dcrat | dec093070d245723af3d5a631e72b6ff1303b4e1a862b6edc95915cf8f863f9d

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27-05-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRat.exe
Size

6.9MB
MD5

00d9d8efbbc40085276b347014d676cb
SHA1

2f170d5a165cb799ae6abca04995ac7a5f2db3ac
SHA256

dec093070d245723af3d5a631e72b6ff1303b4e1a862b6edc95915cf8f863f9d
SHA512

780cf48eeaafb2533ae49dc9515e33530b1a0c194da80275436ce5fd642b927e7e101c3fad9c4e0cc23ea30def9bd5c706252bff48d5c03e0a19e2d2aad80a89
SSDEEP

196608:aUI3ljBj/NBM6I059onJ5hrZEnyiU8AdZYJERurTb:qVjBj1iw9c5hlEXAdZYygr/

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\DCRat.exe	dcrat
C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe	dcrat
behavioral1/memory/3916-62-0x0000000000880000-0x0000000000A96000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

DCRat.exeDCRat1.exeSavesMonitor.exe

pid process

3280 DCRat.exe
3100 DCRat1.exe
3916 SavesMonitor.exe
Loads dropped DLL 4 IoCs

Processes:

DCRat.exe

pid process

2500 DCRat.exe
2500 DCRat.exe
2500 DCRat.exe
2500 DCRat.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1892 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

DCRat.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings DCRat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SavesMonitor.exe

description pid process

Token: SeDebugPrivilege 3916 SavesMonitor.exe

pid	process
3280	DCRat.exe
3100	DCRat1.exe
3916	SavesMonitor.exe

pid	process
2500	DCRat.exe
2500	DCRat.exe
2500	DCRat.exe
2500	DCRat.exe

pid	process
1892	icacls.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	DCRat.exe

description	pid	process
Token: SeDebugPrivilege	3916	SavesMonitor.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

DCRat.exeDCRat.execmd.exeDCRat.execmd.exeDCRat1.exejavaw.exeWScript.execmd.exe

description	pid	process	target process
PID 3564 wrote to memory of 2500	3564	DCRat.exe	DCRat.exe
PID 3564 wrote to memory of 2500	3564	DCRat.exe	DCRat.exe
PID 2500 wrote to memory of 1376	2500	DCRat.exe	cmd.exe
PID 2500 wrote to memory of 1376	2500	DCRat.exe	cmd.exe
PID 1376 wrote to memory of 3280	1376	cmd.exe	DCRat.exe
PID 1376 wrote to memory of 3280	1376	cmd.exe	DCRat.exe
PID 1376 wrote to memory of 3280	1376	cmd.exe	DCRat.exe
PID 3280 wrote to memory of 2400	3280	DCRat.exe	WScript.exe
PID 3280 wrote to memory of 2400	3280	DCRat.exe	WScript.exe
PID 3280 wrote to memory of 2400	3280	DCRat.exe	WScript.exe
PID 2500 wrote to memory of 5032	2500	DCRat.exe	cmd.exe
PID 2500 wrote to memory of 5032	2500	DCRat.exe	cmd.exe
PID 5032 wrote to memory of 3100	5032	cmd.exe	DCRat1.exe
PID 5032 wrote to memory of 3100	5032	cmd.exe	DCRat1.exe
PID 5032 wrote to memory of 3100	5032	cmd.exe	DCRat1.exe
PID 3100 wrote to memory of 436	3100	DCRat1.exe	javaw.exe
PID 3100 wrote to memory of 436	3100	DCRat1.exe	javaw.exe
PID 436 wrote to memory of 1892	436	javaw.exe	icacls.exe
PID 436 wrote to memory of 1892	436	javaw.exe	icacls.exe
PID 2400 wrote to memory of 2264	2400	WScript.exe	cmd.exe
PID 2400 wrote to memory of 2264	2400	WScript.exe	cmd.exe
PID 2400 wrote to memory of 2264	2400	WScript.exe	cmd.exe
PID 2264 wrote to memory of 3916	2264	cmd.exe	SavesMonitor.exe
PID 2264 wrote to memory of 3916	2264	cmd.exe	SavesMonitor.exe

C:\Users\Admin\AppData\Local\Temp\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\DCRat.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\DCRat.exe
C:\\DCRat.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Serverfontwininto\oYDSY0JCnrsd7g.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Serverfontwininto\jJZf28BLIdI.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe
"C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\DCRat1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\DCRat1.exe
C:\\DCRat1.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
5⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
6⤵
- Modifies file permissions
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DCRat.exe
Filesize
2.4MB

MD5
5d02471f99d435bd5f26e0d2a7eb0c09

SHA1
aa1a74f0fea0a14fc1b0f57d60d62d69c3011c51

SHA256
114fbc3713a4e5793955d39e818aaf83f007a3065c3b268e4c123f1884b5f4d1

SHA512
ca60f4ddcb7841bf79e78d5d9b37e174109fb74c4881cd684e025988ed0798af60bced6aed6728390547e3f2bc1299744c850cddd03babcbabaf9fadea9ccbd5

Download Submit
C:\DCRat1.exe
Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
2bee3f9785c4c646d7ee0c0338300aeb

SHA1
2343d0ba8ff3d112ba10081d31cb7d44098ae083

SHA256
63a78a789957aab1a65307349e5cd76ddb2f30f5620924f971c26d47e98329bc

SHA512
3ef3318e1df9cd13638145d019767554f16ce910175b19c90681f7133e5f60218a5a6e4892e77fb081c2b27c93196a178e4b0664ffeb5f5469171aca38520006

