dcrat | fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee

General

Target

fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe
Size

93KB
MD5

bd3b053452658056878a387afc32144e
SHA1

fd07f4da3e7d3eed99cab4cc64de19d060a1fe2a
SHA256

fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee
SHA512

35aa454e80ee5fb07fdf660bb697d125c352f8b21d30f363d6346ecd9ee0cddb9998cd062de25ffba4c04c26e91244db1480c9144ed3ad2c1d4325badb4040d2
SSDEEP

1536:L+k1GkeUqZJO5iNSimjEwzGi1dDlD5gS:L+PUqZJOQAOi1d52

Score

10^/10

dcrat njrat hacked discovery evasion infostealer persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

id-diesel.gl.at.ply.gg:35584

Mutex

3f091098c711642392fe49448b66f44b

Attributes

reg_key
3f091098c711642392fe49448b66f44b
splitter
|'|'|

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe	dcrat

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

612 netsh.exe
2684 netsh.exe
2372 netsh.exe

pid	process
612	netsh.exe
2684	netsh.exe
2372	netsh.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 2 IoCs

Processes:

server.exetmp6613.tmp.exe

pid process

2760 server.exe
1948 tmp6613.tmp.exe

Loads dropped DLL 3 IoCs

Processes:

fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exeserver.exe

pid	process
1944	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe
1944	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe
2760	server.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exenetsh.exefb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exeserver.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe
2760	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

2760 server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe
Token: 33	2760	server.exe
Token: SeIncBasePriorityPrivilege	2760	server.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exeserver.exe

description	pid	process	target process
PID 1944 wrote to memory of 2760	1944	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe	server.exe
PID 1944 wrote to memory of 2760	1944	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe	server.exe
PID 1944 wrote to memory of 2760	1944	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe	server.exe
PID 1944 wrote to memory of 2760	1944	fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe	server.exe
PID 2760 wrote to memory of 2372	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2372	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2372	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2372	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2684	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2684	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2684	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 2684	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 612	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 612	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 612	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 612	2760	server.exe	netsh.exe
PID 2760 wrote to memory of 1948	2760	server.exe	tmp6613.tmp.exe
PID 2760 wrote to memory of 1948	2760	server.exe	tmp6613.tmp.exe
PID 2760 wrote to memory of 1948	2760	server.exe	tmp6613.tmp.exe
PID 2760 wrote to memory of 1948	2760	server.exe	tmp6613.tmp.exe

C:\Users\Admin\AppData\Local\Temp\fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe
"C:\Users\Admin\AppData\Local\Temp\fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2372

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp6613.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6613.tmp.exe"
3⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
4⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe
"C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe"
4⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe

Filesize
1.0MB

MD5
04c87a2f53778fd46274b524914b9b79

SHA1
c5ce0043ca4011225044aa6fe1bef35f191efbd5

SHA256
6e494c08b426cf441f3e0146e7578b6eef41658bbf58b7ef5cb531ddc2f458a5

SHA512
18794701c80ac6e956f9733c76aaa9631dfab7ce3d5f1cfa5d5fac20012931fd4161f2dc83fddc4f9ca83f2223ca16862cfba34c3ea6b091d4cc6318d08d74fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe

Filesize
960KB

MD5
3127981258169c0f7e4cfcc1519f6fc9

SHA1
a3fe35c39f26059e0844b4dd4701fdc3827b62ce

SHA256
1b1ca9c2292eba94b5b6657ae8fb381ac5c33ea7fca636a6b30f683b3e9944c1

SHA512
2a32902d1f3cc6a68cbdab37eec6debaf2514989682fd4eaa4766504339813838dd86f86132a962f12a6485ef42775d5ac61ca66dfecb17f2ecaa24f0499b2fb

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
bd3b053452658056878a387afc32144e

SHA1
fd07f4da3e7d3eed99cab4cc64de19d060a1fe2a

SHA256
fb73858ab13c8149347c31cc4c1e975dc1f9f34ab01078df74dd60b77f490bee

SHA512
35aa454e80ee5fb07fdf660bb697d125c352f8b21d30f363d6346ecd9ee0cddb9998cd062de25ffba4c04c26e91244db1480c9144ed3ad2c1d4325badb4040d2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6613.tmp.exe

Filesize
4.5MB

MD5
cbe263551fead5f9f24537c26e2672e3

SHA1
93792371b1383f5e7abfba204dcb712942512baf

SHA256
d5e67f41a6a4da9d68c039c6abba98f9c4c80720e10ab32fda217430de97f27d

SHA512
c2c7c41c071eb082a8da2204b104954c31578bd8e28ff6de72dcc849f286405650321370c7b10cd844d3653ca2e16125ad3130c8f04852320f548622b554eacd

Download Submit
memory/1944-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-2-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-14-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-0-0x00000000748B1000-0x00000000748B2000-memory.dmp

Filesize
4KB

Download
memory/1948-40-0x0000000000C00000-0x000000000108E000-memory.dmp

Filesize
4.6MB

Download
memory/2760-16-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-33-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-15-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-17-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads