dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	960	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	960	schtasks.exe	36

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000012118-6.dat	dcrat
behavioral1/files/0x000800000001707c-21.dat	dcrat
behavioral1/memory/2736-22-0x0000000000A20000-0x0000000000AF6000-memory.dmp	dcrat
behavioral1/memory/2956-44-0x0000000000830000-0x0000000000906000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
3060	kendalcp.exe
2736	reviewDll.exe
2956	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\wininit.exe	reviewDll.exe
File created	C:\Windows\Resources\Ease of Access Themes\56085415360792	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2132	schtasks.exe
2920	schtasks.exe
2912	schtasks.exe
2676	schtasks.exe
2496	schtasks.exe
1112	schtasks.exe
964	schtasks.exe
1708	schtasks.exe
2228	schtasks.exe
2932	schtasks.exe
1396	schtasks.exe
2384	schtasks.exe
2028	schtasks.exe
324	schtasks.exe
1824	schtasks.exe
2776	schtasks.exe
2620	schtasks.exe
1644	schtasks.exe
992	schtasks.exe
2504	schtasks.exe
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2736	reviewDll.exe
2736	reviewDll.exe
2736	reviewDll.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe
2956	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	reviewDll.exe
Token: SeDebugPrivilege	2956	lsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3060	1620	XBinderOutput(1).exe	30
PID 1620 wrote to memory of 3060	1620	XBinderOutput(1).exe	30
PID 1620 wrote to memory of 3060	1620	XBinderOutput(1).exe	30
PID 1620 wrote to memory of 3060	1620	XBinderOutput(1).exe	30
PID 3060 wrote to memory of 2076	3060	kendalcp.exe	31
PID 3060 wrote to memory of 2076	3060	kendalcp.exe	31
PID 3060 wrote to memory of 2076	3060	kendalcp.exe	31
PID 3060 wrote to memory of 2076	3060	kendalcp.exe	31
PID 2076 wrote to memory of 2760	2076	WScript.exe	33
PID 2076 wrote to memory of 2760	2076	WScript.exe	33
PID 2076 wrote to memory of 2760	2076	WScript.exe	33
PID 2076 wrote to memory of 2760	2076	WScript.exe	33
PID 2760 wrote to memory of 2736	2760	cmd.exe	35
PID 2760 wrote to memory of 2736	2760	cmd.exe	35
PID 2760 wrote to memory of 2736	2760	cmd.exe	35
PID 2760 wrote to memory of 2736	2760	cmd.exe	35
PID 2736 wrote to memory of 2960	2736	reviewDll.exe	58
PID 2736 wrote to memory of 2960	2736	reviewDll.exe	58
PID 2736 wrote to memory of 2960	2736	reviewDll.exe	58
PID 2960 wrote to memory of 580	2960	cmd.exe	60
PID 2960 wrote to memory of 580	2960	cmd.exe	60
PID 2960 wrote to memory of 580	2960	cmd.exe	60
PID 2960 wrote to memory of 2956	2960	cmd.exe	61
PID 2960 wrote to memory of 2956	2960	cmd.exe	61
PID 2960 wrote to memory of 2956	2960	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSGzlsGc5j.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:580
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cSGzlsGc5j.bat

Filesize
221B

MD5
1d2614213bd0ab6092c2c424a8073b25

SHA1
f0014d1bcd55c692b692045bc7c1ca75276317ea

SHA256
dc0c22079a46468cf270a7dcf272908b81b10452906da57314574da5ecc48f6c

SHA512
772a0a4b23464e4048a186caa770357dff9aea2755af461d8b26eadfee917c97e3de81d6cd13ad79f5c48bea64fe951c64931ffdaf29f651e3b05e364e0c58a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/1620-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1620-1-0x0000000001050000-0x00000000010EE000-memory.dmp

Filesize
632KB

Download
memory/1620-8-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-22-0x0000000000A20000-0x0000000000AF6000-memory.dmp

Filesize
856KB

Download
memory/2956-44-0x0000000000830000-0x0000000000906000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads