dcrat | b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb

General

Target

b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
Size

827KB
MD5

582c913be188005eda626aa5b6934e64
SHA1

da0e36b1d48501386a2392c801dd5401946a3450
SHA256

b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb
SHA512

b9a9d60263b0a24317e2ec3842165da52a4c747684276a4ca90a780ec32e2f3fc2d52a60304d05f2d4e22f6eb3fb5432adbf38dfff3e5c647a5f187ce9d3b495
SSDEEP

12288:azqajGp5VwujJnmtVHGJQChr6UHR4leVr8+VA7qHnkGyTbJ9fztDsJUU:azqaji+uj5mtRCherled8+6ocVNzlsH

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1316	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1316	schtasks.exe	28

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-1-0x0000000000F90000-0x0000000001066000-memory.dmp	dcrat
behavioral1/files/0x0006000000014bd7-11.dat	dcrat
behavioral1/memory/2892-19-0x0000000001320000-0x00000000013F6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2892	smss.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\explorer.exe	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
File created	C:\Program Files\7-Zip\Lang\7a0fd90576e088	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\7ed7544c2c03c6	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
File created	C:\Program Files (x86)\Google\csrss.exe	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
File created	C:\Program Files (x86)\Google\886983d96e3d3e	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\taskhost.exe	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
File created	C:\Windows\Tasks\b75386f1303e64	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe
2696	schtasks.exe
2568	schtasks.exe
2404	schtasks.exe
2520	schtasks.exe
1324	schtasks.exe
1832	schtasks.exe
1952	schtasks.exe
2608	schtasks.exe
2756	schtasks.exe
2716	schtasks.exe
852	schtasks.exe
2232	schtasks.exe
2728	schtasks.exe
2448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
2892	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
Token: SeDebugPrivilege	2892	smss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2892	2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe	44
PID 2364 wrote to memory of 2892	2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe	44
PID 2364 wrote to memory of 2892	2364	b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe
"C:\Users\Admin\AppData\Local\Temp\b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\All Users\Documents\smss.exe
  "C:\Users\All Users\Documents\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fbb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fbb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\taskhost.exe

Filesize
827KB

MD5
582c913be188005eda626aa5b6934e64

SHA1
da0e36b1d48501386a2392c801dd5401946a3450

SHA256
b01c6743c332dac114f0126e5b03a64aca44b02cc1168f381bbec7f1d7d713fb

SHA512
b9a9d60263b0a24317e2ec3842165da52a4c747684276a4ca90a780ec32e2f3fc2d52a60304d05f2d4e22f6eb3fb5432adbf38dfff3e5c647a5f187ce9d3b495

Download Submit
memory/2364-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x0000000000F90000-0x0000000001066000-memory.dmp

Filesize
856KB

Download
memory/2364-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-20-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-19-0x0000000001320000-0x00000000013F6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads