Malware Analysis Report

2024-11-13 13:43

Sample ID 240515-z96j7sda64
Target 3d71f1e177234c396f2a5d7d852a2376.exe
SHA256 c0db54d6ec9c0e2310d4c8bfd1739f079a0fd85adcf088ff8876f54485a61f2c
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0db54d6ec9c0e2310d4c8bfd1739f079a0fd85adcf088ff8876f54485a61f2c

Threat Level: Known bad

The file 3d71f1e177234c396f2a5d7d852a2376.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Dcrat family

DcRat

DCRat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 21:26

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 21:26

Reported

2024-05-15 21:28

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe

"C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DCRAT\u3Ah4o8.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DCRAT\VmabnRVk3Q0Z4Rsmx4y.bat" "

C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe

"C:\Users\Admin\AppData\Roaming\\DCRAT\RAT.exe"
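
The process list above records the chain dropper -> WScript.exe (u3Ah4o8.vbe) -> cmd.exe (VmabnRVk3Q0Z4Rsmx4y.bat) -> RAT.exe, with every dropped file under %APPDATA%\DCRAT. The following is an added detection example, not part of the sandbox report and not DCRat tooling. It runs over process-creation events constructed to mirror this tree: the images and command lines are the report's, all PIDs except 4428 are invented, and the field names pid/ppid/image/cmdline are assumptions about whatever Sysmon or EDR feed would actually be queried.

```python
"""Flag the script-host drop-and-execute chain seen in the Processes list.

Added example; not part of the sandbox report and not DCRat tooling.
EVENTS is constructed to mirror the report's process tree: the images and
command lines are the report's, PIDs other than 4428 are invented, and the
field names (pid, ppid, image, cmdline) are assumptions about whatever
Sysmon/EDR process-creation feed you would really query.
"""
import ntpath
import re

EVENTS = [
    {"pid": 100, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe"'},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DCRAT\u3Ah4o8.vbe"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DCRAT\VmabnRVk3Q0Z4Rsmx4y.bat" "'},
    {"pid": 4428, "ppid": 300,
     "image": r"C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\\DCRAT\RAT.exe"'},
    # Constructed benign control: a script run from a non-user-writable path.
    {"pid": 500, "ppid": 1,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\setup.vbs"'},
]

# Directories an unprivileged user can write to; a payload staged there and
# launched through a script host is the pattern this report documents.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# A drive-letter path ending in a script extension. Matching by extension
# rather than splitting on quotes is deliberate: cmd was invoked with the
# doubled-quote form  /c ""path" "  which naive quote parsing gets wrong.
SCRIPT_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:vbe|vbs|js|jse|wsf|bat|cmd)\b', re.IGNORECASE)


def script_payload(event):
    """Path of the script a script host was asked to run, or None."""
    if ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_PATH.search(event["cmdline"])
    return m.group(0) if m else None


def ancestry(event, by_pid):
    """Image basenames from the event up through its known parents."""
    chain, cur = [], event
    while cur is not None:
        chain.append(ntpath.basename(cur["image"]).lower())
        cur = by_pid.get(cur["ppid"])
    return chain


def find_drop_chain(events):
    """Return (kind, pid, detail) findings for two linked behaviours:
    a script host running a script from a user-writable directory, and an
    EXE in a user-writable directory whose ancestors include a script host."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        script = script_payload(e)
        if script and USER_WRITABLE.search(script):
            findings.append(("script_from_user_dir", e["pid"], script))
        image = e["image"]
        if image.lower().endswith(".exe") and USER_WRITABLE.search(image):
            chain = ancestry(e, by_pid)
            if any(host in chain[1:] for host in SCRIPT_HOSTS):
                findings.append(("exe_spawned_via_script_host", e["pid"], " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in find_drop_chain(EVENTS):
        print(f"{kind:<30} pid={pid:<5} {detail}")
```

Two details of the report shape the matching. The image paths are under SysWOW64 while the command lines name System32: the 32-bit dropper's calls are subject to WoW64 file system redirection, so match on the image basename rather than the full path. And the benign control (a script under Program Files) produces no finding, because the user-writable-directory condition is what separates this chain from ordinary script use.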

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cz63343.tw1.ru udp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
US 8.8.8.8:53 232.247.114.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
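
Most rows in the table above are PTR queries to the resolver (the in-addr.arpa names are reverse lookups of addresses the VM contacted) and are not indicators on their own; the sample's own traffic is the forward lookup of cz63343.tw1.ru and the six TCP connections to 185.114.247.232:80. The following added example, not part of the report, separates the two mechanically. ROWS is this table copied as-is (the behavioral1 table below contains a subset of the same rows), and the resolver address 8.8.8.8:53 is taken from the table.

```python
"""Sort the Network table into C2 indicators and sandbox lookup noise.

Added example; not part of the report. ROWS is the behavioral2 Network table
copied verbatim; the column names are the report's own. The resolver
address defaults to the one the table shows.
"""
import ipaddress
from collections import Counter

ROWS = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.197.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "cz63343.tw1.ru", "udp"),
    ("RU", "185.114.247.232:80", "cz63343.tw1.ru", "tcp"),
    ("RU", "185.114.247.232:80", "cz63343.tw1.ru", "tcp"),
    ("US", "8.8.8.8:53", "232.247.114.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "31.121.18.2.in-addr.arpa", "udp"),
    ("RU", "185.114.247.232:80", "cz63343.tw1.ru", "tcp"),
    ("RU", "185.114.247.232:80", "cz63343.tw1.ru", "tcp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ("RU", "185.114.247.232:80", "cz63343.tw1.ru", "tcp"),
    ("RU", "185.114.247.232:80", "cz63343.tw1.ru", "tcp"),
]


def ptr_target(name):
    """The IPv4 address a reverse-DNS (PTR) name refers to, else None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows, resolver="8.8.8.8:53"):
    """Split rows into: c2 (domain -> set of ip:port actually connected to),
    ptr_lookups (addresses the VM reverse-resolved; not indicators by
    themselves) and connections (count per destination)."""
    c2, ptr_lookups, connections = {}, set(), Counter()
    for _country, dest, domain, proto in rows:
        if dest == resolver and proto == "udp":
            addr = ptr_target(domain)
            if addr:
                ptr_lookups.add(addr)
            else:
                # Forward lookup: the sample asked for this name itself.
                c2.setdefault(domain, set())
            continue
        connections[dest] += 1
        c2.setdefault(domain, set()).add(dest)
    return {"c2": c2, "ptr_lookups": ptr_lookups, "connections": connections}


def iocs(rows):
    """Deduplicated names and addresses for a blocklist, excluding the
    resolver and the reverse-lookup noise."""
    result = triage(rows)
    out = set(result["c2"])
    for dests in result["c2"].values():
        out.update(dest.rsplit(":", 1)[0] for dest in dests)
    return sorted(out)


def c2_reverse_lookups(rows):
    """C2 addresses the VM also reverse-resolved: a cross-check that the
    PTR noise and the TCP connections describe the same infrastructure."""
    result = triage(rows)
    c2_addrs = {d.rsplit(":", 1)[0] for dests in result["c2"].values() for d in dests}
    return sorted(c2_addrs & result["ptr_lookups"])


if __name__ == "__main__":
    print(iocs(ROWS), c2_reverse_lookups(ROWS))
```

Note that one of the PTR names, 232.247.114.185.in-addr.arpa, is the reverse of the C2 address itself; c2_reverse_lookups surfaces that overlap, which is the only thing the reverse lookups tell you about the attacker infrastructure.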

Files

C:\Users\Admin\AppData\Roaming\DCRAT\u3Ah4o8.vbe

MD5 d25609d0ea00bd9b4034f6c115d73176
SHA1 9b4e9ce99da10017399de6ef8d9ac055f1f6fb5f
SHA256 1be67ff6caccef7bc37346582d6ee3ffec585ce4a139c23a4d8fa1a2cad0836e
SHA512 c976d90d4b8f2d8aa7f8810e858acc13d51b2eb366fc1780145d24ded22fcb32c08bdb275db29d414cb217e4591fa821a42984149b1072660d28af2932348221

C:\Users\Admin\AppData\Roaming\DCRAT\VmabnRVk3Q0Z4Rsmx4y.bat

MD5 6938225aa9b06be749c03e2ed1d0a8a1
SHA1 9c18762161a7b0fb2ba460d649fa3797d6b048e3
SHA256 298f4bc92dc502984c2b53207f096788fd77e095ca3f66a512a49ff2d8fd6b59
SHA512 1be9139357b9ffe68a36bf4ba59141b9940ff5f54caa331bdcfe046f52a1f973542b54d2c383e9dea8ea01b4f3154d74d5c7a2af71910d9414ef79ff20d41327

C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe

MD5 4cf21cf4fe938861269eee0dce7ab40a
SHA1 8edccf6b4ce1a73419d25632d9707d1e473bfedc
SHA256 267c6d4e9f47e320bc83d14ae62a3b3942b5bc52271981a62634be7859d3e41a
SHA512 c5cdf840d65ab2e78480c1a172250696860a70953dade41463352d47f89183c40c15d0672c9268fea68711eb432ff5167189de0bac90fc83b81d563a808f2879

memory/4428-12-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp

memory/4428-13-0x0000000000800000-0x0000000000924000-memory.dmp

memory/4428-14-0x0000000001380000-0x000000000139C000-memory.dmp

memory/4428-16-0x000000001B500000-0x000000001B516000-memory.dmp

memory/4428-15-0x000000001BC20000-0x000000001BC70000-memory.dmp

memory/4428-17-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 21:26

Reported

2024-05-15 21:28

Platform

win7-20240221-en

Max time kernel

119s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe

"C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DCRAT\u3Ah4o8.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\DCRAT\VmabnRVk3Q0Z4Rsmx4y.bat" "

C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe

"C:\Users\Admin\AppData\Roaming\\DCRAT\RAT.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cz63343.tw1.ru udp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp
RU 185.114.247.232:80 cz63343.tw1.ru tcp

Files

C:\Users\Admin\AppData\Roaming\DCRAT\u3Ah4o8.vbe

MD5 d25609d0ea00bd9b4034f6c115d73176
SHA1 9b4e9ce99da10017399de6ef8d9ac055f1f6fb5f
SHA256 1be67ff6caccef7bc37346582d6ee3ffec585ce4a139c23a4d8fa1a2cad0836e
SHA512 c976d90d4b8f2d8aa7f8810e858acc13d51b2eb366fc1780145d24ded22fcb32c08bdb275db29d414cb217e4591fa821a42984149b1072660d28af2932348221

C:\Users\Admin\AppData\Roaming\DCRAT\VmabnRVk3Q0Z4Rsmx4y.bat

MD5 6938225aa9b06be749c03e2ed1d0a8a1
SHA1 9c18762161a7b0fb2ba460d649fa3797d6b048e3
SHA256 298f4bc92dc502984c2b53207f096788fd77e095ca3f66a512a49ff2d8fd6b59
SHA512 1be9139357b9ffe68a36bf4ba59141b9940ff5f54caa331bdcfe046f52a1f973542b54d2c383e9dea8ea01b4f3154d74d5c7a2af71910d9414ef79ff20d41327

C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe

MD5 4cf21cf4fe938861269eee0dce7ab40a
SHA1 8edccf6b4ce1a73419d25632d9707d1e473bfedc
SHA256 267c6d4e9f47e320bc83d14ae62a3b3942b5bc52271981a62634be7859d3e41a
SHA512 c5cdf840d65ab2e78480c1a172250696860a70953dade41463352d47f89183c40c15d0672c9268fea68711eb432ff5167189de0bac90fc83b81d563a808f2879

memory/2692-13-0x00000000001B0000-0x00000000002D4000-memory.dmp

memory/2692-14-0x0000000000190000-0x00000000001AC000-memory.dmp

memory/2692-15-0x00000000003E0000-0x00000000003F6000-memory.dmp
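
The memory dumps listed for behavioral2 (PID 4428, Windows 10) and for behavioral1 (PID 2692, Windows 7, immediately above) are named by process, sequence number and address range. Three regions have identical sizes in both runs (0x124000, 0x1C000 and 0x16000 bytes) at different addresses, which is consistent with the same modules or allocations being present in both detonations; the 8 KB region at 0x7FFBA3163000 was captured twice in the Windows 10 run. The added example below, not part of the report, parses the names and makes those comparisons; the pid-seq-start-end layout of the name is inferred from the names themselves.

```python
"""Compare the memory-dump regions listed for the two detonations.

Added example; not part of the report. The dump names are copied from the
Files sections of behavioral2 (PID 4428) and behavioral1 (PID 2692); the
pid-seq-start-end layout of the name is inferred from those names.
"""
import re
from collections import Counter

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

WIN10_DUMPS = [
    "memory/4428-12-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp",
    "memory/4428-13-0x0000000000800000-0x0000000000924000-memory.dmp",
    "memory/4428-14-0x0000000001380000-0x000000000139C000-memory.dmp",
    "memory/4428-16-0x000000001B500000-0x000000001B516000-memory.dmp",
    "memory/4428-15-0x000000001BC20000-0x000000001BC70000-memory.dmp",
    "memory/4428-17-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp",
]
WIN7_DUMPS = [
    "memory/2692-13-0x00000000001B0000-0x00000000002D4000-memory.dmp",
    "memory/2692-14-0x0000000000190000-0x00000000001AC000-memory.dmp",
    "memory/2692-15-0x00000000003E0000-0x00000000003F6000-memory.dmp",
]


def parse_dump(name):
    """Split a dump name into pid, seq, start, end and size (bytes)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def shared_sizes(names_a, names_b):
    """Region sizes present in both dump lists, ascending. Equal-sized
    regions at different addresses are the usual sign of the same module or
    allocation in both runs: ASLR moves the base, the size stays."""
    sizes_a = {parse_dump(n)["size"] for n in names_a}
    sizes_b = {parse_dump(n)["size"] for n in names_b}
    return sorted(sizes_a & sizes_b)


def duplicate_regions(names):
    """(start, end) of regions dumped more than once within one run."""
    counts = Counter((d["start"], d["end"]) for d in map(parse_dump, names))
    return sorted(region for region, n in counts.items() if n > 1)


if __name__ == "__main__":
    print([hex(s) for s in shared_sizes(WIN10_DUMPS, WIN7_DUMPS)])
    print([(hex(a), hex(b)) for a, b in duplicate_regions(WIN10_DUMPS)])
```

The 0x124000-byte region is the largest in both runs and is the natural first candidate to carve for the DCRat payload the signatures report; the sizes alone do not prove identity, so compare the dumps' contents before relying on the match.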