dcrat | 708f1bcec066db275b751c43a2b92fe54ea5f82e33c61b0114a249476a9ad8d6

Analysis

max time kernel
52s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RakBot.exe
Size

1.1MB
MD5

0a4bcbacfca9876e5914933a8481391e
SHA1

91876f816adca7cd5eace2b23134eac094ea78ae
SHA256

708f1bcec066db275b751c43a2b92fe54ea5f82e33c61b0114a249476a9ad8d6
SHA512

7b089c7c6c6f22015cda9d74b8fbfcd7c29fad97c1eb62b3af6c3ab4b0b6994a07e258795ede117b7fab6057fca3c34de1afde010b830a5cbffdc78d42a598f7
SSDEEP

24576:l9h9ghwRVQAOBdlSER9MysrYx4ltFbc+Dyd8oC:lr9k3lPLMJYxEv0C

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0010000000023aa3-22.dat	family_dcrat_v2
behavioral2/memory/956-27-0x0000000000400000-0x00000000004E6000-memory.dmp	family_dcrat_v2
behavioral2/memory/1868-31-0x0000000000BD0000-0x0000000000C80000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RakBot.exe1silCLmjJD.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RakBot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	1silCLmjJD.exe

Executes dropped EXE 3 IoCs

Processes:

e5JLtOJeHx.exe1silCLmjJD.exewinlogon.exe

pid	Process
1756	e5JLtOJeHx.exe
1868	1silCLmjJD.exe
1912	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

Processes:

RakBot.exe

description	pid	Process	procid_target
PID 3328 set thread context of 956	3328	RakBot.exe	90

Drops file in Program Files directory 4 IoCs

Processes:

1silCLmjJD.exe

description	ioc	Process
File created	C:\Program Files\dotnet\swidtag\WmiPrvSE.exe	1silCLmjJD.exe
File created	C:\Program Files\dotnet\swidtag\24dbde2999530e	1silCLmjJD.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	1silCLmjJD.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\cc11b995f2a76d	1silCLmjJD.exe

Drops file in Windows directory 5 IoCs

Processes:

1silCLmjJD.exe

description	ioc	Process
File created	C:\Windows\fr-FR\6ccacd8608530f	1silCLmjJD.exe
File created	C:\Windows\en-US\lsass.exe	1silCLmjJD.exe
File created	C:\Windows\en-US\6203df4a6bafc7	1silCLmjJD.exe
File created	C:\Windows\fr-FR\Idle.exe	1silCLmjJD.exe
File opened for modification	C:\Windows\fr-FR\Idle.exe	1silCLmjJD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RakBot.exeRakBot.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RakBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RakBot.exe

Modifies registry class 1 IoCs

Processes:

1silCLmjJD.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	1silCLmjJD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1silCLmjJD.exewinlogon.exe

pid	Process
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1868	1silCLmjJD.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe
1912	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1silCLmjJD.exewinlogon.exe

description	pid	Process
Token: SeDebugPrivilege	1868	1silCLmjJD.exe
Token: SeDebugPrivilege	1912	winlogon.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

RakBot.exeRakBot.exe1silCLmjJD.execmd.exe

description	pid	Process	procid_target
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 3328 wrote to memory of 956	3328	RakBot.exe	90
PID 956 wrote to memory of 1756	956	RakBot.exe	93
PID 956 wrote to memory of 1756	956	RakBot.exe	93
PID 956 wrote to memory of 1868	956	RakBot.exe	95
PID 956 wrote to memory of 1868	956	RakBot.exe	95
PID 1868 wrote to memory of 1092	1868	1silCLmjJD.exe	97
PID 1868 wrote to memory of 1092	1868	1silCLmjJD.exe	97
PID 1092 wrote to memory of 4228	1092	cmd.exe	99
PID 1092 wrote to memory of 4228	1092	cmd.exe	99
PID 1092 wrote to memory of 3060	1092	cmd.exe	100
PID 1092 wrote to memory of 3060	1092	cmd.exe	100
PID 1092 wrote to memory of 1912	1092	cmd.exe	103
PID 1092 wrote to memory of 1912	1092	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\RakBot.exe
"C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\RakBot.exe
  "C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe
    "C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe"
    3⤵
    - Executes dropped EXE
    PID:1756
- - C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe
    "C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcJ0BzVyVU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4228
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3060
    - - C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tcJ0BzVyVU.bat

Filesize
240B

MD5
21a9dbd94046fd0c7f7349f3312ea38b

SHA1
9228c97e5450f566aa15ae5a33a423951416f05d

SHA256
266b23056ece1e4e3fe806e2f56e435cc1c7e9d2f68e44748bd1e5bb5c606ef7

SHA512
fdb75c5442b72bf98bf2c277824ea91ad1ae5f90b45723a67761054fdb64d137c5464b1cad8a80969f2bc223e0476e42fbdc1f2f42ecb292f9cbfafa4c1ee754

Download Submit
C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe

Filesize
674KB

MD5
1088e239e86c2316358d4e5b82810fa2

SHA1
5a16e420b1aa52c4dcd9f0bced05a59e679997a5

SHA256
0fa75c70f7304d35a4aed13dfe72793008610b429820ab8bc2ad45d3abd5e1b2

SHA512
2b79a3aca00ab269d1d8a1874bc0ce3ab06d18aa8c0d1af363f54b569e16e3a0c0fbf88ca4e76f5db3e2302e7d7b20a59bf6c76295c96179ded03c71060ac073

Download Submit
C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
memory/956-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/956-2-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/956-3-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/956-1-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/956-5-0x0000000000160000-0x000000000027C000-memory.dmp

Filesize
1.1MB

Download
memory/956-27-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1868-30-0x00007FFB5D373000-0x00007FFB5D375000-memory.dmp

Filesize
8KB

Download
memory/1868-32-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmp

Filesize
10.8MB

Download
memory/1868-34-0x0000000002DF0000-0x0000000002E0C000-memory.dmp

Filesize
112KB

Download
memory/1868-38-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmp

Filesize
10.8MB

Download
memory/1868-37-0x0000000002E10000-0x0000000002E28000-memory.dmp

Filesize
96KB

Download
memory/1868-35-0x0000000002FA0000-0x0000000002FF0000-memory.dmp

Filesize
320KB

Download
memory/1868-39-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmp

Filesize
10.8MB

Download
memory/1868-53-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmp

Filesize
10.8MB

Download
memory/1868-31-0x0000000000BD0000-0x0000000000C80000-memory.dmp

Filesize
704KB

Download
memory/1868-57-0x00007FFB5D370000-0x00007FFB5DE31000-memory.dmp

Filesize
10.8MB

Download
memory/1912-63-0x000000001BCD0000-0x000000001BD3B000-memory.dmp

Filesize
428KB

Download
memory/3328-0-0x0000000000275000-0x0000000000276000-memory.dmp

Filesize
4KB

Download