dcrat | 3b6c50997c6575d2c7a3300b6afaf16b2440874c0540ee415b842d649d104f44

General

Target

Neles Skinchanger 0.28.4.exe
Size

5.6MB
MD5

a13bcc8067d988bdf67c04cbd394213a
SHA1

d32d82f56b632f74381caff663a363e5f30e22f7
SHA256

3b6c50997c6575d2c7a3300b6afaf16b2440874c0540ee415b842d649d104f44
SHA512

b49f9f27f5b1b9e505d13777477f7d05e42b2455ee336e2d2aba0e595cb600f1de7da5a18a78acbd28a4512fe63faa539b960a4f7977f2bc5b32a06637bb17e8
SSDEEP

98304:jNXGluIWpVgaDIz6Sjozu+bk1Ct6hvCzWlcdiuN4bupuwJ2PuGnXhzVb+yl:jNXGlNF6irKu3C+vQWls48anXVVKI

Score

10^/10

dcrat zgrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1448-19-0x0000000000400000-0x00000000009A5000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe	dcrat
behavioral2/memory/1448-19-0x0000000000400000-0x00000000009A5000-memory.dmp	dcrat
C:\Serverfontinto\browserPerf.exe	dcrat
behavioral2/memory/4176-37-0x0000000000F30000-0x00000000010D2000-memory.dmp	dcrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/1448-19-0x0000000000400000-0x00000000009A5000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Neles Skinchanger 0.28.4.exeDCRatBuild.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	Neles Skinchanger 0.28.4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

Neles Skinchanger 0.28.1.exeDCRatBuild.exebrowserPerf.exe

pid process

1772 Neles Skinchanger 0.28.1.exe
1616 DCRatBuild.exe
4176 browserPerf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

DCRatBuild.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings DCRatBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

browserPerf.exe

description pid process

Token: SeDebugPrivilege 4176 browserPerf.exe

pid	process
1772	Neles Skinchanger 0.28.1.exe
1616	DCRatBuild.exe
4176	browserPerf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	DCRatBuild.exe

description	pid	process
Token: SeDebugPrivilege	4176	browserPerf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Neles Skinchanger 0.28.4.exeDCRatBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 1772	1448	Neles Skinchanger 0.28.4.exe	Neles Skinchanger 0.28.1.exe
PID 1448 wrote to memory of 1772	1448	Neles Skinchanger 0.28.4.exe	Neles Skinchanger 0.28.1.exe
PID 1448 wrote to memory of 1616	1448	Neles Skinchanger 0.28.4.exe	DCRatBuild.exe
PID 1448 wrote to memory of 1616	1448	Neles Skinchanger 0.28.4.exe	DCRatBuild.exe
PID 1448 wrote to memory of 1616	1448	Neles Skinchanger 0.28.4.exe	DCRatBuild.exe
PID 1616 wrote to memory of 1028	1616	DCRatBuild.exe	WScript.exe
PID 1616 wrote to memory of 1028	1616	DCRatBuild.exe	WScript.exe
PID 1616 wrote to memory of 1028	1616	DCRatBuild.exe	WScript.exe
PID 1028 wrote to memory of 3480	1028	WScript.exe	cmd.exe
PID 1028 wrote to memory of 3480	1028	WScript.exe	cmd.exe
PID 1028 wrote to memory of 3480	1028	WScript.exe	cmd.exe
PID 3480 wrote to memory of 4176	3480	cmd.exe	browserPerf.exe
PID 3480 wrote to memory of 4176	3480	cmd.exe	browserPerf.exe

C:\Users\Admin\AppData\Local\Temp\Neles Skinchanger 0.28.4.exe
"C:\Users\Admin\AppData\Local\Temp\Neles Skinchanger 0.28.4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\Neles Skinchanger 0.28.1.exe
"C:\Users\Admin\AppData\Local\Temp\Neles Skinchanger 0.28.1.exe"
2⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Serverfontinto\ggA79gEQWMtGyHjPedBsT7q1K2zClm.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Serverfontinto\WPi5TAxlEJbkHM8pJVgb.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Serverfontinto\browserPerf.exe
"C:\Serverfontinto\browserPerf.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Serverfontinto\WPi5TAxlEJbkHM8pJVgb.bat
Filesize
35B

