dcrat | b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8

General

Target

b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe
Size

1.1MB
MD5

5512b3a1a182131b7829c06e8b3ab318
SHA1

0eecd6925320b80af74c18a162e8313885dec8f4
SHA256

b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8
SHA512

5322426d7490e21ac960987479c8401ec58fb8b9b8dcddaf8145c2177c7a48531f02485e1583fd2801652814ef7b2145bab79558d6589af8c8dc614149afe987
SSDEEP

24576:U2G/nvxW3Ww0t03QsZQWzGPrR12EVMiLIc:UbA3003HqW0R12EZ

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b92-10.dat	dcrat
behavioral2/memory/2688-13-0x00000000002F0000-0x00000000003C6000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	Providerhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3288	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2688	Providerhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	Providerhost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 4608	428	b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe	84
PID 428 wrote to memory of 4608	428	b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe	84
PID 428 wrote to memory of 4608	428	b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe	84
PID 4608 wrote to memory of 4988	4608	WScript.exe	88
PID 4608 wrote to memory of 4988	4608	WScript.exe	88
PID 4608 wrote to memory of 4988	4608	WScript.exe	88
PID 4988 wrote to memory of 2688	4988	cmd.exe	91
PID 4988 wrote to memory of 2688	4988	cmd.exe	91
PID 4988 wrote to memory of 3288	4988	cmd.exe	97
PID 4988 wrote to memory of 3288	4988	cmd.exe	97
PID 4988 wrote to memory of 3288	4988	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe
"C:\Users\Admin\AppData\Local\Temp\b3b5e03f84d34eb050580e5aa00f4324af3134b1a4d2aa4053a81824cef162c8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\fontcommonsvc\cPVD56ggjjI0c65L2nioJKH2tML.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\fontcommonsvc\FmFPIMJMEY92OVIck7jH63l.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\fontcommonsvc\Providerhost.exe
      "C:\fontcommonsvc\Providerhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\fontcommonsvc\FmFPIMJMEY92OVIck7jH63l.bat

Filesize
147B

MD5
7c84f27cf38f124f5906e116c0e5e957

SHA1
6be7f7600a4408615f23562db3e81f704bf2ca96

SHA256
692a9b62c5e440079d1e942544a701442282acc24e46cb7f97c252fc36fc1bd5

SHA512
ef38fe6d2a3295b5c8b1288d9591683015ba68112a08b2fd6c7636a9db49175b0210d91c7b77d38d02c9e9d6edf9d68c500e27d0de22e006dac29a1a95528732

Download Submit
C:\fontcommonsvc\Providerhost.exe

Filesize
828KB

MD5
91b4e1542b8e5f3fa37983b70337dc59

SHA1
f12111a7c33352ad6329a26c2ef6c2971de5dce0

SHA256
25feb0fd67bff8ff2500c9d305129ae47a10170aac64bd87751d28251ef6728f

SHA512
a2d03174cee82b48ff6a3273bb018daa117634b5168fdd525e22162fd63f38628cc082e761baf217bc9f5df67e2a531e2c24fde3443099dd6681a843d29d3f2b

Download Submit
C:\fontcommonsvc\cPVD56ggjjI0c65L2nioJKH2tML.vbe

Filesize
213B

MD5
e66cac0e425493659b0e21e5d9de79d5

SHA1
188ef544c13b4a22ad9fdd05541ff5e712fab565

SHA256
7896b4d5a9d84ab187e23c60be0400bb6d534dc996a50bf42d9eb597022de5a7

SHA512
4f168b585f35b038f87091781ffd3982b89835c2b5b020d46417262aaf5bfdb0241745de1883a5f8e3480dac97a02b626133f9552eab7051b0332028bf8b3c8e

Download Submit
memory/2688-12-0x00007FFE0C093000-0x00007FFE0C095000-memory.dmp

Filesize
8KB

Download
memory/2688-13-0x00000000002F0000-0x00000000003C6000-memory.dmp

Filesize
856KB

Download
memory/2688-14-0x00007FFE0C093000-0x00007FFE0C095000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing