dcrat | 8bed0227175fdad5e7f3c17003af481764230711f774b10af6b55d1ab58b25ec | Triage

Analysis

max time kernel
61s
max time network
51s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 02:13

Sharing

Report Analysis Logs

General

Target

libcrypto.exe
Size

317KB
MD5

61ee39f5537e65720ec629a593809c02
SHA1

a3ce1a9970fdb69c5f4bde0ffa49ca4cbd0c69bd
SHA256

8bed0227175fdad5e7f3c17003af481764230711f774b10af6b55d1ab58b25ec
SHA512

2e3c1ae897060820b0d5734c2c74740c22f4d45426fd51917a37cef652917ad12efdda7f3f9352e983f6f029a0d739317630928b82f247d1bbb00685ce97f284
SSDEEP

6144:H3yyN3U5XMNNWmfb7DyiUwCyJvjmk65mLRFe+i5SHbrVwCqy:HnNE5XM/j7DFJvAmLRFQ5S/R

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

Processes:

resource	yara_rule
behavioral1/memory/2044-54-0x00000000000C0000-0x0000000000116000-memory.dmp	dcrat

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

libcrypto.exe

pid process

2044 libcrypto.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

libcrypto.exe

description pid process

Token: SeDebugPrivilege 2044 libcrypto.exe

C:\Users\Admin\AppData\Local\Temp\libcrypto.exe
"C:\Users\Admin\AppData\Local\Temp\libcrypto.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-54-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download