dcrat | 519bcb8d930b658fa5d0b975c7f74efd297e37c2067753b2020f09147fe86cfa

Analysis

max time kernel
122s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F868DDCB54E0C6AC37B4F7858D871083.exe
Size

737KB
MD5

f868ddcb54e0c6ac37b4f7858d871083
SHA1

996f978b1498c8fd01ec1caa5a35e202545b4e14
SHA256

519bcb8d930b658fa5d0b975c7f74efd297e37c2067753b2020f09147fe86cfa
SHA512

bfd37ab7cf85c1a75c9ab81333ccdc0d9583433002cb2866831e4dba617f1adeb0d735e86179e0302ab02afd4dda7349252529ef8ce255687644f3b7a1aef62c
SSDEEP

12288:sRTnNNfL/Yr2kNnmSHJJMA+HCpW3Ari4VVyZC0+1cqwwZ6:sRTnfYTmSpJMA+i3iE0nq/6

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2256	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2256	schtasks.exe	28

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2792-1-0x0000000000310000-0x00000000003CE000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00050000000186ee-19.dat	family_dcrat_v2
behavioral1/memory/1996-31-0x00000000002F0000-0x00000000003AE000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
1996	explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\winlogon.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Program Files (x86)\Windows Defender\cc11b995f2a76d	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Program Files\Windows Mail\es-ES\explorer.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Program Files\Windows Mail\es-ES\7a0fd90576e088	F868DDCB54E0C6AC37B4F7858D871083.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1440	schtasks.exe
464	schtasks.exe
1684	schtasks.exe
2440	schtasks.exe
2324	schtasks.exe
2588	schtasks.exe
2732	schtasks.exe
2872	schtasks.exe
1736	schtasks.exe
2528	schtasks.exe
2576	schtasks.exe
2636	schtasks.exe
2796	schtasks.exe
2464	schtasks.exe
2604	schtasks.exe
2512	schtasks.exe
2376	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
2792	F868DDCB54E0C6AC37B4F7858D871083.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	F868DDCB54E0C6AC37B4F7858D871083.exe
Token: SeDebugPrivilege	1996	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1576	2792	F868DDCB54E0C6AC37B4F7858D871083.exe	47
PID 2792 wrote to memory of 1576	2792	F868DDCB54E0C6AC37B4F7858D871083.exe	47
PID 2792 wrote to memory of 1576	2792	F868DDCB54E0C6AC37B4F7858D871083.exe	47
PID 1576 wrote to memory of 2212	1576	cmd.exe	49
PID 1576 wrote to memory of 2212	1576	cmd.exe	49
PID 1576 wrote to memory of 2212	1576	cmd.exe	49
PID 1576 wrote to memory of 2020	1576	cmd.exe	50
PID 1576 wrote to memory of 2020	1576	cmd.exe	50
PID 1576 wrote to memory of 2020	1576	cmd.exe	50
PID 1576 wrote to memory of 1996	1576	cmd.exe	51
PID 1576 wrote to memory of 1996	1576	cmd.exe	51
PID 1576 wrote to memory of 1996	1576	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe
"C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tJkF1zEPYf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2212
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2020
- - C:\Program Files\Windows Mail\es-ES\explorer.exe
    "C:\Program Files\Windows Mail\es-ES\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F868DDCB54E0C6AC37B4F7858D871083F" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F868DDCB54E0C6AC37B4F7858D871083" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F868DDCB54E0C6AC37B4F7858D871083F" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\es-ES\explorer.exe

Filesize
737KB

MD5
f868ddcb54e0c6ac37b4f7858d871083

SHA1
996f978b1498c8fd01ec1caa5a35e202545b4e14

SHA256
519bcb8d930b658fa5d0b975c7f74efd297e37c2067753b2020f09147fe86cfa

SHA512
bfd37ab7cf85c1a75c9ab81333ccdc0d9583433002cb2866831e4dba617f1adeb0d735e86179e0302ab02afd4dda7349252529ef8ce255687644f3b7a1aef62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJkF1zEPYf.bat

Filesize
224B

MD5
5daf60a2df0620b0f711804ea2728d39

SHA1
0153ec3c68879372ef95b80cb320518df1a50f4b

SHA256
3b4d8ca284cc34054a8ddc883519a843abf062da4e9dff32670997c31bf04f7a

SHA512
16883bae0ce068a269c3b85aed2e82b5cd4b2cc1b2e5405e60636741781882d050804f6982e1f2a157dd7f5b14c09dc01ba15545e28145f497f323b664521165

Download Submit
memory/1996-31-0x00000000002F0000-0x00000000003AE000-memory.dmp

Filesize
760KB

Download
memory/2792-9-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-6-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2792-8-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/2792-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/2792-4-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2792-21-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-22-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-28-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-1-0x0000000000310000-0x00000000003CE000-memory.dmp

Filesize
760KB

Download