dcrat | 4139522809118bba10441242323550ef8f00264e862a5403dab48c1c5c8ad654

General

Target

loader.exe
Size

1.9MB
MD5

f462fd11ceda48487db07c5b70410dac
SHA1

48010b409ab20a6a51e562d347b87abcb15dd9fe
SHA256

4139522809118bba10441242323550ef8f00264e862a5403dab48c1c5c8ad654
SHA512

7ba4a2fae1b0558b4a2d1a081a9f63cc0b4184a395fe58a31083bf1e6b4e597938d0ecda8d0e45d03e26a848c1ad30c75941ade6e49f4237bb70139127c72204
SSDEEP

24576:h2G/nvxW3WCG0xfX0iy3dwFTQ40aI2GP1NE4utdShDpIBUx9PWRW/+YK8bnCAtF:hbA3rnxf0iyoTQi1a1wtStlx9sYX

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019470-9.dat	dcrat
behavioral1/memory/2948-13-0x00000000000A0000-0x0000000000214000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2948	containercomponentSaves.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2796	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	containercomponentSaves.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2056	2060	loader.exe	29
PID 2060 wrote to memory of 2056	2060	loader.exe	29
PID 2060 wrote to memory of 2056	2060	loader.exe	29
PID 2060 wrote to memory of 2056	2060	loader.exe	29
PID 2056 wrote to memory of 2892	2056	WScript.exe	30
PID 2056 wrote to memory of 2892	2056	WScript.exe	30
PID 2056 wrote to memory of 2892	2056	WScript.exe	30
PID 2056 wrote to memory of 2892	2056	WScript.exe	30
PID 2892 wrote to memory of 2948	2892	cmd.exe	32
PID 2892 wrote to memory of 2948	2892	cmd.exe	32
PID 2892 wrote to memory of 2948	2892	cmd.exe	32
PID 2892 wrote to memory of 2948	2892	cmd.exe	32
PID 2892 wrote to memory of 2796	2892	cmd.exe	34
PID 2892 wrote to memory of 2796	2892	cmd.exe	34
PID 2892 wrote to memory of 2796	2892	cmd.exe	34
PID 2892 wrote to memory of 2796	2892	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\blockcomwinsavescrt\containercomponentSaves.exe
      "C:\blockcomwinsavescrt\containercomponentSaves.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe

Filesize
223B

MD5
2b8d55bd0911a0d0a9b459bb97eaeee2

SHA1
636ae852b62d51447ac137871267120b8af73d37

SHA256
200afbf994d31cd86c1808c0387ed77d9b7d0e7759387f58d8dc849a7d30498c

SHA512
65bf05909eb291a66a8839ec52a386a82ff013a89a93bb0005ba29afe71c4b74a03c75fdfa3282d3a0edcc54598cefdf58538d2b070bdde44d31b61ea4b22c91

Download Submit
C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat

Filesize
164B

MD5
460c31975a0ea04ad5a7c3730a15e570

SHA1
e71df06911bb1d755fa6ec7df0b5b3c001a35554

SHA256
8092fb842b95a8ab9198a257585d2b8fed740b49dc013d1eb472737dabe03680

SHA512
3b78b82a126589ddc93a9e12777237814bed36bc135ff894b022571254f2fd3a9faaab0ccb30d752b11f42d537e81e92722c10fb88ed77a133aa8ffc75d4e9b1

Download Submit
\blockcomwinsavescrt\containercomponentSaves.exe

Filesize
1.4MB

MD5
59e330f176ae037dcc65efc5f7d7859a

SHA1
f0fbb795992bbebf15cedec2f473718891ec2334

SHA256
8cfa942fef671bc7a15c59e2b8a0b7aeb2139d3e2bd233b1a45de15513560d72

SHA512
f844da447afaba1620b4f883f2d14d00011428e762357479417ec8e8f60f3f0c901d06c6acb96ce061d53eedfe3a9f2edb8906a2cf449a00266fc62fe0381653

Download Submit
memory/2948-13-0x00000000000A0000-0x0000000000214000-memory.dmp

Filesize
1.5MB

Download
memory/2948-14-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing