dcrat | 28811102826496a523a7d4a1ad7e172cdc9cc9e68475e2022884c06daf99fed4

General

Target

DCRatBuild.exe
Size

2.7MB
MD5

a6216891da5db0b3fc6a0b45df02109d
SHA1

fb31e60c08195e8587e9bd8de5ce13832832b7f3
SHA256

28811102826496a523a7d4a1ad7e172cdc9cc9e68475e2022884c06daf99fed4
SHA512

e00276c11a89ded1c29f0629e1735c6aa9c52a80b96d051c9a3e1e5a8d3b595be3653957abb6f5c60c361379c6d387891924237c1d0bcab6013cfee6021b2cae
SSDEEP

49152:UbA30juPXAT7byyJGjvN/WXOTE2xNAJ3CMKplFYhb4k:Ub2PXATvGB/DIoN0hKMH

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\surrogateBrowser\componentperf.exe	dcrat
behavioral2/memory/2360-13-0x0000000000FA0000-0x0000000001210000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DCRatBuild.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

componentperf.exe

pid process

2360 componentperf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2360	componentperf.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeDCRatBuild.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

DCRatBuild.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings DCRatBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

componentperf.exe

description pid process

Token: SeDebugPrivilege 2360 componentperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	DCRatBuild.exe

description	pid	process
Token: SeDebugPrivilege	2360	componentperf.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DCRatBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 3240 wrote to memory of 4580	3240	DCRatBuild.exe	WScript.exe
PID 3240 wrote to memory of 4580	3240	DCRatBuild.exe	WScript.exe
PID 3240 wrote to memory of 4580	3240	DCRatBuild.exe	WScript.exe
PID 4580 wrote to memory of 2328	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2328	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2328	4580	WScript.exe	cmd.exe
PID 2328 wrote to memory of 2360	2328	cmd.exe	componentperf.exe
PID 2328 wrote to memory of 2360	2328	cmd.exe	componentperf.exe

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateBrowser\X0ZR9XyVuCivKGwPlccHfjYM.vbe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\surrogateBrowser\9fi0JvYhY1MK2Tx.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328

C:\surrogateBrowser\componentperf.exe
"C:\surrogateBrowser\componentperf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\surrogateBrowser\9fi0JvYhY1MK2Tx.bat

Filesize
39B

MD5
cc69ff276bc01cf713869de612989b6e

SHA1
68bf9bcbd1b73b192291e35cb5fc1398362c97b1

SHA256
bc399373baab928a60d2b9e99ef09c1bf87d6978ed27b80aedb83d355d38aa67

SHA512
f6e304dbec4185ff84309d2138f8823c02e8690074fdbfd560d7559b05916d6ab5c820344a5a5006d55236fa19d3338b2ee6d01cbe831ed170fd4bed22772a1c

Download Submit
C:\surrogateBrowser\X0ZR9XyVuCivKGwPlccHfjYM.vbe

Filesize
208B

MD5
0f9b26eeecba44fedf3fe1b2c0b0ff4a

SHA1
d6358f84dafbaa9adf6f341795e9bfaf8fa261cf

SHA256
ed0fa5bb902eb434235ea76cf6204c60632a4cdfd131b2110fed576f1bf7ce39

SHA512
319e5f8ca0341714504b86f878049091e4e6968c5b6a17cb80d54e2763e589c89fb94dff9b3215abf6178733ad6e4e485c51d992950a40bf9ebfa7ef134dad3d

Download Submit
C:\surrogateBrowser\componentperf.exe

Filesize
2.4MB

MD5
63bd7eb2d20f013248a886ef716416ba

SHA1
fdf7730ecbd60b20f351591a99feba678e8d2936

SHA256
d8b8dd9728ceaef91c2308f5897e2d2d0c375875499c310d425fcef51865bdd0

SHA512
a65c7133caec54e77e0e38a1252b3e6575fc6e6742aba42772d6529fc7a25c4b558cec98d466e7e7eabc0fa4b94c8004042e26ac246f24415c7b98fbede6d5cb

Download Submit
memory/2360-12-0x00007FF91D833000-0x00007FF91D835000-memory.dmp

Filesize
8KB

Download
memory/2360-13-0x0000000000FA0000-0x0000000001210000-memory.dmp

Filesize
2.4MB

Download
memory/2360-14-0x0000000001A50000-0x0000000001A5E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads