dcrat | 48da1fa982cffab890ae643f4301ffa65949883ae6e6bbb746857a07b9485ef5

General

Target

c61e798b760688db6bc3f7ef8dc59019.exe
Size

2.3MB
MD5

c61e798b760688db6bc3f7ef8dc59019
SHA1

bbf23a7b79c81335c48cd6d27c8be15c08e51202
SHA256

48da1fa982cffab890ae643f4301ffa65949883ae6e6bbb746857a07b9485ef5
SHA512

8f4474b7ba40f7797203392553b73467296f9e27e569dd15b990322ad94b4bd3bca61b979817952fe0a82867f82232bd61688ba4ed47b6c133a95701e6fc3667
SSDEEP

49152:t/twBGYfNs6Vlo2sRsWFjnh5WeX2/tEaZ1XwiB:tlwBGYFZVOZFjXrm/tLZ1Ai

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2672	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2128-1-0x00000000003F0000-0x0000000000640000-memory.dmp	dcrat
behavioral1/files/0x0007000000016dd9-20.dat	dcrat
behavioral1/memory/2456-21-0x0000000000230000-0x0000000000480000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2456	taskhost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\taskhost.exe	c61e798b760688db6bc3f7ef8dc59019.exe
File created	C:\Program Files (x86)\Reference Assemblies\b75386f1303e64	c61e798b760688db6bc3f7ef8dc59019.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
2988	schtasks.exe
2728	schtasks.exe
2560	schtasks.exe
2620	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2128	c61e798b760688db6bc3f7ef8dc59019.exe
2456	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	c61e798b760688db6bc3f7ef8dc59019.exe
Token: SeDebugPrivilege	2456	taskhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1092	2128	c61e798b760688db6bc3f7ef8dc59019.exe	37
PID 2128 wrote to memory of 1092	2128	c61e798b760688db6bc3f7ef8dc59019.exe	37
PID 2128 wrote to memory of 1092	2128	c61e798b760688db6bc3f7ef8dc59019.exe	37
PID 1092 wrote to memory of 2404	1092	cmd.exe	39
PID 1092 wrote to memory of 2404	1092	cmd.exe	39
PID 1092 wrote to memory of 2404	1092	cmd.exe	39
PID 1092 wrote to memory of 2456	1092	cmd.exe	40
PID 1092 wrote to memory of 2456	1092	cmd.exe	40
PID 1092 wrote to memory of 2456	1092	cmd.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c61e798b760688db6bc3f7ef8dc59019.exe
"C:\Users\Admin\AppData\Local\Temp\c61e798b760688db6bc3f7ef8dc59019.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2404
- - C:\Program Files (x86)\Reference Assemblies\taskhost.exe
    "C:\Program Files (x86)\Reference Assemblies\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\taskhost.exe

Filesize
2.3MB

MD5
c61e798b760688db6bc3f7ef8dc59019

SHA1
bbf23a7b79c81335c48cd6d27c8be15c08e51202

SHA256
48da1fa982cffab890ae643f4301ffa65949883ae6e6bbb746857a07b9485ef5

SHA512
8f4474b7ba40f7797203392553b73467296f9e27e569dd15b990322ad94b4bd3bca61b979817952fe0a82867f82232bd61688ba4ed47b6c133a95701e6fc3667

Download Submit
C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat

Filesize
221B

MD5
1b7bcad8b4439a5c7e1c1cfcdb0424dc

SHA1
e4fdfb1c8bfed793a1add89551b2a81fab9c2b0d

SHA256
53ffff06c6ea19012ded69dcbe285e419c20122d128783a31718c4f53682392d

SHA512
ea53605ef24a87fc6e1535669df8af3bd03f122df7677c7a620b3a51e882af1560bfe27791d2fe1ff41d85da630b2932d952d9add750be6bd90aeb2377db2138

Download Submit
memory/2128-6-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2128-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2128-4-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/2128-5-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/2128-0-0x000007FEF50C3000-0x000007FEF50C4000-memory.dmp

Filesize
4KB

Download
memory/2128-7-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2128-8-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2128-17-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-2-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-1-0x00000000003F0000-0x0000000000640000-memory.dmp

Filesize
2.3MB

Download
memory/2456-21-0x0000000000230000-0x0000000000480000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads