Overview

overview

10

Static

static

3

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.9MB

  • MD5

    1ee8448fea979c3ecbd21141a0ea84ef

  • SHA1

    f19958c4e816d94b10d7787ce693251d7c93a16f

  • SHA256

    bb7131d57c39a57b3e35acc18093a76c932a889c592fe2843eb4065ec8b646f0

  • SHA512

    941c038b15068362aec2efb174a324d88566fc7013c2659fbbee4e3f41073b9a50772b45e93a144e178c110b065369d7140fbf5c299221d301c9216066ac5ba7

  • SSDEEP

    24576:2TbBv5rUyXVKhCwi/IrsiTqwhFplFG8P1eI8qzvJ0C0wjZ1xjzj9fIXVIgeTryO2:IBJMVXFG89X8qzhfN1xD9QXVIgeTr7iN

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Containerbroker\portsurrogate.exe
          "C:\Containerbroker/portsurrogate.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VplopemDw0.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2168
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2364
                • C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe
                  "C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2128

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat
        Filesize

        98B

        MD5

        fd5e33ad0c2bf4e91f2a7deded611b86

        SHA1

        90d7127257f68dc76fd9747c9898a7c2ba5a0cfc

        SHA256

        afaa21d706fdc3d86d851861deb016c3de2e865bdea8e0be9ae67e6b1f10420b

        SHA512

        e849701be2703330c32cbaf0bd5fe02a8eb13b763563a6b262a2e327baf5b8424811a70e6df47395f5cafdba1f710a3d32bf724cd7bd720b8d9b0303250c609e

        Download Submit

      • C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe
        Filesize

        250B

        MD5

        a87ac73f766078fed72e240a824940e5

        SHA1

        79877cdebf53a7c1ef9b361e9656ec4c364f206e

        SHA256

        a5d1d9718f09b6d13105d5a1a561512609762f4b9d204efaf7e0cfe466871469

        SHA512

        4f7f92c41b31a8bcc89b2fafee9efa46ea65ae6da6c74379eb3be98f060dcb2a3237687e1083d79df78e669cb28431cfdcdb7f0189bff169e43b222a230dd220

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\VplopemDw0.bat
        Filesize

        232B

        MD5

        0e9b2367eaeaec0f1255b4418f5e4077

        SHA1

        f6be5a4648425d2a010b4273166185bee5802b60

        SHA256

        aa712293cf8e5b6760f8703d96aa092ed9fa9da3e2f13723e0d65ad14ff5cdbe

        SHA512

        21637979f772e8b1fbe939ab021052768c16e917391fdb47432fefe5a770be9a739da3cfdfcf4800cba25111480a3922fd7a4dfcbefe9e899a5733868b5951ab

        Download Submit

      • \Containerbroker\portsurrogate.exe
        Filesize

        1.6MB

        MD5

        041176338487edefef14877b1e2050d5

        SHA1

        945f5005db47d433fbdabb599ca2790710f0a056

        SHA256

        e1b7ce41ce5f12fb9466fcb9cf687e82883547d6f2c21480fcb7408b9e315fdb

        SHA512

        292f43151ce11b81f096127a9c7d131f423f96f5b31fa54a72c1e4800180837cdf369a7480ed397a18be2fc6803face50ffee172c07ef0a8f9b82793f8b40145

        Download Submit

      • memory/2128-32-0x0000000000FB0000-0x0000000001148000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2616-13-0x0000000001050000-0x00000000011E8000-memory.dmp

        Filesize

        1.6MB

        Download