dcrat | 9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OsintAkulaDoxRelease2.0.exe
Size

1.6MB
MD5

17e5d1ccf6f2250f75bb5fa68f971767
SHA1

7d935074dbb166b4e481261c0aa855dd1e775d17
SHA256

9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828
SHA512

a7fd59c415e51fd57545a88c993d7ce8abbc4809e92e7dfc533778002f9492612880d4fab30e5d53358aedb9c3e1ee780bb3fe99313083d9232a3cbe6c5e47cc
SSDEEP

24576:U2G/nvxW3Ww0t2IwCzsb0EIYKBInv4BFooOQSK7WmmpC84H366W1e:UbA30twh0rTbF3/7mLz6P

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192a9-11.dat	dcrat
behavioral1/memory/2192-13-0x0000000000B30000-0x0000000000C7C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2192	dhcpcommon.exe

Loads dropped DLL 2 IoCs

pid	Process
352	cmd.exe
352	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OsintAkulaDoxRelease2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	dhcpcommon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2392	2396	OsintAkulaDoxRelease2.0.exe	30
PID 2396 wrote to memory of 2392	2396	OsintAkulaDoxRelease2.0.exe	30
PID 2396 wrote to memory of 2392	2396	OsintAkulaDoxRelease2.0.exe	30
PID 2396 wrote to memory of 2392	2396	OsintAkulaDoxRelease2.0.exe	30
PID 2392 wrote to memory of 352	2392	WScript.exe	31
PID 2392 wrote to memory of 352	2392	WScript.exe	31
PID 2392 wrote to memory of 352	2392	WScript.exe	31
PID 2392 wrote to memory of 352	2392	WScript.exe	31
PID 352 wrote to memory of 2192	352	cmd.exe	33
PID 352 wrote to memory of 2192	352	cmd.exe	33
PID 352 wrote to memory of 2192	352	cmd.exe	33
PID 352 wrote to memory of 2192	352	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\OsintAkulaDoxRelease2.0.exe
"C:\Users\Admin\AppData\Local\Temp\OsintAkulaDoxRelease2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\ComProviderservercrt\dhcpcommon.exe
      "C:\ComProviderservercrt\dhcpcommon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat

Filesize
40B

MD5
9aaeb85b68b2c641d6ea8bbc3e7efb1f

SHA1
caa2ce69f5eea67e08aa40c844a38c669ef86db5

SHA256
d1de03f54cb15974c2e26d79af82446ca304413ae2634faf981dc1327325713e

SHA512
b486c4ae73c61b6996f1f902ca8533601361f72fbac93a2ef480f4729afc75b8615c562cfc579a6bce40555d356754839be60ec5cfb86036fd7274c8afa3c06c

Download Submit
C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe

Filesize
211B

MD5
e061686d28660bb9114d963a2ff01c1d

SHA1
f4e81a4553722503c473eb7c7f77396aa3323c19

SHA256
c14ec59bae7b314a9cb5c9cc01053f93a89547ae882193a57a36d6c31b887e1d

SHA512
5fa0180dda99faf18849f9fd248e4de68c3220bd965d176f3c9a081d5c69f9ed100c80dc1cdf3f0a9b7c67c3a832bde565797756cc047d8f10662cb0ef683b9c

Download Submit
\ComProviderservercrt\dhcpcommon.exe

Filesize
1.3MB

MD5
493cf952e6aa65181c8458d312ee1421

SHA1
6065a925782b18b0e3e018750c5a760ebfaadf4f

SHA256
c3e0e8356bd4a52e07679935019f4474715f4b7ae291cfbda9d35bf0bc3e2460

SHA512
3db22d2dd54be931f8e55133a2eec56713d7199d803a290de7741c6b3afda50d98fd0c6c3feda7e835361319398bb2d11108a1cba9f8a2cd7fe2c43c7a36efb8

Download Submit
memory/2192-13-0x0000000000B30000-0x0000000000C7C000-memory.dmp

Filesize
1.3MB

Download
memory/2192-14-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download