dcrat | 65b0c87250c7207266c3106b971952371a617a6d8a71961261f9cee48d3b5af1

General

Target

DCRatBuild.exe
Size

1.3MB
MD5

28c9205807203203b71d3bd96798998a
SHA1

1e5a4a9e3b3f32a177d00919d48ef8d8375bf91b
SHA256

65b0c87250c7207266c3106b971952371a617a6d8a71961261f9cee48d3b5af1
SHA512

eafc27377283d50890c2212aa73dd8474974dc81a358774ae2aab4bd4678680d187281a45338b86ba50d41c01772c69fc3816d6688173da78bcf333d867274e8
SSDEEP

24576:U2G/nvxW3Ww0tQT2vWFQ/NJcu6EpfGr5ys8NL/IRNWdtmV:UbA30TNJcKGrJkzIDW2

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	236	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	236	schtasks.exe	81

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x001b00000002ab97-10.dat	dcrat
behavioral2/memory/5084-13-0x0000000000F70000-0x000000000107C000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
5084	mscontainer.exe
1628	sppsvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\da-DK\OfficeClickToRun.exe	mscontainer.exe
File created	C:\Windows\SysWOW64\da-DK\e6c9b481da804f	mscontainer.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\sppsvc.exe	mscontainer.exe
File created	C:\Program Files (x86)\Windows Defender\0a1fd5f707cd16	mscontainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	DCRatBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3376	schtasks.exe
4392	schtasks.exe
3664	schtasks.exe
4536	schtasks.exe
456	schtasks.exe
1740	schtasks.exe
4152	schtasks.exe
2980	schtasks.exe
5044	schtasks.exe
1760	schtasks.exe
4864	schtasks.exe
3896	schtasks.exe
2388	schtasks.exe
608	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5084	mscontainer.exe
5084	mscontainer.exe
5084	mscontainer.exe
5084	mscontainer.exe
5084	mscontainer.exe
5084	mscontainer.exe
5084	mscontainer.exe
1628	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	mscontainer.exe
Token: SeDebugPrivilege	1628	sppsvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 1448	3788	DCRatBuild.exe	77
PID 3788 wrote to memory of 1448	3788	DCRatBuild.exe	77
PID 3788 wrote to memory of 1448	3788	DCRatBuild.exe	77
PID 1448 wrote to memory of 4456	1448	WScript.exe	78
PID 1448 wrote to memory of 4456	1448	WScript.exe	78
PID 1448 wrote to memory of 4456	1448	WScript.exe	78
PID 4456 wrote to memory of 5084	4456	cmd.exe	80
PID 4456 wrote to memory of 5084	4456	cmd.exe	80
PID 5084 wrote to memory of 1628	5084	mscontainer.exe	97
PID 5084 wrote to memory of 1628	5084	mscontainer.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FontCrt\khuXVZNLT8lHU57dZRLpVAxj9.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\FontCrt\ahBTPS2VPnUCyISJ3w9RBP1jNcT.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\FontCrt\mscontainer.exe
      "C:\FontCrt\mscontainer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Program Files (x86)\Windows Defender\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\FontCrt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\FontCrt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\FontCrt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\da-DK\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SysWOW64\da-DK\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\da-DK\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\FontCrt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\FontCrt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\FontCrt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontCrt\ahBTPS2VPnUCyISJ3w9RBP1jNcT.bat

Filesize
28B

MD5
e1f58127ae786ef52764c622753d3e8a

SHA1
c45e0842b04d8fbb0374ccdef5e950b7fceca1b6

SHA256
d16ade0fe8e1865172f17305962ba1c4cae5f8ad4d3618a5d87ea62732e2cab5

SHA512
f6393ad6f076b77bd57b25308588d43d3cbc4bd3b6d08fad62ba5ca74f1b140aedb69b8a14900570d0ac81cdb4b6cb8453a2920337d14877dd11cb293870b598

Download Submit
C:\FontCrt\khuXVZNLT8lHU57dZRLpVAxj9.vbe

Filesize
211B

MD5
694d3b43806f860222387aa75f580204

SHA1
c2059e5e815c25a75dc2ee377b2dec21993c14ab

SHA256
ab69e634aa7e7cf4fc538d611f116bd7a935d04ac5c9a5b7b9801e9e67ca8bc9

SHA512
4980edf01d5e988caac1320f38b7a3dc0a3f12c6b361f8b4423ebd7f3a68271e508f520463a6598c750e13340498858ea3dd77561578a5ce1e9c22687a4a04c2

Download Submit
C:\FontCrt\mscontainer.exe

Filesize
1.0MB

MD5
6e419c52de7ea417517eb6b05d282976

SHA1
7c24c07261e8738d2ff5cc71ff12b45806433f13

SHA256
34b11186c045bb01af30e36590e39fa1ae8dacb6bb97c4fe0d4ebbec10a33948

SHA512
b464974f1d251638f173279d9fbdc6ed81b541de92975740b16c47b8a0273f08a742439cdcf3aed5c2b177cfc2ff3c1daa64f3ccfa8b4905fecf3cbe29352b9e

Download Submit
memory/5084-12-0x00007FF881773000-0x00007FF881775000-memory.dmp

Filesize
8KB

Download
memory/5084-13-0x0000000000F70000-0x000000000107C000-memory.dmp

Filesize
1.0MB

Download
memory/5084-14-0x0000000003300000-0x0000000003316000-memory.dmp

Filesize
88KB

Download
memory/5084-15-0x0000000003320000-0x000000000332E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads