dcrat | acc16e7688ff39619631a8f3e04eb8136733514e49eb917c86097f675be0d6c7

General

Target

vfcfe09.exe
Size

614KB
MD5

017781864802f7e6342e72886256c48a
SHA1

a9a805c3ca5ec10bdf2de0e5f5e6cdb264ec7b42
SHA256

acc16e7688ff39619631a8f3e04eb8136733514e49eb917c86097f675be0d6c7
SHA512

9a97fac840018dfcb607a70d60c1d3123605513057f2c310449849e02b830a37ef5c124b357d032a18505de8375a7f34bd0f5b0da4df9c31d3ed2e9fab5cbd7b
SSDEEP

12288:/dA/Tlh/DAbovlNWkrRMZe2aWgr6pHXrgeBrbAnOkK7xj:G/D3NRyZe2QupHX8eBreh4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2648	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000120000-0x00000000001BB000-memory.dmp	dcrat
behavioral1/memory/2824-3-0x0000000000080000-0x00000000000D6000-memory.dmp	dcrat
behavioral1/memory/2824-11-0x0000000000080000-0x00000000000D6000-memory.dmp	dcrat
behavioral1/memory/2824-10-0x0000000000080000-0x00000000000D6000-memory.dmp	dcrat
behavioral1/memory/1744-9-0x0000000000120000-0x00000000001BB000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2440	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
2824	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 2824	1744	vfcfe09.exe	29

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2460	schtasks.exe
2604	schtasks.exe
2588	schtasks.exe
2712	schtasks.exe
2928	schtasks.exe
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2824	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2824	1744	vfcfe09.exe	29
PID 1744 wrote to memory of 2824	1744	vfcfe09.exe	29
PID 1744 wrote to memory of 2824	1744	vfcfe09.exe	29
PID 1744 wrote to memory of 2824	1744	vfcfe09.exe	29
PID 1744 wrote to memory of 2824	1744	vfcfe09.exe	29
PID 1744 wrote to memory of 2824	1744	vfcfe09.exe	29
PID 2824 wrote to memory of 2440	2824	MSBuild.exe	37
PID 2824 wrote to memory of 2440	2824	MSBuild.exe	37
PID 2824 wrote to memory of 2440	2824	MSBuild.exe	37
PID 2824 wrote to memory of 2440	2824	MSBuild.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vfcfe09.exe
"C:\Users\Admin\AppData\Local\Temp\vfcfe09.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Default\PrintHood\lsass.exe
    "C:\Users\Default\PrintHood\lsass.exe"
    3⤵
    - Executes dropped EXE
    PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\lsass.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1744-9-0x0000000000120000-0x00000000001BB000-memory.dmp

Filesize
620KB

Download
memory/1744-0-0x0000000000120000-0x00000000001BB000-memory.dmp

Filesize
620KB

Download
memory/2440-24-0x0000000000910000-0x0000000000950000-memory.dmp

Filesize
256KB

Download
memory/2440-25-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-26-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-3-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2824-11-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2824-10-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2824-1-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2824-12-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-13-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2824-22-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads