dcrat | bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e

Analysis

max time kernel
121s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
Size

2.8MB
MD5

d1e1ae8dced915651e8f1db114c073ea
SHA1

ae0f6cd564fd95889eb166c54bee37567f27add4
SHA256

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e
SHA512

e0ff5e949117808d631680a27d27483679f174a6cedcdf16f0e2c1bb479144c6c59c7754ef7eb8aa65a0562c624ed06864dc8ad9d0e2c53428bbcc0b6cd6c2ad
SSDEEP

49152:qR5omlL3SICIhCj3q4Hdliu/syu/m4cq1Inf6ZkYU6wUd9D9+tho51N009:qR5oiiICy8HTiuPiR1If6iYUMmy51yO

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x00050000000194a7-63.dat	family_dcrat_v2
behavioral1/memory/2600-66-0x0000000000130000-0x00000000001FA000-memory.dmp	family_dcrat_v2
behavioral1/memory/2000-94-0x0000000000390000-0x000000000045A000-memory.dmp	family_dcrat_v2

Executes dropped EXE 8 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeexplorer.exe

pid	Process
2772	7z.exe
2716	7z.exe
2784	7z.exe
2928	7z.exe
2872	7z.exe
2724	7z.exe
2600	Installer.exe
2000	explorer.exe

Loads dropped DLL 12 IoCs

Processes:

cmd.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	Process
2312	cmd.exe
2772	7z.exe
2312	cmd.exe
2716	7z.exe
2312	cmd.exe
2784	7z.exe
2312	cmd.exe
2928	7z.exe
2312	cmd.exe
2872	7z.exe
2312	cmd.exe
2724	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 7 IoCs

Processes:

Installer.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\taskhost.exe	Installer.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\taskhost.exe	Installer.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\b75386f1303e64	Installer.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	Installer.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\7a0fd90576e088	Installer.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\wininit.exe	Installer.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\56085415360792	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
1764	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1764	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Installer.exe

pid	Process
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe
2600	Installer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeexplorer.exe

description	pid	Process
Token: SeRestorePrivilege	2772	7z.exe
Token: 35	2772	7z.exe
Token: SeSecurityPrivilege	2772	7z.exe
Token: SeSecurityPrivilege	2772	7z.exe
Token: SeRestorePrivilege	2716	7z.exe
Token: 35	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeRestorePrivilege	2784	7z.exe
Token: 35	2784	7z.exe
Token: SeSecurityPrivilege	2784	7z.exe
Token: SeSecurityPrivilege	2784	7z.exe
Token: SeRestorePrivilege	2928	7z.exe
Token: 35	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeRestorePrivilege	2872	7z.exe
Token: 35	2872	7z.exe
Token: SeSecurityPrivilege	2872	7z.exe
Token: SeSecurityPrivilege	2872	7z.exe
Token: SeRestorePrivilege	2724	7z.exe
Token: 35	2724	7z.exe
Token: SeSecurityPrivilege	2724	7z.exe
Token: SeSecurityPrivilege	2724	7z.exe
Token: SeDebugPrivilege	2600	Installer.exe
Token: SeDebugPrivilege	2000	explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.execmd.exeInstaller.execmd.exe

description	pid	Process	procid_target
PID 2076 wrote to memory of 2312	2076	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	30
PID 2076 wrote to memory of 2312	2076	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	30
PID 2076 wrote to memory of 2312	2076	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	30
PID 2076 wrote to memory of 2312	2076	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	30
PID 2312 wrote to memory of 2096	2312	cmd.exe	32
PID 2312 wrote to memory of 2096	2312	cmd.exe	32
PID 2312 wrote to memory of 2096	2312	cmd.exe	32
PID 2312 wrote to memory of 2772	2312	cmd.exe	33
PID 2312 wrote to memory of 2772	2312	cmd.exe	33
PID 2312 wrote to memory of 2772	2312	cmd.exe	33
PID 2312 wrote to memory of 2716	2312	cmd.exe	34
PID 2312 wrote to memory of 2716	2312	cmd.exe	34
PID 2312 wrote to memory of 2716	2312	cmd.exe	34
PID 2312 wrote to memory of 2784	2312	cmd.exe	35
PID 2312 wrote to memory of 2784	2312	cmd.exe	35
PID 2312 wrote to memory of 2784	2312	cmd.exe	35
PID 2312 wrote to memory of 2928	2312	cmd.exe	36
PID 2312 wrote to memory of 2928	2312	cmd.exe	36
PID 2312 wrote to memory of 2928	2312	cmd.exe	36
PID 2312 wrote to memory of 2872	2312	cmd.exe	37
PID 2312 wrote to memory of 2872	2312	cmd.exe	37
PID 2312 wrote to memory of 2872	2312	cmd.exe	37
PID 2312 wrote to memory of 2724	2312	cmd.exe	38
PID 2312 wrote to memory of 2724	2312	cmd.exe	38
PID 2312 wrote to memory of 2724	2312	cmd.exe	38
PID 2312 wrote to memory of 2592	2312	cmd.exe	39
PID 2312 wrote to memory of 2592	2312	cmd.exe	39
PID 2312 wrote to memory of 2592	2312	cmd.exe	39
PID 2312 wrote to memory of 2600	2312	cmd.exe	40
PID 2312 wrote to memory of 2600	2312	cmd.exe	40
PID 2312 wrote to memory of 2600	2312	cmd.exe	40
PID 2600 wrote to memory of 1808	2600	Installer.exe	41
PID 2600 wrote to memory of 1808	2600	Installer.exe	41
PID 2600 wrote to memory of 1808	2600	Installer.exe	41
PID 1808 wrote to memory of 1172	1808	cmd.exe	43
PID 1808 wrote to memory of 1172	1808	cmd.exe	43
PID 1808 wrote to memory of 1172	1808	cmd.exe	43
PID 1808 wrote to memory of 1764	1808	cmd.exe	44
PID 1808 wrote to memory of 1764	1808	cmd.exe	44
PID 1808 wrote to memory of 1764	1808	cmd.exe	44
PID 1808 wrote to memory of 2000	1808	cmd.exe	45
PID 1808 wrote to memory of 2000	1808	cmd.exe	45
PID 1808 wrote to memory of 2000	1808	cmd.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
"C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p237578392143213652313078912 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3l1CWBECHl.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1172
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3l1CWBECHl.bat

Filesize
198B

MD5
51d34f5e1078729d796d9cea0d575e93

SHA1
c9f1e788da937bc28561c433762f20f08004c046

SHA256
27031add988270fec560d4e8c2b2957f2817bb70d268b0074e1f9bd541b70124

SHA512
904cd4d29b29b5641cc675e44dfac80c7c40cdc1936dbad2b202f4bc47858b0193b2b844ce2c29678067251db3081cdb67943c53c49d7bf979528bad40c470e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
7e703968b4e13722892cf227f37b392d

SHA1
4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0

SHA256
965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953

SHA512
74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
785KB

MD5
acdd5f8a230ebcf456977ac3d1ea6eca

SHA1
e0a985b5c9e99d3b1e1141938afeecdc02811946

SHA256
45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21

SHA512
5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
315KB

MD5
55a752087f41b97f460d16cd084c1e5d

SHA1
9b1379a8d2fba0322e4ca6274b609d032d703efc

SHA256
47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6

SHA512
22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
315KB

MD5
99941e921b39fbdbbad43c87f518488a

SHA1
6413ddd612ba05a330761c6d0ecec67e6f08b557

SHA256
d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3

SHA512
502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
315KB

MD5
6a9bd1c18b86241e8752bd9d1a9fcdc5

SHA1
77cc56608cc38c8e1295299af82eb661ae8b41bf

SHA256
0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b

SHA512
a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
316KB

MD5
45b44488f58e268aee145714065d01b1

SHA1
57d788efaa8e83d909a2bfd54fe735925818c574

SHA256
fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0

SHA512
54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.9MB

MD5
1b7169f7136811025acefcbd57c4c3aa

SHA1
6b0ce940277dc6573248ee817a17101d0c8e8d82

SHA256
b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e

SHA512
aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.9MB

MD5
3ca63b69b8fecf3105fe03db79fe485e

SHA1
299b02bc2ea3534300304afdc2fcdede1c50aaae

SHA256
143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931

SHA512
185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
888d8edcc3b71e613ea61ea10c012783

SHA1
a5985a3a80b00287e7987262c5d452c4c5e92cfe

SHA256
4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e

SHA512
5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554

Download Submit
memory/2000-94-0x0000000000390000-0x000000000045A000-memory.dmp

Filesize
808KB

Download
memory/2600-66-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2600-68-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2600-70-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/2600-72-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/2600-74-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2600-76-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download