dcrat | 189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
103s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Size

2.1MB
MD5

e5ab3ea88a2bc87c9e5b2dc45d2a4dd4
SHA1

2f58fa70410dedf700982f8c7a63e599c98ecff1
SHA256

89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b
SHA512

d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2
SSDEEP

49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N

Score

10^/10

dcrat defense_evasion discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	312213.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	refNet.exe

Executes dropped EXE 4 IoCs

pid	Process
3332	312213.exe
2984	cGlzeWFwb3_crypted_LAB.exe
1632	refNet.exe
4104	upfc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4388_1241950146\services.exe	refNet.exe
File created	C:\Program Files\edge_BITS_4388_1241950146\c5b4cb5e9653cc	refNet.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\f3b6ecef712a24	refNet.exe
File created	C:\Windows\SchCache\System.exe	refNet.exe
File created	C:\Windows\SchCache\27d1bcfc3c54e0	refNet.exe
File created	C:\Windows\AppReadiness\spoolsv.exe	refNet.exe
File opened for modification	C:\Windows\AppReadiness\spoolsv.exe	refNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5036	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	refNet.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	312213.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
624	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5036	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe
1632	refNet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	refNet.exe
Token: SeDebugPrivilege	4104	upfc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5328 wrote to memory of 3332	5328	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	88
PID 5328 wrote to memory of 3332	5328	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	88
PID 5328 wrote to memory of 3332	5328	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	88
PID 5328 wrote to memory of 2984	5328	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	89
PID 5328 wrote to memory of 2984	5328	89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe	89
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 2984 wrote to memory of 5856	2984	cGlzeWFwb3_crypted_LAB.exe	91
PID 3332 wrote to memory of 4532	3332	312213.exe	92
PID 3332 wrote to memory of 4532	3332	312213.exe	92
PID 3332 wrote to memory of 4532	3332	312213.exe	92
PID 4532 wrote to memory of 4480	4532	WScript.exe	93
PID 4532 wrote to memory of 4480	4532	WScript.exe	93
PID 4532 wrote to memory of 4480	4532	WScript.exe	93
PID 4480 wrote to memory of 624	4480	cmd.exe	95
PID 4480 wrote to memory of 624	4480	cmd.exe	95
PID 4480 wrote to memory of 624	4480	cmd.exe	95
PID 4480 wrote to memory of 1632	4480	cmd.exe	96
PID 4480 wrote to memory of 1632	4480	cmd.exe	96
PID 1632 wrote to memory of 4700	1632	refNet.exe	97
PID 1632 wrote to memory of 4700	1632	refNet.exe	97
PID 4700 wrote to memory of 3404	4700	cmd.exe	99
PID 4700 wrote to memory of 3404	4700	cmd.exe	99
PID 4700 wrote to memory of 5036	4700	cmd.exe	100
PID 4700 wrote to memory of 5036	4700	cmd.exe	100
PID 4700 wrote to memory of 4104	4700	cmd.exe	102
PID 4700 wrote to memory of 4104	4700	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
"C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Users\Admin\AppData\Local\Temp\312213.exe
  "C:\Users\Admin\AppData\Local\Temp\312213.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:624
    - - C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost/refNet.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5JCVJhOvU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5036
        
        C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe
        
        "C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
- C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe
  "C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\312213.exe

Filesize
2.2MB

MD5
1213f4fc1eb5dca213df57f1f5034a1b

SHA1
e925aaf8a58c25e45a57cd6727e3de68fea1d267

SHA256
d587bb2da2148bb0fed00e3d8ce93e5bb8207a77d7acbe735078b2372e737340

SHA512
1886cb1fb166f44cc8a6aaa9dc0f07faf7bf9e14e1be908e4cee67c95c04151b3df921d9ac71e70a28c2ba9110117670b41d270000300434d9a84f1561ccc942

Download Submit
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe

Filesize
234B

MD5
7453933cc2d2d8ad0040f4dcf0cf478b

SHA1
25a3fdd6e9194ba888c0ca50eb1494e645cad5b7

SHA256
23fc1f6b78cdac4e63ab8fabecea0a0b5016dbc312cf4a5562b1e0991ac64266

SHA512
db9c5997203971b7fab2977a753795193f978909a466af2a639104b5f43c0f2386a6c50be3f701aa3ca156345fe2bd5e1fbf71528254237dbd0214d0fb618427

Download Submit
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat

Filesize
189B

MD5
1d0a67c059050e768d731a6f5f308b53

SHA1
4b411281d7255b2512e0b56966f254260b010eb2

SHA256
4a8c1eb659ab57354d2255e6071d72f437e1535619b261e922fffb37aec4c145

SHA512
97c8f984091fd5a36384e20f00fb9aee5bc22aaf5673a7c0a4c307ecf687a5e6a068ab6b6be0e64be49c0c5679d3da0794fb80a429db5eace8a70389046c9ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe

Filesize
1.9MB

MD5
d2aaad4ccfc17fda2df263f515095e28

SHA1
9bfbdb3d4e5c724a4c45f72b4386cd4a9cacd219

SHA256
a85bef4cf91e1dc1940124c6d2576d486be7868d996e01dc981c11b8a0dc1b40

SHA512
6544effb5c43d28b0905dbf5bf7596197dd83b8bb1d8ade5fbdc7da85b2de9d6a02ac6f98297a04fdf997dde364c1a4a3c52360f6a495a2b57920c1b05c89b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe

Filesize
569KB

MD5
a46f9a51a1e4926a077ddf9420394364

SHA1
2573735414873bb050f5b35a4fa637c005488c06

SHA256
b47c8f7c749732fc1d5c49f2f0dc830fc47fd19ddb10a8dea9717535e0d630ee

SHA512
e97ff39ffa2abb743dbaf739daae99535b18a5958acf5ed0e1338d25ebf131bb8fd6cd4c6801ebfec08bfb83a6412e526eee16d238879a41649d1556bd81543f

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5JCVJhOvU.bat

Filesize
164B

MD5
e99ee3fbbecde4ebe29380080c1bfd5a

SHA1
4899310717529454ef1ae6b33a2ac7a4e46b435d

SHA256
cfbe2c313835016f9b65c0e2cdce7a5d779ab4c4f2002f093865670675088c2c

SHA512
8e2c8c833b20d57632ef122abc2e73d557bed9fd790ef7a79320952602eaef5344e979b2d5de45ab790e889eb3c4217881101e137e64d75e3fa70c430bfe1b43

Download Submit
memory/1632-42-0x00000000024D0000-0x0000000002520000-memory.dmp

Filesize
320KB

Download
memory/1632-44-0x0000000002480000-0x0000000002498000-memory.dmp

Filesize
96KB

Download
memory/1632-48-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/1632-46-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/1632-41-0x0000000002460000-0x000000000247C000-memory.dmp

Filesize
112KB

Download
memory/1632-39-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/1632-37-0x0000000000150000-0x0000000000336000-memory.dmp

Filesize
1.9MB

Download
memory/5328-3-0x00007FFAA3DF0000-0x00007FFAA48B1000-memory.dmp

Filesize
10.8MB

Download
memory/5328-18-0x00007FFAA3DF0000-0x00007FFAA48B1000-memory.dmp

Filesize
10.8MB

Download
memory/5328-0-0x00007FFAA3DF3000-0x00007FFAA3DF5000-memory.dmp

Filesize
8KB

Download
memory/5328-1-0x00000000008F0000-0x0000000000B10000-memory.dmp

Filesize
2.1MB

Download
memory/5856-22-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5856-20-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5856-23-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5856-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download