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\VCRUNTIME140.dll
Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_bz2.pyd
Filesize
83KB

MD5
6c7565c1efffe44cb0616f5b34faa628

SHA1
88dd24807da6b6918945201c74467ca75e155b99

SHA256
fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a

SHA512
822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_decimal.pyd
Filesize
264KB

MD5
ce4df4dfe65ab8dc7ae6fcdebae46112

SHA1
cdbbfda68030394ac90f6d6249d6dd57c81bc747

SHA256
ffbe84f0a1eab363ca9cf73efb7518f2abd52c0893c7cc63266613c930855e96

SHA512
fc8e39942e46e4494356d4a45257b657495cbfa20e9d67850627e188f70b149e22603ae4801b4ba7b9a04d201b3787899d2aee21565237d18e0afce9bae33ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_hashlib.pyd
Filesize
63KB

MD5
f377a418addeeb02f223f45f6f168fe6

SHA1
5d8d42dec5d08111e020614600bbf45091c06c0b

SHA256
9551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac

SHA512
6f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_lzma.pyd
Filesize
157KB

MD5
b5355dd319fb3c122bb7bf4598ad7570

SHA1
d7688576eceadc584388a179eed3155716c26ef5

SHA256
b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5

SHA512
0e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_socket.pyd
Filesize
77KB

MD5
f5dd9c5922a362321978c197d3713046

SHA1
4fbc2d3e15f8bb21ecc1bf492f451475204426cd

SHA256
4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626

SHA512
ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\base_library.zip
Filesize
822KB

MD5
077f614c0d45a14b87aa769da7277165

SHA1
edd2f5a6bfffc3b5b7705fa179054ee4c46617f1

SHA256
1888bebd2e4d139168e11ce69b9100e4f6d6fa038436155adbdcd2bede8419a3

SHA512
d46896f4a1a50ca660c5b1b2825e39883535dc6bafb3c64da5b185e05197f1b1d319c26fb9d875d70ead73ea2d7dcc02fa5bc3e22187bf65278493dcc951ad1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\dist.zip
Filesize
1.8MB

MD5
6818b5581ade91261f4cee9790de4f4f

SHA1
bd1a37be5c061c0fdabb89d816e67878c682b82d

SHA256
41913157869046fb079d615d9235bbc50e067c8b9224a33140daca839bf8a12b

SHA512
f1382bc2280abfa432d1a8e8175065a7fe87ae0e5c0dc5bb4e1a3165fcfc47c1bfb51297cf627e616cf0693cfa203b415cad0f7707c4c6c506fbe77f349ee67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\libcrypto-1_1.dll
Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\python39.dll
Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\select.pyd
Filesize
26KB

MD5
7a442bbcc4b7aa02c762321f39487ba9

SHA1
0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83

SHA256
1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad

SHA512
3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35642\unicodedata.pyd
Filesize
1.1MB

MD5
8320c54418d77eba5d4553a5d6ec27f9

SHA1
e5123cf166229aebb076b469459856a56fb16d7f

SHA256
7e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae

SHA512
b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34

Download Submit
C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe
Filesize
2.1MB

MD5
2f3aa0e8b1045c3497539519fb7e36be

SHA1
40f4f50408fcaaa2de71fd57da0c6cc5ae2ef8ef

SHA256
210257769a3c1ca4c1591fd8db921131acf7278d17363b90f59b388721c38d09

SHA512
34d5f5d863251cc89eb2789fbe0d3a69f70aa1cdcab3c020e1fef3896e5f83bef9e80f25073d9eedeec401e6a0720c5b3259f8e865e29937beaa12d7f071f8e6

Download Submit
C:\Users\Admin\AppData\Roaming\Serverfontwininto\jJZf28BLIdI.bat
Filesize
46B

MD5
aeba5d7e0c5a6f04b45bc8383004531d

SHA1
2f91e08d1632a383dd6762ffa75a6aa0bff4e9ec

SHA256
4d53b4a240c985f76aa022697b58b4e8d0244a59790cb9663f910b69b67de901

SHA512
8a2b1e764602d67e4a53fc28d38c121d6abcad3ff22300a9763c54d87991368b318f0911ab5b3212bc3f476bfb83e64596aba6ad20421fbfc897b2af284b38f0

Download Submit
C:\Users\Admin\AppData\Roaming\Serverfontwininto\oYDSY0JCnrsd7g.vbe
Filesize
212B

MD5
455cb37291d6d11e8838fb81cd7f972a

SHA1
078474190138ac8ee686a023d6dee78d00fa7cb1

SHA256
2f6af207af3395136c1d11d871c10cef47d8f51f152600dbeaef54a5c48a6582

SHA512
32a37258c47e9367d421dc3d90cd86d53338b21f0479184f41d559e14a028bbe5321c76812d80583f0933de8bd6488b2f716cdc77ea59b28a781081f806561c0

Download Submit
memory/436-57-0x00000181EF830000-0x00000181EF831000-memory.dmp

Filesize
4KB

Download
memory/3100-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3916-62-0x0000000000880000-0x0000000000A96000-memory.dmp

Filesize
2.1MB

Download
memory/3916-63-0x0000000002C10000-0x0000000002C1E000-memory.dmp

Filesize
56KB

Download