dcrat | 429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c

Analysis

max time kernel
103s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2023 14:41

Target

429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c.exe
Size

2.0MB
MD5

5bc462a7ed28ccdf5afbcdbbe85d1b76
SHA1

9aea646d5ddb0c75294b2e8a61aa99b7003d0b56
SHA256

429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c
SHA512

85de4e7f2bc6183a13c361a9b5d388fa42a5e653d62b1585444f55cac2717c5f6c0408bf2cbcc783c3b08b40dbc0cab940cbf57e2f0e58f3b5b8693ca1e82d2f
SSDEEP

49152:dndSiKG7Idc6Rm8sDJMSgkdEiVTpnjyv:dhURm8vSFVov

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

Processes:

resource	yara_rule
behavioral2/memory/3968-132-0x0000000000DA0000-0x0000000000F9A000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c.exe

description pid process

Token: SeDebugPrivilege 3968 429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c.exe

description	pid	process
Token: SeDebugPrivilege	3968	429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c.exe

C:\Users\Admin\AppData\Local\Temp\429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c.exe
"C:\Users\Admin\AppData\Local\Temp\429b305d240c130b141eb3d4c0ba1fa731b4ba3fcfbebe3b3de0c329d947ed8c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

memory/3968-132-0x0000000000DA0000-0x0000000000F9A000-memory.dmp

Filesize
2.0MB

Download
memory/3968-133-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download
memory/3968-134-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download