Overview

overview

10

Static

static

3

RakBot.exe

windows7-x64

10

RakBot.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2024, 01:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    RakBot.exe

  • Size

    1.1MB

  • MD5

    0a4bcbacfca9876e5914933a8481391e

  • SHA1

    91876f816adca7cd5eace2b23134eac094ea78ae

  • SHA256

    708f1bcec066db275b751c43a2b92fe54ea5f82e33c61b0114a249476a9ad8d6

  • SHA512

    7b089c7c6c6f22015cda9d74b8fbfcd7c29fad97c1eb62b3af6c3ab4b0b6994a07e258795ede117b7fab6057fca3c34de1afde010b830a5cbffdc78d42a598f7

  • SSDEEP

    24576:l9h9ghwRVQAOBdlSER9MysrYx4ltFbc+Dyd8oC:lr9k3lPLMJYxEv0C

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RakBot.exe
    "C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\RakBot.exe
      "C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
      2⤵
        PID:4216
      • C:\Users\Admin\AppData\Local\Temp\RakBot.exe
        "C:\Users\Admin\AppData\Local\Temp\RakBot.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Users\Admin\AppData\Roaming\olunf8EAGw.exe
          "C:\Users\Admin\AppData\Roaming\olunf8EAGw.exe"
          3⤵
          • Executes dropped EXE
          PID:1344
        • C:\Users\Admin\AppData\Roaming\zrtMbE5WcO.exe
          "C:\Users\Admin\AppData\Roaming\zrtMbE5WcO.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3276
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\56Xzv9CPOa.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2956
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2972
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                5⤵
                  PID:1220
                • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe
                  "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1132

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\56Xzv9CPOa.bat
                Filesize

                239B

                MD5

                b1e1a68a0c54adfaa522ccd242da0be6

                SHA1

                36f176281d2d24755243a2612f55cde1230e83db

                SHA256

                b35737c6d590f21fa2f7b16447061b8e28e1fe3ed61d4a48e0d806c674ac5a1f

                SHA512

                7820e5a2ba4dc8b5e2ca6da9b7957ce138c6d8f4e97dcf13e2b24171eaf1180dbf9f8617f832478495b9731413920568adb649befee788d7a854cb5afe02c3ad

                Download Submit

              • C:\Users\Admin\AppData\Roaming\olunf8EAGw.exe
                Filesize

                18KB

                MD5

                f3edff85de5fd002692d54a04bcb1c09

                SHA1

                4c844c5b0ee7cb230c9c28290d079143e00cb216

                SHA256

                caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

                SHA512

                531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\zrtMbE5WcO.exe
                Filesize

                674KB

                MD5

                1088e239e86c2316358d4e5b82810fa2

                SHA1

                5a16e420b1aa52c4dcd9f0bced05a59e679997a5

                SHA256

                0fa75c70f7304d35a4aed13dfe72793008610b429820ab8bc2ad45d3abd5e1b2

                SHA512

                2b79a3aca00ab269d1d8a1874bc0ce3ab06d18aa8c0d1af363f54b569e16e3a0c0fbf88ca4e76f5db3e2302e7d7b20a59bf6c76295c96179ded03c71060ac073

                Download Submit

              • memory/2984-1-0x0000000000400000-0x00000000004E6000-memory.dmp

                Filesize

                920KB

                Download

              • memory/2984-4-0x0000000000400000-0x00000000004E6000-memory.dmp

                Filesize

                920KB

                Download

              • memory/2984-5-0x0000000000940000-0x0000000000A5C000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/2984-3-0x0000000000400000-0x00000000004E6000-memory.dmp

                Filesize

                920KB

                Download

              • memory/2984-2-0x0000000000400000-0x00000000004E6000-memory.dmp

                Filesize

                920KB

                Download

              • memory/2984-27-0x0000000000400000-0x00000000004E6000-memory.dmp

                Filesize

                920KB

                Download

              • memory/3276-31-0x0000000000A90000-0x0000000000B40000-memory.dmp

                Filesize

                704KB

                Download

              • memory/3276-32-0x00007FFCC9180000-0x00007FFCC9C41000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3276-34-0x0000000002AB0000-0x0000000002ACC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/3276-35-0x00007FFCC9180000-0x00007FFCC9C41000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3276-36-0x0000000002B20000-0x0000000002B70000-memory.dmp

                Filesize

                320KB

                Download

              • memory/3276-38-0x0000000002AD0000-0x0000000002AE8000-memory.dmp

                Filesize

                96KB

                Download

              • memory/3276-45-0x00007FFCC9180000-0x00007FFCC9C41000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3276-53-0x00007FFCC9180000-0x00007FFCC9C41000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3276-30-0x00007FFCC9183000-0x00007FFCC9185000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3276-57-0x00007FFCC9180000-0x00007FFCC9C41000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3412-0-0x0000000000A55000-0x0000000000A56000-memory.dmp

                Filesize

                4KB

                Download