dcrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

14-11-2024 23:57

241114-3zzkpavhpf 10

14-11-2024 23:44

14-11-2024 23:36

14-11-2024 23:24

14-11-2024 23:10

Analysis

max time kernel
55s
max time network
62s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat discovery infostealer rat vmprotect

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x001b00000002ab0b-8.dat	family_dcrat_v2
behavioral1/files/0x001a00000002ab10-39.dat	family_dcrat_v2
behavioral1/memory/1532-41-0x00000000006F0000-0x000000000079E000-memory.dmp	family_dcrat_v2

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
4892	onlysteal.exe
2952	epp32.exe
1532	hyperBlockCrtCommon.exe
3252	dllhost.exe
2968	svchost.exe
1640	14.exe
2292	dllhost.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x001a00000002ab13-75.dat	vmprotect
behavioral1/memory/2968-81-0x00007FF725690000-0x00007FF7258C7000-memory.dmp	vmprotect
behavioral1/memory/2968-83-0x00007FF725690000-0x00007FF7258C7000-memory.dmp	vmprotect
behavioral1/memory/2968-85-0x00007FF725690000-0x00007FF7258C7000-memory.dmp	vmprotect

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe	hyperBlockCrtCommon.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\55b276f4edf653	hyperBlockCrtCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onlysteal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	onlysteal.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	hyperBlockCrtCommon.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
1532	hyperBlockCrtCommon.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe
3252	dllhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	4363463463464363463463463.exe
Token: SeDebugPrivilege	1532	hyperBlockCrtCommon.exe
Token: SeDebugPrivilege	3252	dllhost.exe
Token: SeDebugPrivilege	2292	dllhost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 4892	3376	4363463463464363463463463.exe	79
PID 3376 wrote to memory of 4892	3376	4363463463464363463463463.exe	79
PID 3376 wrote to memory of 4892	3376	4363463463464363463463463.exe	79
PID 4892 wrote to memory of 2836	4892	onlysteal.exe	80
PID 4892 wrote to memory of 2836	4892	onlysteal.exe	80
PID 4892 wrote to memory of 2836	4892	onlysteal.exe	80
PID 3376 wrote to memory of 2952	3376	4363463463464363463463463.exe	81
PID 3376 wrote to memory of 2952	3376	4363463463464363463463463.exe	81
PID 3376 wrote to memory of 2952	3376	4363463463464363463463463.exe	81
PID 2836 wrote to memory of 760	2836	WScript.exe	82
PID 2836 wrote to memory of 760	2836	WScript.exe	82
PID 2836 wrote to memory of 760	2836	WScript.exe	82
PID 760 wrote to memory of 1532	760	cmd.exe	84
PID 760 wrote to memory of 1532	760	cmd.exe	84
PID 1532 wrote to memory of 2720	1532	hyperBlockCrtCommon.exe	85
PID 1532 wrote to memory of 2720	1532	hyperBlockCrtCommon.exe	85
PID 2720 wrote to memory of 1912	2720	cmd.exe	87
PID 2720 wrote to memory of 1912	2720	cmd.exe	87
PID 2720 wrote to memory of 2760	2720	cmd.exe	88
PID 2720 wrote to memory of 2760	2720	cmd.exe	88
PID 2720 wrote to memory of 3252	2720	cmd.exe	89
PID 2720 wrote to memory of 3252	2720	cmd.exe	89
PID 3376 wrote to memory of 2968	3376	4363463463464363463463463.exe	90
PID 3376 wrote to memory of 2968	3376	4363463463464363463463463.exe	90
PID 3376 wrote to memory of 1640	3376	4363463463464363463463463.exe	91
PID 3376 wrote to memory of 1640	3376	4363463463464363463463463.exe	91
PID 3252 wrote to memory of 2708	3252	dllhost.exe	92
PID 3252 wrote to memory of 2708	3252	dllhost.exe	92
PID 2708 wrote to memory of 4576	2708	cmd.exe	94
PID 2708 wrote to memory of 4576	2708	cmd.exe	94
PID 2708 wrote to memory of 3884	2708	cmd.exe	95
PID 2708 wrote to memory of 3884	2708	cmd.exe	95
PID 2708 wrote to memory of 2292	2708	cmd.exe	96
PID 2708 wrote to memory of 2292	2708	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\Files\onlysteal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\onlysteal.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Intorefnet\hyperBlockCrtCommon.exe
        
        "C:\Intorefnet/hyperBlockCrtCommon.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U3oCNWkxqD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2760
        
        C:\Intorefnet\dllhost.exe
        
        "C:\Intorefnet\dllhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ADRb0ZiLyY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3884
        
        C:\Intorefnet\dllhost.exe
        
        "C:\Intorefnet\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
- C:\Users\Admin\AppData\Local\Temp\Files\epp32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\epp32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\Files\14.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\14.exe"
  2⤵
  - Executes dropped EXE
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat

Filesize
84B

MD5
7fef6d8e0a11e2dec6af7a0e3b952b06

SHA1
b95534abb31712b49087005da4cdd4c92fe35edd

SHA256
6bb327123f7ec740bb03b3405c5cd790199ba132091d1ceae4f098a29c0e9592

SHA512
2c19d8ac297e3e0d790f844aedac3be3934a274ba834b66f36994ccdfd8e8c49b836d7a0df1e28de999cec7e1b5984a90199f4e08bc30d8113c4852fb9a27703

Download Submit
C:\Intorefnet\hyperBlockCrtCommon.exe

Filesize
673KB

MD5
88475ffcf70bafda27644064bd214f2a

SHA1
650deb8eee1f3614ff924c2ac5dad5a2f230dce1

SHA256
f2bd4f56c501098299b88cefecfd79e763d95d801016eaaf4e2707c5ffc7c767

SHA512
c3e7c4d38d43571fd81926aecf3f0bd75f728f1e7056af02955eed96bea67efd30f295089300df809841c0565a9ea4aa793e2f5c6b93e3eb86132cccc267376f

Download Submit
C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe

Filesize
206B

MD5
926c428eaa357b6ff5474252ee2821fe

SHA1
623205127383f9cc804a3af035448cc396e704e3

SHA256
80675c3ae85f284b0e291b368560cc5727d416f1f52577e6505db41b0add9bc1

SHA512
cdb460848edbc5b8053b0b5211fce7d5f5eb92b347526b3e1d98becbfe1d4f8fb277ac3c58eab64b532f57c4c3b6f5642a9fad04c22f2910eecb0633079fb4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
677ed12bc681eec796f3a0936660f33d

SHA1
5828d1fc5a880a7e0f5c3ff261b75e9c8360a05c

SHA256
38ddfb9e53bb5cceda056534eb0ec106a125077f372f7b79c40acb47e840b040

SHA512
76d14534bd9b879b531faefecf005a5b715af10c0eae53878822b8160bd19ce0a5d4d92b347c063b70919fbdede308f5e683ec17343102eb69a3d055bce072f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADRb0ZiLyY.bat

Filesize
201B

MD5
4cc2f8024e45abe339d88666c8966a18

SHA1
ad4bb77f2db7ff2d6ee5866214d84490fed3af3e

SHA256
a678f490b1a83046508a9624b5c354defbf01cee6c64baf7573c761283f7c9d0

SHA512
e49455db27f01b114a74e8c36a645b941bbfc3d2843e63e9736450a16c9c32af24ab46a6832ac8f1d98a57cb32791f73da3c12176d7e53493847c6cb12896693

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\14.exe

Filesize
5.1MB

MD5
c3d40db87e2d003757ab2b77e7554d19

SHA1
b9ac9ca7baef2aa316dd2c375a7ad11f5d4c1e06

SHA256
9a5d6c1f159845e29cb079b20fab7fbc05246924b76dfb9fb482e049ea85d35f

SHA512
fda6a37a789cedd91bb1190d69c718c3fab7bdad63e3bc5ddaf4ed4d09b870dd8f8e55cdf590b27464b6ce7f39a7afc161d0b73a5f70630544ac3122124d41f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\epp32.exe

Filesize
1.1MB

MD5
7440694cba7601b5c1cbf10e1a71bf5d

SHA1
c9110e7984ed98854de7becf58c29223f321cdb4

SHA256
7da893d1061d53820df739a6917d18c2ad891e479c926bd7f0e1b2c33b696463

SHA512
ac7649a3566231385515e0fa313d6f2a5a979ae13558dd4b5d3b60a1c3061bfbb9673384221758eebdd7fe6ed052c4c6213e4ed6c2dfd284923208f673b3c65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\onlysteal.exe

Filesize
987KB

MD5
8f81ac89b9f6dbccf07a86af59faa6ba

SHA1
0d97a27bacaae103f2f15637f623d3d13a568d91

SHA256
766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a

SHA512
452c04ec647dd84123ffb84f1ff37aef81057edf0c1a069113d0b1d89f2462c373301aa84355d0fafd8bb6c4b3d4b6bf580952f29189157edaea376711be16ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
1.1MB

MD5
8911e8d889f59b52df80729faac2c99c

SHA1
31b87d601a3c5c518d82abb8324a53fe8fe89ea1

SHA256
8d0c2f35092d606d015bd250b534b670857b0dba8004a4e7588482dd257c9342

SHA512
029fd7b8b8b03a174cdc1c52d12e4cf925161d6201bbe14888147a396cd0ba463fd586d49daf90ec00e88d75d290abfeb0bb7482816b8a746e9c5ce58e464bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\U3oCNWkxqD.bat

Filesize
201B

MD5
1311b4bc9b823df6dc93d374c22aeb25

SHA1
a0a6a469dc8a68c462d2014df1beadc2ceb1f4c1

SHA256
e6246ac176123b50a27a76ebf37f549b63ab10eff9f0d83147cebe49009b68da

SHA512
38e6fce2207fa4dad28e5227eaf0d52eea849fec74b2c89dab3cf29c10ef257e07de3cf709d3bf34ecb5df1acb48d5675935eab00d2ea0a743b381c397d0e444

Download Submit
memory/1532-41-0x00000000006F0000-0x000000000079E000-memory.dmp

Filesize
696KB

Download
memory/1532-43-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/1532-44-0x000000001B3F0000-0x000000001B440000-memory.dmp

Filesize
320KB

Download
memory/1532-46-0x00000000029C0000-0x00000000029D8000-memory.dmp

Filesize
96KB

Download
memory/2952-34-0x0000000004A80000-0x0000000004AA2000-memory.dmp

Filesize
136KB

Download
memory/2952-36-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/2952-35-0x00000000051E0000-0x0000000005786000-memory.dmp

Filesize
5.6MB

Download
memory/2952-33-0x00000000000C0000-0x00000000001DA000-memory.dmp

Filesize
1.1MB

Download
memory/2968-83-0x00007FF725690000-0x00007FF7258C7000-memory.dmp

Filesize
2.2MB

Download
memory/2968-81-0x00007FF725690000-0x00007FF7258C7000-memory.dmp

Filesize
2.2MB

Download
memory/2968-85-0x00007FF725690000-0x00007FF7258C7000-memory.dmp

Filesize
2.2MB

Download
memory/3376-65-0x00000000745A0000-0x0000000074D51000-memory.dmp

Filesize
7.7MB

Download
memory/3376-64-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/3376-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/3376-3-0x00000000745A0000-0x0000000074D51000-memory.dmp

Filesize
7.7MB

Download
memory/3376-2-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/3376-1-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download