dcrat | 5bd525310bcd5c98592f1ccfc15b9d2b6b60dedb381e99028712381ac7bfec02

General

Target

nixwar crack.exe
Size

2.8MB
MD5

dccac8ad9d669af1e2010c4fc3117987
SHA1

60abbe80a65eae70681d56968890e99d961c9a56
SHA256

667d56e9383d71602c4424914cbf6a058ba54aaadf3f4bdca96b9f0b3f98472a
SHA512

3955087f29d372af583609e692882c192b7dd04395f439d588d662b2ab6f5a08079983617d1809dd93d978670eb9de57462a22ef6103cb5edd9454d376058f32
SSDEEP

49152:UbA30ONOGoXs9oflUvpWz6325lgtXl4BhqrlR5D9LY0WVV:Ub6Ws9oflEWstV46rTrLY0WVV

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000023c74-15.dat	dcrat
behavioral1/memory/4280-17-0x0000000000220000-0x000000000049C000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nixwar crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4280	serverMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixwar crack.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	nixwar crack.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	serverMonitor.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 444	2576	nixwar crack.exe	83
PID 2576 wrote to memory of 444	2576	nixwar crack.exe	83
PID 2576 wrote to memory of 444	2576	nixwar crack.exe	83
PID 2576 wrote to memory of 3624	2576	nixwar crack.exe	84
PID 2576 wrote to memory of 3624	2576	nixwar crack.exe	84
PID 2576 wrote to memory of 3624	2576	nixwar crack.exe	84
PID 444 wrote to memory of 2088	444	WScript.exe	86
PID 444 wrote to memory of 2088	444	WScript.exe	86
PID 444 wrote to memory of 2088	444	WScript.exe	86
PID 2088 wrote to memory of 4280	2088	cmd.exe	88
PID 2088 wrote to memory of 4280	2088	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\nixwar crack.exe
"C:\Users\Admin\AppData\Local\Temp\nixwar crack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WebInto\nSozJ1dyBj8wiNXEk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\WebInto\qRb4p1pB7PbnXpdQ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\WebInto\serverMonitor.exe
      "C:\WebInto\serverMonitor.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WebInto\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WebInto\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\WebInto\nSozJ1dyBj8wiNXEk.vbe

Filesize
200B

MD5
1ec76b27cb22780a9629004889a9314b

SHA1
a285ad4ed32e0b23e429ac556a49d2bf40d1a87e

SHA256
95eeb7d02cfa88ef6b823f74e94dad6cd3712e32c28aa459dd21ac3a7203e52c

SHA512
257f539d51aa8c71faaa049447c2f0827f7bf4c7b5bc49b06285c6f48d4b5a4caeb39704567fc8970e151eea7d5195c76f72ab223819a4db1893220b7d341470

Download Submit
C:\WebInto\qRb4p1pB7PbnXpdQ.bat

Filesize
30B

MD5
b7bd9ac985155b8d7835c88076a1079d

SHA1
d4cdeb6a2515ec83a4bca53b1dcdefecbd3f3a66

SHA256
56acac90b04931e59960f48c355cbb6d2fe905dc7840ea901f2bba3bcff2da22

SHA512
ad4a856dee4bfe0990d58f87cf657cb0e95c74c9046a8b8f08671088212f0cb231db72e913890a162fcf48f0931cba187335df3ffd4c7611b4dfd829a049082b

Download Submit
C:\WebInto\serverMonitor.exe

Filesize
2.5MB

MD5
9788401a75105680a18d28dd5780d3ed

SHA1
5d2c05e7bab595c5df1f8c8eed1e75006ac7e3ca

SHA256
7b99999e93a7861481f9f4532d2b391215512737d9893b1d89f46ca79fae98a6

SHA512
a1481f6c4d20a21f497bee65b2d5f86c3b84d3d8bb259ef68ea7499affa78cb245fb19bd2911644d95aef06fdb44047ccfa8609a86e8296c46a5329415de4f5f

Download Submit
memory/4280-17-0x0000000000220000-0x000000000049C000-memory.dmp

Filesize
2.5MB

Download
memory/4280-18-0x000000001B060000-0x000000001B06E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing