dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	MoUsoCoreWorker.exe

Process spawned unexpected child process 19 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	2308	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2308	schtasks.exe	92

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000500000001da19-7.dat	dcrat
behavioral2/files/0x0008000000023bb6-23.dat	dcrat
behavioral2/memory/1356-25-0x0000000000F70000-0x0000000001046000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	XBinderOutput(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	kendalcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	reviewDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe

Executes dropped EXE 3 IoCs

pid	Process
956	kendalcp.exe
1356	reviewDll.exe
632	MoUsoCoreWorker.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\MoUsoCoreWorker.exe	reviewDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\1f93f77a7f4778	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	kendalcp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3464	schtasks.exe
4584	schtasks.exe
2960	schtasks.exe
3704	schtasks.exe
2072	schtasks.exe
3036	schtasks.exe
1028	schtasks.exe
3396	schtasks.exe
3920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1356	reviewDll.exe
1356	reviewDll.exe
1356	reviewDll.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe
632	MoUsoCoreWorker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	reviewDll.exe
Token: SeDebugPrivilege	632	MoUsoCoreWorker.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 956	3148	XBinderOutput(1).exe	87
PID 3148 wrote to memory of 956	3148	XBinderOutput(1).exe	87
PID 3148 wrote to memory of 956	3148	XBinderOutput(1).exe	87
PID 956 wrote to memory of 4468	956	kendalcp.exe	90
PID 956 wrote to memory of 4468	956	kendalcp.exe	90
PID 956 wrote to memory of 4468	956	kendalcp.exe	90
PID 4468 wrote to memory of 4304	4468	WScript.exe	99
PID 4468 wrote to memory of 4304	4468	WScript.exe	99
PID 4468 wrote to memory of 4304	4468	WScript.exe	99
PID 4304 wrote to memory of 1356	4304	cmd.exe	102
PID 4304 wrote to memory of 1356	4304	cmd.exe	102
PID 1356 wrote to memory of 632	1356	reviewDll.exe	112
PID 1356 wrote to memory of 632	1356	reviewDll.exe	112
PID 632 wrote to memory of 1192	632	MoUsoCoreWorker.exe	130
PID 632 wrote to memory of 1192	632	MoUsoCoreWorker.exe	130
PID 1192 wrote to memory of 1220	1192	cmd.exe	132
PID 1192 wrote to memory of 1220	1192	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Program Files (x86)\Reference Assemblies\MoUsoCoreWorker.exe
        
        "C:\Program Files (x86)\Reference Assemblies\MoUsoCoreWorker.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
- Process spawned unexpected child process
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
- Process spawned unexpected child process
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SppExtComObj" /f
1⤵
- Process spawned unexpected child process
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SppExtComObjS" /f
1⤵
- Process spawned unexpected child process
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "MoUsoCoreWorker" /f
1⤵
- Process spawned unexpected child process
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "MoUsoCoreWorkerM" /f
1⤵
- Process spawned unexpected child process
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "MoUsoCoreWorker" /f
1⤵
- Process spawned unexpected child process
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "MoUsoCoreWorkerM" /f
1⤵
- Process spawned unexpected child process
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\1f93f77a7f4778

Filesize
883B

MD5
cf4b14cb4409770154d17db637501672

SHA1
6f7bb0e734acaa319a443fd29d0c46563fa9e8db

SHA256
100c274aa35acc54804612b9446a6f644f4e3189b0b41a162afb99b09307d881

SHA512
f1b493f7c084f14055a1dc0f30a529454ae4c2c59829e194cdd0296e3fbf86d4bc5c67b642f070a594a7a5acbc36eb0db37abca371e616778063be9619740357

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
307B

MD5
edbaaf0e1e7825d89917a24e27d6fb67

SHA1
6310034ba1e85cde892c3385f0349b0a60ee7d06

SHA256
531491e67cfe9597f64e89a8de150cf78dc942e0144d8ecfea2ddd2d8630e08c

SHA512
b463d1c7fbea308f2c0c4cc3cebbca4528f587fdb3e602a4b70438658dca0aa4665b72a071526f8a435cbdb481e8724da52015be8f8d575eb464853590d12370

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Users\Admin\Cookies\e1ef82546f0b02

Filesize
952B

MD5
26eb205ee651849cf6da898c85af2c97

SHA1
dde187c838bc2ce5dd546d935ecfd05cbd7028c2

SHA256
949d75655d1988790c9956577182741d09d2d16d2f57f291adf1ed9cd8faab74

SHA512
8d9c325cf6b4ff995ad437b1bf6bd26606a471f6435f7d40687605f4c2a403532af7620537a4a901acadda9c06c4191ca5021b758e98f5561387160e830a8ff1

Download Submit
C:\Users\Public\Downloads\9e8d7a4ca61bd9

Filesize
51B

MD5
e6d6eb971fb73087fa78fd97d5d0b5e4

SHA1
5ce9685a03f97f576f4bcd94bad4be11dffb0326

SHA256
fc38ed46e5cf85c697614965f4da6306023fc21aba5a68f9603c04df808f5787

SHA512
6b76aceccb66517b40299b82ab0dbbb7c8f9f47e0e1d6ac5e4a3323450c22eafdf7c37bc0804e896e5ed0bc58cd08311298ef1e009c36a5a5cec48b393c309ad

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/1356-25-0x0000000000F70000-0x0000000001046000-memory.dmp

Filesize
856KB

Download
memory/3148-11-0x00007FF824830000-0x00007FF8252F1000-memory.dmp

Filesize
10.8MB

Download
memory/3148-0-0x00007FF824833000-0x00007FF824835000-memory.dmp

Filesize
8KB

Download
memory/3148-3-0x00007FF824830000-0x00007FF8252F1000-memory.dmp

Filesize
10.8MB

Download
memory/3148-1-0x0000000000CA0000-0x0000000000D3E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads