Overview

overview

10

Static

static

10

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2025 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.3MB

  • MD5

    28c9205807203203b71d3bd96798998a

  • SHA1

    1e5a4a9e3b3f32a177d00919d48ef8d8375bf91b

  • SHA256

    65b0c87250c7207266c3106b971952371a617a6d8a71961261f9cee48d3b5af1

  • SHA512

    eafc27377283d50890c2212aa73dd8474974dc81a358774ae2aab4bd4678680d187281a45338b86ba50d41c01772c69fc3816d6688173da78bcf333d867274e8

  • SSDEEP

    24576:U2G/nvxW3Ww0tQT2vWFQ/NJcu6EpfGr5ys8NL/IRNWdtmV:UbA30TNJcKGrJkzIDW2

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat 35 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontCrt\khuXVZNLT8lHU57dZRLpVAxj9.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\FontCrt\ahBTPS2VPnUCyISJ3w9RBP1jNcT.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\FontCrt\mscontainer.exe
          "C:\FontCrt\mscontainer.exe"
          4⤵
          • DcRat
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2840
          • C:\FontCrt\mscontainer.exe
            "C:\FontCrt\mscontainer.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JYJDyLaZc4.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2980
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1920
                • C:\MSOCache\All Users\spoolsv.exe
                  "C:\MSOCache\All Users\spoolsv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\inf\TermService\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\FontCrt\schtasks.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\FontCrt\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\FontCrt\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\FontCrt\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\FontCrt\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\FontCrt\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\schtasks.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\FontCrt\ahBTPS2VPnUCyISJ3w9RBP1jNcT.bat
      Filesize

      28B

      MD5

      e1f58127ae786ef52764c622753d3e8a

      SHA1

      c45e0842b04d8fbb0374ccdef5e950b7fceca1b6

      SHA256

      d16ade0fe8e1865172f17305962ba1c4cae5f8ad4d3618a5d87ea62732e2cab5

      SHA512

      f6393ad6f076b77bd57b25308588d43d3cbc4bd3b6d08fad62ba5ca74f1b140aedb69b8a14900570d0ac81cdb4b6cb8453a2920337d14877dd11cb293870b598

      Download Submit

    • C:\FontCrt\khuXVZNLT8lHU57dZRLpVAxj9.vbe
      Filesize

      211B

      MD5

      694d3b43806f860222387aa75f580204

      SHA1

      c2059e5e815c25a75dc2ee377b2dec21993c14ab

      SHA256

      ab69e634aa7e7cf4fc538d611f116bd7a935d04ac5c9a5b7b9801e9e67ca8bc9

      SHA512

      4980edf01d5e988caac1320f38b7a3dc0a3f12c6b361f8b4423ebd7f3a68271e508f520463a6598c750e13340498858ea3dd77561578a5ce1e9c22687a4a04c2

      Download Submit

    • C:\FontCrt\mscontainer.exe
      Filesize

      1.0MB

      MD5

      6e419c52de7ea417517eb6b05d282976

      SHA1

      7c24c07261e8738d2ff5cc71ff12b45806433f13

      SHA256

      34b11186c045bb01af30e36590e39fa1ae8dacb6bb97c4fe0d4ebbec10a33948

      SHA512

      b464974f1d251638f173279d9fbdc6ed81b541de92975740b16c47b8a0273f08a742439cdcf3aed5c2b177cfc2ff3c1daa64f3ccfa8b4905fecf3cbe29352b9e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JYJDyLaZc4.bat
      Filesize

      198B

      MD5

      3609d9f6b4fdcf7b9c978e2f881427ed

      SHA1

      2dc578aed35e7f23ff16c3df5b8ac7dc2a86d3f8

      SHA256

      faa8183d20d1e9f3c9fbd5419db8f1df66fd81083d72bf2b8d6cc89d466457b3

      SHA512

      c4ec12cda1b39388cffb2198dcc2a188d3d0f68b9685ecb9aeba0c99142908fa7a669392f4dcf5789738f37e5c704eda8991067a5ef1f1b8533a559f1a5ec947

      Download Submit

    • memory/628-46-0x0000000001260000-0x000000000136C000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2840-13-0x0000000000AC0000-0x0000000000BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2840-14-0x00000000003C0000-0x00000000003D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2840-15-0x0000000000470000-0x000000000047E000-memory.dmp

      Filesize

      56KB

      Download