dcrat | 7c88a47aa0a37c29edf210441cb12fab86f1fcc4bb087e088c06d4c610a72c8a

General

Target

06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe
Size

2.6MB
MD5

06c91ad7df2a32a919f28d8490a5cd60
SHA1

6216c2548a6991d57a8b8c47592ade54f6dcf7ad
SHA256

7c88a47aa0a37c29edf210441cb12fab86f1fcc4bb087e088c06d4c610a72c8a
SHA512

12c8c3d00087379077dc0ab9e4a7496959f2c829fab6dad29c372be3c74da298b184c22b616400481eaa6f1c3e2786cb1c2c995a8d19cbe58a50a3bec417c922
SSDEEP

49152:OGgiFFFV8+yrRGvGNXqOphUop06sDnvR2w1Sgh9Xb3PUvDRyaETkIfp:OviFFr6RGvAZhUop0Lx1R9Xb3c93ETkg

Score

10^/10

dcrat zgrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/3040-0-0x0000000000400000-0x0000000000697000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3040-0-0x0000000000400000-0x0000000000697000-memory.dmp	dcrat
behavioral1/files/0x000b000000015d61-3.dat	dcrat
behavioral1/files/0x0007000000016a28-32.dat	dcrat
behavioral1/memory/2452-35-0x0000000000CE0000-0x0000000000E6C000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
3064	K-g3n.exe
2520	Solara.exe
2452	AgentDhcp.exe

Loads dropped DLL 5 IoCs

pid	Process
3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe
3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe
2520	Solara.exe
2396	cmd.exe
2396	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	AgentDhcp.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3064	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	28
PID 3040 wrote to memory of 3064	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	28
PID 3040 wrote to memory of 3064	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	28
PID 3040 wrote to memory of 3064	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	28
PID 3040 wrote to memory of 2520	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	29
PID 3040 wrote to memory of 2520	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	29
PID 3040 wrote to memory of 2520	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	29
PID 3040 wrote to memory of 2520	3040	06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe	29
PID 3064 wrote to memory of 2384	3064	K-g3n.exe	30
PID 3064 wrote to memory of 2384	3064	K-g3n.exe	30
PID 3064 wrote to memory of 2384	3064	K-g3n.exe	30
PID 3064 wrote to memory of 2384	3064	K-g3n.exe	30
PID 2520 wrote to memory of 2708	2520	Solara.exe	31
PID 2520 wrote to memory of 2708	2520	Solara.exe	31
PID 2520 wrote to memory of 2708	2520	Solara.exe	31
PID 2384 wrote to memory of 2396	2384	WScript.exe	32
PID 2384 wrote to memory of 2396	2384	WScript.exe	32
PID 2384 wrote to memory of 2396	2384	WScript.exe	32
PID 2384 wrote to memory of 2396	2384	WScript.exe	32
PID 2396 wrote to memory of 2452	2396	cmd.exe	34
PID 2396 wrote to memory of 2452	2396	cmd.exe	34
PID 2396 wrote to memory of 2452	2396	cmd.exe	34
PID 2396 wrote to memory of 2452	2396	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06c91ad7df2a32a919f28d8490a5cd60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\K-g3n.exe
  "C:\Users\Admin\AppData\Local\Temp\K-g3n.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ServerbrokerHost\7zpu6HXP6i.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ServerbrokerHost\qQ4nM.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\ServerbrokerHost\AgentDhcp.exe
        
        "C:\ServerbrokerHost\AgentDhcp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2520 -s 620
    3⤵
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ServerbrokerHost\7zpu6HXP6i.vbe

Filesize
198B

MD5
543bfebe9dc3c79fc4858ba03fab092e

SHA1
d3c8e238fd5808a9aab44927916688c12c27175c

SHA256
1e09eb7ec0fb1cf64b51d9b54a3480f3e58607685551e750d3250fe9ad301b34

SHA512
2ec16c950b5536f756a718ecb6acfcb212362be2ca2fb2a326deb6080a3f3e7cdea83c6d99d376d8a55c28e10d72cbd31befe48b11f48746705b46c8d197b17a

Download Submit
C:\ServerbrokerHost\AgentDhcp.exe

Filesize
1.5MB

MD5
e0aecee17a08239dbb095f5b4c46a23d

SHA1
7d719a103ec697c84551b0a2af42606b16592875

SHA256
5bf11d3c375d3da1373ad03ad9a46cef3a1ae0c42f2cd552c60a9827527286c1

SHA512
c566ec73edd6c934557cbd2df52f25d72b7509e80e6228d61e3013449685ed34fb4875cb88a3308999ede23f4b12bf133aa5a81cbc7e545715031a456e643b43

Download Submit
C:\ServerbrokerHost\qQ4nM.bat

Filesize
35B

MD5
626f23c4cc33b2e7bde40a75b81f005e

SHA1
325253408a8c5f8e6f7c5deb77134404b2466b6a

SHA256
971717849bc740a88ca581c9f4be51665eac37a01f92b8326f5fd4d9dd0464f0

SHA512
d1344196224c8f28fc5a7d78ec064e2ec5cc109df6e70e7069ccf86a7bdd68bd878abb4c46a140270ddb771d081e95d945771c2d0f09b667f90bb15da3310120

Download Submit
\Users\Admin\AppData\Local\Temp\K-g3n.exe

Filesize
1.8MB

MD5
862b26556a89c1422791a0402f4fc28d

SHA1
eeb5aef89dc84cc2f51d62ecd6dc608a1c16b461

SHA256
1a6c3f9db0a2bbbfe6d09f241d29b628d941417c0676e6f194c46e12da5e5134

SHA512
f3a66d974726ac20e649165f4c77c0b511a0193d4517751b45728525142d73ac67cce028134503764a3ecd889dba33d7a80425eb62a204f7e7d655b5e85d77be

Download Submit
\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
769KB

MD5
91f3d54d71a0751d55fc066d7831f356

SHA1
990c18b063c78cecfac1ae3d870058e5f1619613

SHA256
5b459f91fab604c2630768e0423c7d0004aab701978154e1a1ce8d2460ab945f

SHA512
e40818039bc0855b108d4e4cb703a399ccbdb86c1df577b81cb9e7a07fd588a18e31f3d805af01d3d8e37ecc4a87d819641408526b7ae12a13e981d351528551

Download Submit
\Users\Admin\AppData\Local\Temp\bdfe1398330148c085d9bc6215bd335b\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
memory/2452-35-0x0000000000CE0000-0x0000000000E6C000-memory.dmp

Filesize
1.5MB

Download
memory/2452-36-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2520-29-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/2520-16-0x0000000000B50000-0x0000000000C16000-memory.dmp

Filesize
792KB

Download
memory/2520-14-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2520-37-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/3040-0-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing