dcrat | 8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe
Size

3.9MB
MD5

5db95c4de9b6e98c653ac3dec5dce83d
SHA1

c3e1cb98b5450d21c8e9e975148c282afcf4ccae
SHA256

8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7
SHA512

42e5504904f0db4e62d56c03c8e7e302df0eba488a966259aa686e7d952db8a25eb56b5ac72731400cfd2541b6429d82e95e3bb8e87565bdf0cbe2b488c47368
SSDEEP

98304:1VtCpBXG8uKobY22R0pbuov/BXG8uKobY22R0pbuovJ:2ghSRaCo3ghSRaCoR

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023c78-22.dat	family_dcrat_v2
behavioral2/memory/2236-31-0x00000000008A0000-0x0000000000A48000-memory.dmp	family_dcrat_v2
behavioral2/memory/4288-29-0x0000000000400000-0x00000000005DF000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	YwCAFxMyqM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe

Executes dropped EXE 3 IoCs

pid	Process
3732	UC2TX4SLvH.exe
2236	YwCAFxMyqM.exe
4884	taskhostw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	YwCAFxMyqM.exe
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	YwCAFxMyqM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	YwCAFxMyqM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe
2236	YwCAFxMyqM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	YwCAFxMyqM.exe
Token: SeDebugPrivilege	4884	taskhostw.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4244 wrote to memory of 4288	4244	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	86
PID 4288 wrote to memory of 3732	4288	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	87
PID 4288 wrote to memory of 3732	4288	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	87
PID 4288 wrote to memory of 2236	4288	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	89
PID 4288 wrote to memory of 2236	4288	8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe	89
PID 2236 wrote to memory of 2652	2236	YwCAFxMyqM.exe	90
PID 2236 wrote to memory of 2652	2236	YwCAFxMyqM.exe	90
PID 2652 wrote to memory of 1820	2652	cmd.exe	92
PID 2652 wrote to memory of 1820	2652	cmd.exe	92
PID 2652 wrote to memory of 4788	2652	cmd.exe	93
PID 2652 wrote to memory of 4788	2652	cmd.exe	93
PID 2652 wrote to memory of 4884	2652	cmd.exe	95
PID 2652 wrote to memory of 4884	2652	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe
"C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe
  "C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Roaming\UC2TX4SLvH.exe
    "C:\Users\Admin\AppData\Roaming\UC2TX4SLvH.exe"
    3⤵
    - Executes dropped EXE
    PID:3732
- - C:\Users\Admin\AppData\Roaming\YwCAFxMyqM.exe
    "C:\Users\Admin\AppData\Roaming\YwCAFxMyqM.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MS0linP4GL.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1820
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4788
    - - C:\Program Files (x86)\Windows Mail\taskhostw.exe
        
        "C:\Program Files (x86)\Windows Mail\taskhostw.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MS0linP4GL.bat

Filesize
225B

MD5
c16cd6605885bd20c9e5fdca97e587c2

SHA1
c44707095efb419e333441d73c83cabb17f4f731

SHA256
53f6eb66f93d1998185be61b2cee2be5ec1a589f77e6fd22b2f6cbaa85c28cc4

SHA512
3f03cadad62f4aabae8a9498ab209d7d8d9cc87072e3014b705928af05a80cb2a15c0a6a5877c97a11aa1852c4f88b0a1611dd49134379c0e73c500f19520879

Download Submit
C:\Users\Admin\AppData\Roaming\UC2TX4SLvH.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\YwCAFxMyqM.exe

Filesize
1.6MB

MD5
579fd24f4cacc972f63f47214f9c3c34

SHA1
20be9c6e9aa29d57b670d6809ffad1786a8508e5

SHA256
f80bd8eb42194df565e3152d35bad6a40fdae70e221e9e66873587bffb73d64b

SHA512
1a8f7918b931fa10cbc4b47a88405c0b28255360ac27e1d44ba00554186ed20139fbaaa278a362c34a20083f4fff30dc83876c3f382397f831f781fb6a9aab91

Download Submit
memory/2236-41-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2236-61-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-83-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-67-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-44-0x000000001C040000-0x000000001C058000-memory.dmp

Filesize
96KB

Download
memory/2236-30-0x00007FFA07A33000-0x00007FFA07A35000-memory.dmp

Filesize
8KB

Download
memory/2236-31-0x00000000008A0000-0x0000000000A48000-memory.dmp

Filesize
1.7MB

Download
memory/2236-46-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2236-32-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-47-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-37-0x00000000029D0000-0x00000000029EC000-memory.dmp

Filesize
112KB

Download
memory/2236-35-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-39-0x000000001BFF0000-0x000000001C040000-memory.dmp

Filesize
320KB

Download
memory/2236-38-0x0000000001200000-0x000000000121C000-memory.dmp

Filesize
112KB

Download
memory/2236-42-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-63-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-65-0x000000001C0B0000-0x000000001C0C8000-memory.dmp

Filesize
96KB

Download
memory/2236-62-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-34-0x0000000002A00000-0x0000000002A26000-memory.dmp

Filesize
152KB

Download
memory/2236-49-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download
memory/2236-51-0x000000001B660000-0x000000001B66E000-memory.dmp

Filesize
56KB

Download
memory/2236-56-0x000000001C060000-0x000000001C070000-memory.dmp

Filesize
64KB

Download
memory/2236-54-0x00007FFA07A30000-0x00007FFA084F1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-53-0x000000001BFE0000-0x000000001BFEC000-memory.dmp

Filesize
48KB

Download
memory/2236-58-0x000000001C090000-0x000000001C0A6000-memory.dmp

Filesize
88KB

Download
memory/2236-60-0x000000001C110000-0x000000001C16A000-memory.dmp

Filesize
360KB

Download
memory/4244-0-0x0000000000A66000-0x0000000000A67000-memory.dmp

Filesize
4KB

Download
memory/4288-4-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4288-29-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4288-2-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4288-5-0x0000000000A30000-0x0000000000E23000-memory.dmp

Filesize
3.9MB

Download
memory/4288-3-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4288-1-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4884-99-0x000000001D1B0000-0x000000001D2C5000-memory.dmp

Filesize
1.1MB

Download