dcrat | 189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
119s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Size

2.1MB
MD5

e5ab3ea88a2bc87c9e5b2dc45d2a4dd4
SHA1

2f58fa70410dedf700982f8c7a63e599c98ecff1
SHA256

89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b
SHA512

d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2
SSDEEP

49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N

Score

10^/10

dcrat defense_evasion discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 4 IoCs

pid	Process
2748	312213.exe
2972	cGlzeWFwb3_crypted_LAB.exe
2936	refNet.exe
2212	Idle.exe

Loads dropped DLL 9 IoCs

pid	Process
2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
2968	Process not Found
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe
1060	cmd.exe
1060	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\fr-FR\Idle.exe	refNet.exe
File created	C:\Program Files\Internet Explorer\fr-FR\6ccacd8608530f	refNet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\dwm.exe	refNet.exe
File created	C:\Windows\L2Schemas\6cb0b6c459d5d3	refNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
600	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2920	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
600	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe
2936	refNet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	refNet.exe
Token: SeDebugPrivilege	2212	Idle.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2748	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	30
PID 2636 wrote to memory of 2748	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	30
PID 2636 wrote to memory of 2748	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	30
PID 2636 wrote to memory of 2748	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	30
PID 2636 wrote to memory of 2972	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	31
PID 2636 wrote to memory of 2972	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	31
PID 2636 wrote to memory of 2972	2636	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	31
PID 2972 wrote to memory of 2872	2972	cGlzeWFwb3_crypted_LAB.exe	33
PID 2972 wrote to memory of 2872	2972	cGlzeWFwb3_crypted_LAB.exe	33
PID 2972 wrote to memory of 2872	2972	cGlzeWFwb3_crypted_LAB.exe	33
PID 2748 wrote to memory of 2608	2748	312213.exe	34
PID 2748 wrote to memory of 2608	2748	312213.exe	34
PID 2748 wrote to memory of 2608	2748	312213.exe	34
PID 2748 wrote to memory of 2608	2748	312213.exe	34
PID 2608 wrote to memory of 1060	2608	WScript.exe	35
PID 2608 wrote to memory of 1060	2608	WScript.exe	35
PID 2608 wrote to memory of 1060	2608	WScript.exe	35
PID 2608 wrote to memory of 1060	2608	WScript.exe	35
PID 1060 wrote to memory of 2920	1060	cmd.exe	37
PID 1060 wrote to memory of 2920	1060	cmd.exe	37
PID 1060 wrote to memory of 2920	1060	cmd.exe	37
PID 1060 wrote to memory of 2920	1060	cmd.exe	37
PID 1060 wrote to memory of 2936	1060	cmd.exe	38
PID 1060 wrote to memory of 2936	1060	cmd.exe	38
PID 1060 wrote to memory of 2936	1060	cmd.exe	38
PID 1060 wrote to memory of 2936	1060	cmd.exe	38
PID 2936 wrote to memory of 332	2936	refNet.exe	39
PID 2936 wrote to memory of 332	2936	refNet.exe	39
PID 2936 wrote to memory of 332	2936	refNet.exe	39
PID 332 wrote to memory of 2424	332	cmd.exe	41
PID 332 wrote to memory of 2424	332	cmd.exe	41
PID 332 wrote to memory of 2424	332	cmd.exe	41
PID 332 wrote to memory of 600	332	cmd.exe	42
PID 332 wrote to memory of 600	332	cmd.exe	42
PID 332 wrote to memory of 600	332	cmd.exe	42
PID 332 wrote to memory of 2212	332	cmd.exe	43
PID 332 wrote to memory of 2212	332	cmd.exe	43
PID 332 wrote to memory of 2212	332	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
"C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\312213.exe
  "C:\Users\Admin\AppData\Local\Temp\312213.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost/refNet.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBwDEQ99fC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:600
        
        C:\Program Files\Internet Explorer\fr-FR\Idle.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
- C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe
  "C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2972 -s 36
    3⤵
    - Loads dropped DLL
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\312213.exe

Filesize
2.2MB

MD5
1213f4fc1eb5dca213df57f1f5034a1b

SHA1
e925aaf8a58c25e45a57cd6727e3de68fea1d267

SHA256
d587bb2da2148bb0fed00e3d8ce93e5bb8207a77d7acbe735078b2372e737340

SHA512
1886cb1fb166f44cc8a6aaa9dc0f07faf7bf9e14e1be908e4cee67c95c04151b3df921d9ac71e70a28c2ba9110117670b41d270000300434d9a84f1561ccc942

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBwDEQ99fC.bat

Filesize
177B

MD5
81eba0cf22d1b30479461c14f432f886

SHA1
ece3fbc2aacb0ea7e2efe9786322a329bf677a0c

SHA256
9a4b73a1bb99dda5c9b2f71010a42793322fab65396738fdf9acfb1f6ce8c153

SHA512
01bba5fb92119657d94dc6e252ebcef8845576134940af16145f03a750ecaa998c74bb2c08f2954132b3563cad40e00d3e0f262ec8472c66a6499285be2db29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe

Filesize
234B

MD5
7453933cc2d2d8ad0040f4dcf0cf478b

SHA1
25a3fdd6e9194ba888c0ca50eb1494e645cad5b7

SHA256
23fc1f6b78cdac4e63ab8fabecea0a0b5016dbc312cf4a5562b1e0991ac64266

SHA512
db9c5997203971b7fab2977a753795193f978909a466af2a639104b5f43c0f2386a6c50be3f701aa3ca156345fe2bd5e1fbf71528254237dbd0214d0fb618427

Download Submit
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat

Filesize
189B

MD5
1d0a67c059050e768d731a6f5f308b53

SHA1
4b411281d7255b2512e0b56966f254260b010eb2

SHA256
4a8c1eb659ab57354d2255e6071d72f437e1535619b261e922fffb37aec4c145

SHA512
97c8f984091fd5a36384e20f00fb9aee5bc22aaf5673a7c0a4c307ecf687a5e6a068ab6b6be0e64be49c0c5679d3da0794fb80a429db5eace8a70389046c9ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe

Filesize
569KB

MD5
a46f9a51a1e4926a077ddf9420394364

SHA1
2573735414873bb050f5b35a4fa637c005488c06

SHA256
b47c8f7c749732fc1d5c49f2f0dc830fc47fd19ddb10a8dea9717535e0d630ee

SHA512
e97ff39ffa2abb743dbaf739daae99535b18a5958acf5ed0e1338d25ebf131bb8fd6cd4c6801ebfec08bfb83a6412e526eee16d238879a41649d1556bd81543f

Download Submit
\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe

Filesize
1.9MB

MD5
d2aaad4ccfc17fda2df263f515095e28

SHA1
9bfbdb3d4e5c724a4c45f72b4386cd4a9cacd219

SHA256
a85bef4cf91e1dc1940124c6d2576d486be7868d996e01dc981c11b8a0dc1b40

SHA512
6544effb5c43d28b0905dbf5bf7596197dd83b8bb1d8ade5fbdc7da85b2de9d6a02ac6f98297a04fdf997dde364c1a4a3c52360f6a495a2b57920c1b05c89b54

Download Submit
memory/2212-65-0x0000000001100000-0x00000000012E6000-memory.dmp

Filesize
1.9MB

Download
memory/2636-1-0x0000000000C70000-0x0000000000E90000-memory.dmp

Filesize
2.1MB

Download
memory/2636-17-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2636-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2936-36-0x00000000009C0000-0x0000000000BA6000-memory.dmp

Filesize
1.9MB

Download
memory/2936-42-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2936-46-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2936-44-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2936-40-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2936-38-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download