dcrat | 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

General

Target

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
Size

46.0MB
MD5

2bdf60ce1391ccc1a829a41c8b531dd5
SHA1

8fecb37b06dd016f820cbc55c1446aa34666bf12
SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
SHA512

0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359
SSDEEP

24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

Score

10^/10

dcrat umbral infostealer rat stealer

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1253005353222668289/_twANrdJlJok9NDlMWHxe2qUewe11QbdTTPK9sqVpjZ9uRjyV2p28YwCPVaWlpRMyL50

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233ff-18.dat	family_umbral
behavioral2/memory/5040-27-0x000002147D090000-0x000002147D0D0000-memory.dmp	family_umbral
behavioral2/memory/4480-29-0x0000000000400000-0x0000000000562000-memory.dmp	family_umbral

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4272	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4272	schtasks.exe	88

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023400-25.dat	dcrat
behavioral2/memory/4480-29-0x0000000000400000-0x0000000000562000-memory.dmp	dcrat
behavioral2/files/0x0007000000023403-42.dat	dcrat
behavioral2/memory/1484-44-0x0000000000D20000-0x0000000000DF6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	8XChecker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	bridgefont.exe

Executes dropped EXE 5 IoCs

pid	Process
3172	X8Checker 2.6.exe
5040	Umbral.exe
212	8XChecker.exe
1484	bridgefont.exe
4484	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	8XChecker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	bridgefont.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4680	schtasks.exe
1572	schtasks.exe
2412	schtasks.exe
4512	schtasks.exe
4140	schtasks.exe
2696	schtasks.exe
1344	schtasks.exe
4604	schtasks.exe
4048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1484	bridgefont.exe
1484	bridgefont.exe
1484	bridgefont.exe
4484	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	Umbral.exe
Token: SeDebugPrivilege	1484	bridgefont.exe
Token: SeDebugPrivilege	4484	csrss.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 3172	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	81
PID 4480 wrote to memory of 3172	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	81
PID 4480 wrote to memory of 3172	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	81
PID 4480 wrote to memory of 5040	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	82
PID 4480 wrote to memory of 5040	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	82
PID 4480 wrote to memory of 212	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	83
PID 4480 wrote to memory of 212	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	83
PID 4480 wrote to memory of 212	4480	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	83
PID 212 wrote to memory of 4016	212	8XChecker.exe	84
PID 212 wrote to memory of 4016	212	8XChecker.exe	84
PID 212 wrote to memory of 4016	212	8XChecker.exe	84
PID 4016 wrote to memory of 4356	4016	WScript.exe	85
PID 4016 wrote to memory of 4356	4016	WScript.exe	85
PID 4016 wrote to memory of 4356	4016	WScript.exe	85
PID 4356 wrote to memory of 1484	4356	cmd.exe	87
PID 4356 wrote to memory of 1484	4356	cmd.exe	87
PID 1484 wrote to memory of 3968	1484	bridgefont.exe	98
PID 1484 wrote to memory of 3968	1484	bridgefont.exe	98
PID 3968 wrote to memory of 4040	3968	cmd.exe	100
PID 3968 wrote to memory of 4040	3968	cmd.exe	100
PID 3968 wrote to memory of 4484	3968	cmd.exe	101
PID 3968 wrote to memory of 4484	3968	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
  "C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Reviewwinbrokernet\bridgefont.exe
        
        "C:\Reviewwinbrokernet\bridgefont.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XPHLZFCewE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4040
        
        C:\Users\Public\Documents\csrss.exe
        
        "C:\Users\Public\Documents\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Reviewwinbrokernet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Reviewwinbrokernet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

Filesize
224B

MD5
d0546d4e82d204a215d2202b8122bebf

SHA1
b4b1c33b5104d1d003670c341908a01cc0a4a09b

SHA256
6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756

SHA512
91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

Download Submit
C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

Filesize
38B

MD5
5ca65390126e266243ff3881f9cfb3f2

SHA1
228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6

SHA256
ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54

SHA512
4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

Download Submit
C:\Reviewwinbrokernet\bridgefont.exe

Filesize
828KB

MD5
b5c2e9124dfa9d37f7b2032b94127a37

SHA1
3f162c1dff58ff017d4a95540a220b7355765eb6

SHA256
15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876

SHA512
edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

Filesize
1.1MB

MD5
562a032b64898a5f86890120f1a6872b

SHA1
2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a

SHA256
bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3

SHA512
871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
ec2aed743841885a579338921df5073b

SHA1
8167b69da03e79cc4d013f2b1e2c972a9fa15296

SHA256
f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b

SHA512
aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

Filesize
9KB

MD5
26abb9e459e5976f658ce80d6433f1b1

SHA1
3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

SHA256
60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

SHA512
c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPHLZFCewE.bat

Filesize
200B

MD5
8f3dd6283bcedb82b5e12ce9cff07609

SHA1
afad680c3cf6117bc6a88e81c55ab6480958a221

SHA256
20e79ab27add805c5b95c9d9bef6c609c3bbd21d0cf859477fa4dbe0dbdc5407

SHA512
cb25c6c0c465be2379ac9060962b3169b2ff1b2ba6c3762a7ad3613041962a798e2b7c82f3194b1fa1a76fcece1ef6cc6dfc431a065eced637c6c73a172ba9c0

Download Submit
memory/1484-44-0x0000000000D20000-0x0000000000DF6000-memory.dmp

Filesize
856KB

Download
memory/3172-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4480-29-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/5040-31-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/5040-27-0x000002147D090000-0x000002147D0D0000-memory.dmp

Filesize
256KB

Download
memory/5040-23-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

Filesize
8KB

Download
memory/5040-60-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads