dcrat | 708f1bcec066db275b751c43a2b92fe54ea5f82e33c61b0114a249476a9ad8d6

Analysis

max time kernel
51s
max time network
66s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RakBot.exe
Size

1.1MB
MD5

0a4bcbacfca9876e5914933a8481391e
SHA1

91876f816adca7cd5eace2b23134eac094ea78ae
SHA256

708f1bcec066db275b751c43a2b92fe54ea5f82e33c61b0114a249476a9ad8d6
SHA512

7b089c7c6c6f22015cda9d74b8fbfcd7c29fad97c1eb62b3af6c3ab4b0b6994a07e258795ede117b7fab6057fca3c34de1afde010b830a5cbffdc78d42a598f7
SSDEEP

24576:l9h9ghwRVQAOBdlSER9MysrYx4ltFbc+Dyd8oC:lr9k3lPLMJYxEv0C

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000186b7-26.dat	family_dcrat_v2
behavioral1/memory/1692-25-0x0000000000400000-0x00000000004E6000-memory.dmp	family_dcrat_v2
behavioral1/memory/1500-29-0x00000000008A0000-0x0000000000950000-memory.dmp	family_dcrat_v2
behavioral1/memory/2456-55-0x0000000000130000-0x00000000001E0000-memory.dmp	family_dcrat_v2

Executes dropped EXE 3 IoCs

pid	Process
2972	tvsAAll0AZ.exe
1500	FUuTM4xKD1.exe
2456	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	RakBot.exe
1692	RakBot.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 1692	2528	RakBot.exe	31

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\System.exe	FUuTM4xKD1.exe
File created	C:\Program Files\Windows Defender\27d1bcfc3c54e0	FUuTM4xKD1.exe
File created	C:\Program Files\Windows Defender\de-DE\lsass.exe	FUuTM4xKD1.exe
File created	C:\Program Files\Windows Defender\de-DE\6203df4a6bafc7	FUuTM4xKD1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RakBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RakBot.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2544	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
1500	FUuTM4xKD1.exe
2456	lsass.exe
2456	lsass.exe
2456	lsass.exe
2456	lsass.exe
2456	lsass.exe
2456	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	FUuTM4xKD1.exe
Token: SeDebugPrivilege	2456	lsass.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 2528 wrote to memory of 1692	2528	RakBot.exe	31
PID 1692 wrote to memory of 1500	1692	RakBot.exe	33
PID 1692 wrote to memory of 1500	1692	RakBot.exe	33
PID 1692 wrote to memory of 1500	1692	RakBot.exe	33
PID 1692 wrote to memory of 1500	1692	RakBot.exe	33
PID 1500 wrote to memory of 1336	1500	FUuTM4xKD1.exe	34
PID 1500 wrote to memory of 1336	1500	FUuTM4xKD1.exe	34
PID 1500 wrote to memory of 1336	1500	FUuTM4xKD1.exe	34
PID 1336 wrote to memory of 2224	1336	cmd.exe	36
PID 1336 wrote to memory of 2224	1336	cmd.exe	36
PID 1336 wrote to memory of 2224	1336	cmd.exe	36
PID 1336 wrote to memory of 2544	1336	cmd.exe	37
PID 1336 wrote to memory of 2544	1336	cmd.exe	37
PID 1336 wrote to memory of 2544	1336	cmd.exe	37
PID 1336 wrote to memory of 2456	1336	cmd.exe	38
PID 1336 wrote to memory of 2456	1336	cmd.exe	38
PID 1336 wrote to memory of 2456	1336	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\RakBot.exe
"C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\RakBot.exe
  "C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe
    "C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe"
    3⤵
    - Executes dropped EXE
    PID:2972
- - C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe
    "C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mYkkPZWoAf.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2224
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
    - - C:\Program Files\Windows Defender\de-DE\lsass.exe
        
        "C:\Program Files\Windows Defender\de-DE\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mYkkPZWoAf.bat

Filesize
177B

MD5
1aed6093e34b14abd074607f16df95e6

SHA1
6d31ea34b4d93a4b79a7c9fbd6f78a38face0309

SHA256
944112ded33b8b2916cbd3e5ca4f92e615d89b21fce527c192ecfd304a7714bf

SHA512
cc7fb9b32f007f702c9495b996453b09b4f9f2687257557392b43d6ac70df4ad9a6bfbcf54bd86c56a975903075e9a43681a977f656781b67f49591e4298a846

Download Submit
C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe

Filesize
674KB

MD5
1088e239e86c2316358d4e5b82810fa2

SHA1
5a16e420b1aa52c4dcd9f0bced05a59e679997a5

SHA256
0fa75c70f7304d35a4aed13dfe72793008610b429820ab8bc2ad45d3abd5e1b2

SHA512
2b79a3aca00ab269d1d8a1874bc0ce3ab06d18aa8c0d1af363f54b569e16e3a0c0fbf88ca4e76f5db3e2302e7d7b20a59bf6c76295c96179ded03c71060ac073

Download Submit
C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
memory/1500-32-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/1500-28-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/1500-52-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-36-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-35-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-34-0x0000000000430000-0x0000000000448000-memory.dmp

Filesize
96KB

Download
memory/1500-30-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-29-0x00000000008A0000-0x0000000000950000-memory.dmp

Filesize
704KB

Download
memory/1692-13-0x0000000000B20000-0x0000000000C3C000-memory.dmp

Filesize
1.1MB

Download
memory/1692-2-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-5-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-25-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-3-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-11-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-9-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1692-12-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-1-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-6-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1692-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2456-55-0x0000000000130000-0x00000000001E0000-memory.dmp

Filesize
704KB

Download
memory/2528-0-0x0000000000C35000-0x0000000000C36000-memory.dmp

Filesize
4KB

Download