dcrat | 6e493132db3dfb86fe69552649d14eee2771430d42ff1a50f96e3e640acbf2f0

General

Target

DCRatBuild.exe
Size

1.3MB
MD5

eec69775acc89f2f67ecb0d80dc029a5
SHA1

dcd800fd58fec732c0feae2febfe947f45d3944e
SHA256

6e493132db3dfb86fe69552649d14eee2771430d42ff1a50f96e3e640acbf2f0
SHA512

efb125891360665b85c5b11004da2de33e2f13abcf9406aa13ceb222e5ccbf5779d802cedf0f27f8e41d1a84d523a6a279e6d1bf303e035369f0bfe426457053
SSDEEP

24576:u2G/nvxW3WieCGKjeM+4v4Rr6joRBbULA70dqMgkXIdu3GbyP+m:ubA3jGKTmMmULA7CbId8Gbo

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00280000000462f8-13.dat	dcrat
behavioral1/memory/5016-16-0x0000000000650000-0x000000000075C000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	mscontainer.exe

Executes dropped EXE 2 IoCs

pid	Process
5016	mscontainer.exe
1140	sysmon.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\conhost.exe	mscontainer.exe
File created	C:\Program Files\Mozilla Firefox\088424020bedd6	mscontainer.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe	mscontainer.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\121e5b5079f7c0	mscontainer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\dllhost.exe	mscontainer.exe
File created	C:\Windows\Speech_OneCore\Engines\5940a34987c991	mscontainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000_Classes\Local Settings	DCRatBuild.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4668	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1508	schtasks.exe
4964	schtasks.exe
2976	schtasks.exe
4748	schtasks.exe
3844	schtasks.exe
4448	schtasks.exe
1028	schtasks.exe
4308	schtasks.exe
860	schtasks.exe
1608	schtasks.exe
1016	schtasks.exe
2208	schtasks.exe
820	schtasks.exe
2440	schtasks.exe
4672	schtasks.exe
900	schtasks.exe
3068	schtasks.exe
2112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5016	mscontainer.exe
5016	mscontainer.exe
5016	mscontainer.exe
5016	mscontainer.exe
5016	mscontainer.exe
1140	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	mscontainer.exe
Token: SeDebugPrivilege	1140	sysmon.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4436	4328	DCRatBuild.exe	83
PID 4328 wrote to memory of 4436	4328	DCRatBuild.exe	83
PID 4328 wrote to memory of 4436	4328	DCRatBuild.exe	83
PID 4436 wrote to memory of 2800	4436	WScript.exe	85
PID 4436 wrote to memory of 2800	4436	WScript.exe	85
PID 4436 wrote to memory of 2800	4436	WScript.exe	85
PID 2800 wrote to memory of 5016	2800	cmd.exe	87
PID 2800 wrote to memory of 5016	2800	cmd.exe	87
PID 5016 wrote to memory of 1140	5016	mscontainer.exe	107
PID 5016 wrote to memory of 1140	5016	mscontainer.exe	107
PID 2800 wrote to memory of 4668	2800	cmd.exe	108
PID 2800 wrote to memory of 4668	2800	cmd.exe	108
PID 2800 wrote to memory of 4668	2800	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FontCrt\v4EBhvwDDus8dpGTc7sOOHNMF.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\FontCrt\8nndisOR96jQX.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\FontCrt\mscontainer.exe
      "C:\FontCrt\mscontainer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\FontCrt\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\FontCrt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\FontCrt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontCrt\8nndisOR96jQX.bat

Filesize
140B

MD5
737a23a43a713bfbc620911d72b08568

SHA1
2d28cdd42b491dc5a71c263f4de89a9b267c3b2e

SHA256
cae33e20f4d512b20b7d8a8ced8ff2dbfecdd5af4bdf2cfa894e4392063ed7ac

SHA512
c07da131453f034e4d2350eaa2b66a14cece703f1f05f25460720fb866ba289d8ebfaf50b9252f644d8dae831b49bfb1fd700d00e2dd2e29ba534ce22d30c02e

Download Submit
C:\FontCrt\mscontainer.exe

Filesize
1.0MB

MD5
90a9b016691488e01001035d6e3c7332

SHA1
41c1ad2edb97e455fb1dd42af6aa42bccf2ca6e7

SHA256
ed8edc329949c6ef8d6ea189e07636bfb51d9153f3bbe25876ea6d2ce0437ba6

SHA512
f427654e3312e42368d8c3c4cf7060747e5cfea28b86712e7fcafc1645dcae82469db05b3d2f38346e34c9f668d35ea5ab6ef65a69862840eda31b6cd7a8c529

Download Submit
C:\FontCrt\v4EBhvwDDus8dpGTc7sOOHNMF.vbe

Filesize
197B

MD5
eebc6c035f2d4b3627375f3ff2d7a83b

SHA1
efd05b0496a20d6007002b94a187e868f3cf828f

SHA256
dedfb300ca692b2ae95643f1bbd7fb33253673d57991e9dedf47362b3a5741f4

SHA512
de4e387db50cae06ae408b7f9947c2413cdc9d94c663156c80f6b2151c66f9c530753969a744d62efe972cd00624bbb9b75a20b124276957b31138c5ba966be6

Download Submit
memory/5016-16-0x0000000000650000-0x000000000075C000-memory.dmp

Filesize
1.0MB

Download
memory/5016-15-0x00007FFE03BF3000-0x00007FFE03BF5000-memory.dmp

Filesize
8KB

Download
memory/5016-18-0x0000000001060000-0x000000000106E000-memory.dmp

Filesize
56KB

Download
memory/5016-17-0x0000000001080000-0x0000000001096000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads