e229

Download Submit
C:\Users\Admin\AppData\Local\Temp\406A.tmp\406B.tmp\406C.bat

Filesize
8KB

MD5
cdc27a3f7bbe8d24d1921507a468f5cd

SHA1
1db474674020cafef0c6faeb35bd64ad01cdab14

SHA256
d5524616817e603c5110a72f743abaa8a81d043e47a508e69103518bb4310ee8

SHA512
1e027eae828ca79bf650a2f48a012afa8f47d2c5293a9ebc40e1df5cb99e92ba21fbf8601794d39cef50145364271d7a58a8c1345d90cfd5a880c62342329391

Download Submit
\Users\Admin\AppData\Local\Temp\~ZY3F90.tmp

Filesize
356KB

MD5
5417d9eab3e78a7d968e00eab0e33100

SHA1
b9135bd12a4db8cd61bef519d6d70408086c0aac

SHA256
2d25d54ade4bd254f217c8110cf7f96656767c3e0c5dcf6dc0c30b5f8ceeffa7

SHA512
4af5f15212ab24ed2ba3de9c65c223cfe56adf7c1a027f63365ba63132f52c6593f61a5edb1bf05d7ac25abe0262053431d3527d8fc2b33920cd7ef7881aedda

Download Submit
memory/1908-25-0x00000000012E0000-0x000000000141A000-memory.dmp

Filesize
1.2MB

Download
memory/1908-26-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1908-27-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1908-28-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1908-29-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-1-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3040-18-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing