dcrat | 519bcb8d930b658fa5d0b975c7f74efd297e37c2067753b2020f09147fe86cfa

Analysis

max time kernel
93s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F868DDCB54E0C6AC37B4F7858D871083.exe
Size

737KB
MD5

f868ddcb54e0c6ac37b4f7858d871083
SHA1

996f978b1498c8fd01ec1caa5a35e202545b4e14
SHA256

519bcb8d930b658fa5d0b975c7f74efd297e37c2067753b2020f09147fe86cfa
SHA512

bfd37ab7cf85c1a75c9ab81333ccdc0d9583433002cb2866831e4dba617f1adeb0d735e86179e0302ab02afd4dda7349252529ef8ce255687644f3b7a1aef62c
SSDEEP

12288:sRTnNNfL/Yr2kNnmSHJJMA+HCpW3Ari4VVyZC0+1cqwwZ6:sRTnfYTmSpJMA+i3iE0nq/6

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2380	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2380	schtasks.exe	84

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2964-1-0x0000000000140000-0x00000000001FE000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000a000000023ba0-19.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	F868DDCB54E0C6AC37B4F7858D871083.exe

Executes dropped EXE 1 IoCs

pid	Process
5020	backgroundTaskHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Program Files (x86)\Reference Assemblies\5b884080fd4f94	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eddb19405b7ce1	F868DDCB54E0C6AC37B4F7858D871083.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPMethods\TextInputHost.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Windows\DiagTrack\Scenarios\MusNotification.exe	F868DDCB54E0C6AC37B4F7858D871083.exe
File created	C:\Windows\DiagTrack\Scenarios\aa97147c4c782d	F868DDCB54E0C6AC37B4F7858D871083.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
508	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	F868DDCB54E0C6AC37B4F7858D871083.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
508	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3300	schtasks.exe
1948	schtasks.exe
724	schtasks.exe
3028	schtasks.exe
2092	schtasks.exe
2120	schtasks.exe
4168	schtasks.exe
2336	schtasks.exe
3632	schtasks.exe
2732	schtasks.exe
116	schtasks.exe
2820	schtasks.exe
1932	schtasks.exe
2172	schtasks.exe
8	schtasks.exe
4144	schtasks.exe
4136	schtasks.exe
1312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
2964	F868DDCB54E0C6AC37B4F7858D871083.exe
5020	backgroundTaskHost.exe
5020	backgroundTaskHost.exe
5020	backgroundTaskHost.exe
5020	backgroundTaskHost.exe
5020	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	F868DDCB54E0C6AC37B4F7858D871083.exe
Token: SeDebugPrivilege	5020	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1560	2964	F868DDCB54E0C6AC37B4F7858D871083.exe	105
PID 2964 wrote to memory of 1560	2964	F868DDCB54E0C6AC37B4F7858D871083.exe	105
PID 1560 wrote to memory of 2100	1560	cmd.exe	107
PID 1560 wrote to memory of 2100	1560	cmd.exe	107
PID 1560 wrote to memory of 508	1560	cmd.exe	108
PID 1560 wrote to memory of 508	1560	cmd.exe	108
PID 1560 wrote to memory of 5020	1560	cmd.exe	110
PID 1560 wrote to memory of 5020	1560	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe
"C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RTPg2WCgRB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2100
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:508
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\Scenarios\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F868DDCB54E0C6AC37B4F7858D871083F" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F868DDCB54E0C6AC37B4F7858D871083" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F868DDCB54E0C6AC37B4F7858D871083F" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\F868DDCB54E0C6AC37B4F7858D871083.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\123.0.6312.123\backgroundTaskHost.exe

Filesize
737KB

MD5
f868ddcb54e0c6ac37b4f7858d871083

SHA1
996f978b1498c8fd01ec1caa5a35e202545b4e14

SHA256
519bcb8d930b658fa5d0b975c7f74efd297e37c2067753b2020f09147fe86cfa

SHA512
bfd37ab7cf85c1a75c9ab81333ccdc0d9583433002cb2866831e4dba617f1adeb0d735e86179e0302ab02afd4dda7349252529ef8ce255687644f3b7a1aef62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTPg2WCgRB.bat

Filesize
208B

MD5
ab8b48b000a013c4dd1fc0e10110ce9d

SHA1
b2c701540fe0986fc8100598bda636aad068f5b3

SHA256
50867788cf1c5ac9e7531a17a7eb8696767e32a7b00f312e339beffa67bdfdc5

SHA512
305827d25ab8ae923d2631eea57164a6ca6072a8fa00ad3e561f9ef448551ddc036cf85a66baa21eaa7b8becc32c8d2d1631746c55d63adf170f142ac752f1e3

Download Submit
memory/2964-7-0x000000001AE80000-0x000000001AED0000-memory.dmp

Filesize
320KB

Download
memory/2964-4-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/2964-6-0x00000000022B0000-0x00000000022CC000-memory.dmp

Filesize
112KB

Download
memory/2964-9-0x00000000022D0000-0x00000000022E8000-memory.dmp

Filesize
96KB

Download
memory/2964-0-0x00007FFAA1DB3000-0x00007FFAA1DB5000-memory.dmp

Filesize
8KB

Download
memory/2964-2-0x00007FFAA1DB0000-0x00007FFAA2871000-memory.dmp

Filesize
10.8MB

Download
memory/2964-21-0x00007FFAA1DB0000-0x00007FFAA2871000-memory.dmp

Filesize
10.8MB

Download
memory/2964-22-0x00007FFAA1DB0000-0x00007FFAA2871000-memory.dmp

Filesize
10.8MB

Download
memory/2964-23-0x00007FFAA1DB0000-0x00007FFAA2871000-memory.dmp

Filesize
10.8MB

Download
memory/2964-29-0x00007FFAA1DB0000-0x00007FFAA2871000-memory.dmp

Filesize
10.8MB

Download
memory/2964-1-0x0000000000140000-0x00000000001FE000-memory.dmp

Filesize
760KB

Download