dcrat | eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162

General

Target

eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
Size

829KB
MD5

39080b718b5fd386e181eae293d3dd8e
SHA1

d08ff7cf2dd523b14453fc3a2403fc08adc8185e
SHA256

eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162
SHA512

11744429f505482bd88d17947ef192f468966b7d7b875ed67ae7a908313f300ef0bbf9cb326d526a169a93c23fa7417bb71a04bd9fa07d6bd5ef9e37f9987aff
SSDEEP

12288:KowrLE6IKSq9aZxoHH6+LsHmRWR1httY5B2ycgPATuUc4wGOx:KoevIKSq9aZ46+LR2YeyPPUy4tOx

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2176	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/600-1-0x0000000000290000-0x0000000000366000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d47-11.dat	dcrat
behavioral1/memory/772-25-0x0000000000840000-0x0000000000916000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
772	smss.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\spoolsv.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File opened for modification	C:\Program Files\Windows Journal\spoolsv.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files\Windows Journal\f3b6ecef712a24	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files\Uninstall Information\b75386f1303e64	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files\Google\lsm.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files\Uninstall Information\taskhost.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files (x86)\Windows Media Player\lsm.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files (x86)\Windows Media Player\101b941d020240	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Program Files\Google\101b941d020240	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Panther\setup.exe\spoolsv.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Windows\Panther\setup.exe\f3b6ecef712a24	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Windows\de-DE\smss.exe	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
File created	C:\Windows\de-DE\69ddcba757bf72	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe
2836	schtasks.exe
2880	schtasks.exe
2900	schtasks.exe
2904	schtasks.exe
596	schtasks.exe
2956	schtasks.exe
2452	schtasks.exe
2828	schtasks.exe
2088	schtasks.exe
300	schtasks.exe
2272	schtasks.exe
2912	schtasks.exe
2636	schtasks.exe
2780	schtasks.exe
2692	schtasks.exe
1784	schtasks.exe
2684	schtasks.exe
3048	schtasks.exe
2748	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
600	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
772	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	600	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
Token: SeDebugPrivilege	772	smss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 3016	600	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe	52
PID 600 wrote to memory of 3016	600	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe	52
PID 600 wrote to memory of 3016	600	eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe	52
PID 3016 wrote to memory of 1228	3016	cmd.exe	54
PID 3016 wrote to memory of 1228	3016	cmd.exe	54
PID 3016 wrote to memory of 1228	3016	cmd.exe	54
PID 3016 wrote to memory of 772	3016	cmd.exe	55
PID 3016 wrote to memory of 772	3016	cmd.exe	55
PID 3016 wrote to memory of 772	3016	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe
"C:\Users\Admin\AppData\Local\Temp\eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1228
- - C:\Windows\de-DE\smss.exe
    "C:\Windows\de-DE\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System.exe

Filesize
829KB

MD5
39080b718b5fd386e181eae293d3dd8e

SHA1
d08ff7cf2dd523b14453fc3a2403fc08adc8185e

SHA256
eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162

SHA512
11744429f505482bd88d17947ef192f468966b7d7b875ed67ae7a908313f300ef0bbf9cb326d526a169a93c23fa7417bb71a04bd9fa07d6bd5ef9e37f9987aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE3FB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE41D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat

Filesize
190B

MD5
d5e8b33070c23cedd0596f61a579304c

SHA1
19c33b34618b85a6523d72e5c02a65f232ad1011

SHA256
c82c9a9f3758cc3137f4bd2cbc772de032883aaaf5f92c568df4eb6eaaeb5033

SHA512
0f3a135314c174c7fd56a2fad9615dd2f9aa918c3c0e9ef6c82321c511ae5bd48e98a4f576e53cec7d0f67a661c91791cbafaaf04d978a6e59d90e82f3bc1b13

Download Submit
memory/600-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/600-1-0x0000000000290000-0x0000000000366000-memory.dmp

Filesize
856KB

Download
memory/600-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/600-21-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/772-25-0x0000000000840000-0x0000000000916000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads