dcrat | bf822ec47b562c8067c24397e77e91f3ed9107237152843480f12e945ce05940

General

Target

e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
Size

604KB
MD5

bdf00f92a1a06df314a8edd867c5a45e
SHA1

8c0a924ff7ef218a4ff39586f753b45861c4b64d
SHA256

e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40
SHA512

ce0f22291a2f8e891f874f4f67a80b314a6e3f43efd1f223057ac0db7576f54d7c4d8818d40bccdd359399a6560f924da43251cb06f375fb1117572f007d043c
SSDEEP

12288:SbGpjowFTdOOEvs1Vc9d7TBLgHrn8giw2pWBSzhqhjb2CB0UrON:SbO0cdYscn7KBiwOzF

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4972-7-0x0000000000400000-0x0000000000488000-memory.dmp	dcrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
Token: SeDebugPrivilege	4972	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86
PID 4952 wrote to memory of 4972	4952	e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe	86

C:\Users\Admin\AppData\Local\Temp\e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
"C:\Users\Admin\AppData\Local\Temp\e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe
  "C:\Users\Admin\AppData\Local\Temp\e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e59150e5c2e49772bb573492df8dd17cff30f78b23bc2574d8c19dab1551cf40.exe.log

Filesize
410B

MD5
24cfd42a8de70b38ed70e1f8cf4eda1c

SHA1
e447168fd38da9175084b36a06c3e9bbde99064c

SHA256
93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd

SHA512
5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

Download Submit
memory/4952-11-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-1-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/4952-2-0x0000000002770000-0x0000000002776000-memory.dmp

Filesize
24KB

Download
memory/4952-3-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/4952-5-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-4-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4952-6-0x0000000004C40000-0x0000000004C4A000-memory.dmp

Filesize
40KB

Download
memory/4952-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/4972-10-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-9-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/4972-12-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-13-0x00000000053F0000-0x00000000053FE000-memory.dmp

Filesize
56KB

Download
memory/4972-15-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/4972-14-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/4972-16-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-7-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4972-18-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing