dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
59s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
Size

827KB
MD5

7d14c283441fdefcf681cc58017bb841
SHA1

cdfe7ca961f11fd078a314335ce8c19f3acf2409
SHA256

8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e
SHA512

413f00a1c2dc19c43bf1a61738ac605c405f4834095a0e410091cfbb10085d56afe8bd99928477b5dec24c3b323c387da1e3bc6680409681a1d66a7318d3eb9f
SSDEEP

12288:sNtD0qKiyhtFrXketHevYS6Rc/OOi1GuHQiEHRu3oDK:snKiyhXket+vYNSi+iEE3oO

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5252	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	224	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	224	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/4720-1-0x00000000000D0000-0x00000000001A6000-memory.dmp	dcrat
behavioral22/files/0x00050000000227be-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	TextInputHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1048	schtasks.exe
3568	schtasks.exe
4160	schtasks.exe
5252	schtasks.exe
1464	schtasks.exe
2656	schtasks.exe
5796	schtasks.exe
4728	schtasks.exe
4188	schtasks.exe
2224	schtasks.exe
2304	schtasks.exe
4740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
4884	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
Token: SeDebugPrivilege	4884	TextInputHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4884	4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe	101
PID 4720 wrote to memory of 4884	4720	8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
"C:\Users\Admin\AppData\Local\Temp\8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\4d7dcf6448637544ea7e961be1ad\TextInputHost.exe
  "C:\4d7dcf6448637544ea7e961be1ad\TextInputHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\TextInputHost.exe

Filesize
827KB

MD5
7d14c283441fdefcf681cc58017bb841

SHA1
cdfe7ca961f11fd078a314335ce8c19f3acf2409

SHA256
8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e

SHA512
413f00a1c2dc19c43bf1a61738ac605c405f4834095a0e410091cfbb10085d56afe8bd99928477b5dec24c3b323c387da1e3bc6680409681a1d66a7318d3eb9f

Download Submit
memory/4720-0-0x00007FFCB6EA3000-0x00007FFCB6EA5000-memory.dmp

Filesize
8KB

Download
memory/4720-1-0x00000000000D0000-0x00000000001A6000-memory.dmp

Filesize
856KB

Download
memory/4720-2-0x00007FFCB6EA0000-0x00007FFCB7961000-memory.dmp

Filesize
10.8MB

Download
memory/4720-22-0x00007FFCB6EA0000-0x00007FFCB7961000-memory.dmp

Filesize
10.8MB

Download