dcrat | 8f4da657a98dd34b30d0f73d6779c1bff53e8e7258420ef3c6343d8fd0f1a558

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2023, 14:38

Target

8f4da657a98dd34b30d0f73d6779c1bff53e8e7258420ef3c6343d8fd0f1a558.exe
Size

2.0MB
MD5

880a2814118f8cedb133b7bbe7718f15
SHA1

c384a8111263389f6136f7f4ae454a652957c5e1
SHA256

8f4da657a98dd34b30d0f73d6779c1bff53e8e7258420ef3c6343d8fd0f1a558
SHA512

4cef55970ad0e0f7ee6b5894b00fb128154968af79a4164fce99f69300e616c6819851725e7613db3736fa5baa68abf5e837039a651feb8c6fed1b75b226d925
SSDEEP

49152:9ndSiKG7Idc6Rm8sDJMSgkdEiVTpnjyv:9hURm8vSFVov

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral2/memory/1508-132-0x0000000000DE0000-0x0000000000FDA000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	8f4da657a98dd34b30d0f73d6779c1bff53e8e7258420ef3c6343d8fd0f1a558.exe

C:\Users\Admin\AppData\Local\Temp\8f4da657a98dd34b30d0f73d6779c1bff53e8e7258420ef3c6343d8fd0f1a558.exe
"C:\Users\Admin\AppData\Local\Temp\8f4da657a98dd34b30d0f73d6779c1bff53e8e7258420ef3c6343d8fd0f1a558.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

memory/1508-132-0x0000000000DE0000-0x0000000000FDA000-memory.dmp

Filesize
2.0MB

Download
memory/1508-133-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/1508-134-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download