MD5
451549d6be4bec74f0c7465c96933b2e

SHA1
54eb5f78e836026b7064e02bea465e26a3be0cb9

SHA256
617f222b74ca141960f06cdab493d4725a4d543b3484f88a904fa3513bfe983d

SHA512
4b97d143cf95146dd84619dee9337b1fa2e938dd41520564211a728f52b3bc77d108810fd84465f11e91af20a833bcb2cc54c3f11a23e94b7cfa3c6d35e988f0

Download Submit
C:\Serverfontinto\browserPerf.exe
Filesize
1.6MB

MD5
2daf8639d999ab8aa57f810bdac02e00

SHA1
8163641a538bc90f4bd1f91770f5f91cc397f5e5

SHA256
eabd6c9c27a5c7586447d9c1f287b188fd863967e205985ce8e9ad6344e62a6f

SHA512
0d4f5f21c3dfb7a5e0c7980bfe0f2137c1e7c821043544ec0b46af704dce341e45bbc0f5827fbf960783b45243438aee09a39ae8d14e93d6290eedc59ae56562

Download Submit
C:\Serverfontinto\ggA79gEQWMtGyHjPedBsT7q1K2zClm.vbe
Filesize
211B

MD5
e9805e10ff10bc14a2b68c21fe567874

SHA1
221d710ef76eca3765d1a7961a1fc92b2ff5aca1

SHA256
737c8f15685ceb1999e652907a3fc061bad3d73a2c9708552eab430aa4013afa

SHA512
7e41c63e6bef29de6681958d71f5aff88e25746998562e566bcab8e0032423efb31219a41fa1466d0d120485ba05fa1e4747f1072be3db3500c6e6ca903221dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Filesize
1.9MB

MD5
ddd2bfdbf333b9733bf0aef118755436

SHA1
f95de679c80387ca9d7fecd5852207a19faca134

SHA256
01d541dd10443cb6a162528ce488fd10f9423d8cab3b266d83744e95e421b493

SHA512
e1fa7109085bbb267bf6f7dee1933455dba6e8f468a849d973e6a45701d944c3b10a326c2f06ae7f76f65aec5f16893764aaee6064ad8c5abe5f9e5845e95c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Neles Skinchanger 0.28.1.exe
Filesize
3.4MB

MD5
d71856077c8268fdd17a3fe06b85c6ca

SHA1
03c938a15ff8a729a125e038c935302cd7cca6bd

SHA256
5bf415b23817d70fd384d1fcd9634c7a9301341083fb3ed48c57c477f58cef9e

SHA512
f1f1d03059b3a2553b253f69f8a5540876e75ed8460e5ef5e6c7ec808ce1b47f930684e90bb774ea1d239bcab39950a75430e4dc9746ea03d44d33d4b37806da

Download Submit
memory/1448-19-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/1772-30-0x00007FF9A1350000-0x00007FF9A1E11000-memory.dmp

Filesize
10.8MB

Download
memory/1772-21-0x0000018D696C0000-0x0000018D696D0000-memory.dmp

Filesize
64KB

Download
memory/1772-20-0x00007FF9A1350000-0x00007FF9A1E11000-memory.dmp

Filesize
10.8MB

Download
memory/1772-18-0x0000018D66BA0000-0x0000018D66F18000-memory.dmp

Filesize
3.5MB

Download
memory/4176-36-0x00007FF9A0250000-0x00007FF9A0D11000-memory.dmp

Filesize
10.8MB

Download
memory/4176-37-0x0000000000F30000-0x00000000010D2000-memory.dmp

Filesize
1.6MB

Download
memory/4176-38-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download
memory/4176-39-0x00000000031F0000-0x00000000031FE000-memory.dmp

Filesize
56KB

Download
memory/4176-41-0x00007FF9A0250000-0x00007FF9A0D11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads