Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08-12-2024 00:07

General

  • Target

    DCRatBuild.exe

  • Size

    1.9MB

  • MD5

    1ee8448fea979c3ecbd21141a0ea84ef

  • SHA1

    f19958c4e816d94b10d7787ce693251d7c93a16f

  • SHA256

    bb7131d57c39a57b3e35acc18093a76c932a889c592fe2843eb4065ec8b646f0

  • SHA512

    941c038b15068362aec2efb174a324d88566fc7013c2659fbbee4e3f41073b9a50772b45e93a144e178c110b065369d7140fbf5c299221d301c9216066ac5ba7

  • SSDEEP

    24576:2TbBv5rUyXVKhCwi/IrsiTqwhFplFG8P1eI8qzvJ0C0wjZ1xjzj9fIXVIgeTryO2:IBJMVXFG89X8qzhfN1xD9QXVIgeTr7iN

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Containerbroker\portsurrogate.exe
          "C:\Containerbroker/portsurrogate.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YfAW7VXQXU.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4768
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:4692
                • C:\Users\All Users\Microsoft OneDrive\setup\cmd.exe
                  "C:\Users\All Users\Microsoft OneDrive\setup\cmd.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:548
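
The process tree above is the observable core of this sample: a launcher in Temp runs WScript on a .vbe dropped into a folder directly under C:\, which runs a .bat from the same folder, which starts the dropped portsurrogate.exe; that in turn runs a second .bat that calls chcp and a w32tm /stripchart against localhost (a built-in delay with no network side effect) before launching a dropped binary named cmd.exe from a "Microsoft OneDrive\setup" folder. The following is an added example, not part of the sandbox report, showing how process-creation telemetry could be checked for those same patterns. The event records are constructed from the PIDs, images and command lines listed above and modelled loosely on Sysmon Event ID 1 fields; the rule names, the set of "system-only" binary names and the list of expected root folders are the example's own assumptions, not anything the report defines.

```python
"""Flag the launch chain shown in the sandbox process tree.

Each event is a dict with pid, ppid, image and cmd, loosely modelled on
Sysmon Event ID 1. EVENTS is constructed from the report's Processes
section (the root launcher's parent PID is made up); it is not captured
telemetry. Rule names and folder lists are this example's assumptions.
"""
import ntpath
import re

EVENTS = [
    {"pid": 3144, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"'},
    {"pid": 1452, "ppid": 3144, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe"'},
    {"pid": 3308, "ppid": 1452, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat" "'},
    {"pid": 2472, "ppid": 3308, "image": r"C:\Containerbroker\portsurrogate.exe",
     "cmd": r'"C:\Containerbroker/portsurrogate.exe"'},
    {"pid": 1928, "ppid": 2472, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YfAW7VXQXU.bat"'},
    {"pid": 4768, "ppid": 1928, "image": r"C:\Windows\system32\chcp.com", "cmd": "chcp 65001"},
    {"pid": 4692, "ppid": 1928, "image": r"C:\Windows\system32\w32tm.exe",
     "cmd": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 548, "ppid": 1928, "image": r"C:\Users\All Users\Microsoft OneDrive\setup\cmd.exe",
     "cmd": r'"C:\Users\All Users\Microsoft OneDrive\setup\cmd.exe"'},
]

# Assumed policy: these names legitimately live only under System32/SysWOW64.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_IMAGES = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# Assumed list of folders expected directly under the drive root.
KNOWN_ROOTS = ("c:\\windows\\", "c:\\users\\", "c:\\program files", "c:\\programdata\\")
SCRIPT_EXT = re.compile(r"\.(vbe|vbs|js|jse|wsf|bat|cmd)$", re.I)
ROOT_DIR = re.compile(r"^[a-z]:\\[^\\]+\\", re.I)  # e.g. C:\Containerbroker\


def image_name(path):
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def odd_root_folder(path):
    """True for a path under a top-level folder that is not a standard one."""
    return bool(ROOT_DIR.match(path)) and not path.lower().startswith(KNOWN_ROOTS)


def quoted_args(cmd):
    return re.findall(r'"([^"]+)"', cmd)


def check_event(ev):
    """Return the rule names an event trips (empty list if none)."""
    hits = []
    name, img, cmd = image_name(ev["image"]), ev["image"], ev["cmd"]
    # 1. A system utility name running from outside System32/SysWOW64
    #    (the dropped "cmd.exe" under Microsoft OneDrive\setup).
    if name in SYSTEM_IMAGES and not in_system_dir(img):
        hits.append("system_binary_masquerade")
    # 2. A script host or cmd given a script that lives in an unexpected
    #    folder directly under the drive root (the .vbe and .bat here).
    if name in INTERPRETERS and any(
            SCRIPT_EXT.search(a) and odd_root_folder(a) for a in quoted_args(cmd)):
        hits.append("interpreter_script_from_root_folder")
    # 3. w32tm /stripchart against localhost: a sleep substitute that needs
    #    no network access and looks like a time-sync command.
    if name == "w32tm.exe" and "/stripchart" in cmd.lower() and "/computer:localhost" in cmd.lower():
        hits.append("w32tm_stripchart_delay")
    # 4. An executable running from the same kind of unexpected root folder.
    if name.endswith(".exe") and odd_root_folder(img):
        hits.append("exe_from_root_folder")
    return hits


def ancestry(events, pid):
    """Image names from the top of the tree down to pid, as the report lays it out."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def triage(events):
    """Map each flagged PID to (rules tripped, ancestry)."""
    return {e["pid"]: (check_event(e), ancestry(events, e["pid"]))
            for e in events if check_event(e)}


if __name__ == "__main__":
    for pid, (rules, chain) in triage(EVENTS).items():
        print(pid, rules, " > ".join(chain))
```

Rules 1 and 3 are the most portable: a binary carrying a Windows utility's name outside the system directories, and w32tm used as a timer, have few benign causes on a workstation. Rules 2 and 4 depend on the assumed list of expected top-level folders and will need tuning per estate (installers and some IT tooling create their own root folders), so treat them as enrichment for the first two rather than as stand-alone alerts.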

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat

        Filesize

        98B

        MD5

        fd5e33ad0c2bf4e91f2a7deded611b86

        SHA1

        90d7127257f68dc76fd9747c9898a7c2ba5a0cfc

        SHA256

        afaa21d706fdc3d86d851861deb016c3de2e865bdea8e0be9ae67e6b1f10420b

        SHA512

        e849701be2703330c32cbaf0bd5fe02a8eb13b763563a6b262a2e327baf5b8424811a70e6df47395f5cafdba1f710a3d32bf724cd7bd720b8d9b0303250c609e

      • C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe

        Filesize

        250B

        MD5

        a87ac73f766078fed72e240a824940e5

        SHA1

        79877cdebf53a7c1ef9b361e9656ec4c364f206e

        SHA256

        a5d1d9718f09b6d13105d5a1a561512609762f4b9d204efaf7e0cfe466871469

        SHA512

        4f7f92c41b31a8bcc89b2fafee9efa46ea65ae6da6c74379eb3be98f060dcb2a3237687e1083d79df78e669cb28431cfdcdb7f0189bff169e43b222a230dd220

      • C:\Containerbroker\portsurrogate.exe

        Filesize

        1.6MB

        MD5

        041176338487edefef14877b1e2050d5

        SHA1

        945f5005db47d433fbdabb599ca2790710f0a056

        SHA256

        e1b7ce41ce5f12fb9466fcb9cf687e82883547d6f2c21480fcb7408b9e315fdb

        SHA512

        292f43151ce11b81f096127a9c7d131f423f96f5b31fa54a72c1e4800180837cdf369a7480ed397a18be2fc6803face50ffee172c07ef0a8f9b82793f8b40145

      • C:\Users\Admin\AppData\Local\Temp\YfAW7VXQXU.bat

        Filesize

        227B

        MD5

        28ddca93ef6d0ff0577ed54e41ebc0bf

        SHA1

        8ec21f5da528235b214d5b2bd5c115d9546debdd

        SHA256

        7f7a3f2535b7e780cac0877a20cc9e964ef69d62109b02951b12b3ce1f976e91

        SHA512

        0200e70d3466a450ff7cbe24ef461a62e3820f1c3aee632f070fe836f725e63d290c1f20ceac4fdc0cd9c4f134058ae5544479c2796d0cc11d7ed84302dc5655

      • memory/2472-12-0x00007FFA80313000-0x00007FFA80315000-memory.dmp

        Filesize

        8KB

      • memory/2472-13-0x0000000000C60000-0x0000000000DF8000-memory.dmp

        Filesize

        1.6MB