dcrat | aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a

General

Target

aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
Size

391KB
MD5

43d30c776f593efdf5416ab4142442d6
SHA1

3f7f251511aa918a3c221cb4d039e406e9449132
SHA256

aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a
SHA512

8b1b195775c3de13cc281fe9d92580230fcdb48a9dab001eaa442328aa88e1ec27ced4cdaaa941bb42141a269e7f844f4dd945d8a9a6df06bb05393271987238
SSDEEP

6144:sSg0P0VgwhTfR4NATIVDHPfq1NRHR5/nQibDVDeFtJ9JDwzTE3GL0:+hLR4vq1N354iHQj1X3G

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b000000023b82-13.dat	family_dcrat_v2
behavioral2/memory/2092-20-0x00000000000A0000-0x0000000000184000-memory.dmp	family_dcrat_v2

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	xs33foke.5cx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
Token: SeDebugPrivilege	2092	xs33foke.5cx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2092	4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe	84
PID 4712 wrote to memory of 2092	4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe	84
PID 4712 wrote to memory of 436	4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe	85
PID 4712 wrote to memory of 436	4712	aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe	85
PID 436 wrote to memory of 4880	436	cmd.exe	87
PID 436 wrote to memory of 4880	436	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
"C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\xs33foke.5cx.exe
  "C:\Users\Admin\AppData\Local\Temp\xs33foke.5cx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xs33foke.5cx.exe

Filesize
882KB

MD5
02e08842c25f66b1ffe53ce0f50f1758

SHA1
a5d1e71b9e6484a5ebc555dd41a5450909387cb2

SHA256
eb3ff36d945d22d68d24690566115eac07c6666154ec18dd37527673375e41fa

SHA512
807a3a8c5a223f843989ff1488198c7700a0e1ad779b7e055ce93ad44fef24c62a4025325621ee7b402cb771584ec847e9cb63177bee8672b31b3c7f6f5b5db3

Download Submit
memory/2092-31-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/2092-32-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/2092-22-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2092-24-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2092-25-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2092-26-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/2092-27-0x00000000021F0000-0x000000000220C000-memory.dmp

Filesize
112KB

Download
memory/2092-28-0x0000000002210000-0x0000000002228000-memory.dmp

Filesize
96KB

Download
memory/2092-30-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/2092-20-0x00000000000A0000-0x0000000000184000-memory.dmp

Filesize
912KB

Download
memory/2092-34-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2092-29-0x0000000002230000-0x000000000223E000-memory.dmp

Filesize
56KB

Download
memory/4712-7-0x0000023CFE1C0000-0x0000023CFE236000-memory.dmp

Filesize
472KB

Download
memory/4712-1-0x0000023CE3C70000-0x0000023CE3CD8000-memory.dmp

Filesize
416KB

Download
memory/4712-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

Filesize
8KB

Download
memory/4712-4-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/4712-8-0x0000023CE58C0000-0x0000023CE58DE000-memory.dmp

Filesize
120KB

Download
memory/4712-2-0x0000023CE5870000-0x0000023CE58C0000-memory.dmp

Filesize
320KB

Download
memory/4712-6-0x0000023CE5840000-0x0000023CE5852000-memory.dmp

Filesize
72KB

Download
memory/4712-5-0x0000023C80EE0000-0x0000023C81408000-memory.dmp

Filesize
5.2MB

Download
memory/4712-3-0x0000023CFE390000-0x0000023CFE552000-memory.dmp

Filesize
1.8MB

Download
memory/4712-23-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads