dcrat | 1b5114a819cd0f44d02a11ac1f896e934a93cef4375292ca9aa763b8e41bddd9 | Triage

Analysis

max time kernel
47s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 18:03

Sharing

Report Analysis Logs

General

Target

038.exe
Size

698KB
MD5

52ac6ad9bec9773531d170fe025f8cfe
SHA1

fd15564483854d8d26610de2ff8f8dafcb861b02
SHA256

1b5114a819cd0f44d02a11ac1f896e934a93cef4375292ca9aa763b8e41bddd9
SHA512

2b8e283d903da80ae5e11301d7acfb304d78a6c08f52bd7437348654c5f942fab6594679ff1579217fcd9c2d4ee08a59acff28714367e8b39f164055ded50c56
SSDEEP

12288:Z4w1tMWi5bzSICSpy0jFx+uve102bo1U+kCRqn:Z4AtZICSn+y92boyQ+

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

Processes:

resource	yara_rule
behavioral1/memory/4884-133-0x000001EF938C0000-0x000001EF93976000-memory.dmp	dcrat

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

038.exe

pid process

4884 038.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

038.exe

description pid process

Token: SeDebugPrivilege 4884 038.exe

C:\Users\Admin\AppData\Local\Temp\038.exe
"C:\Users\Admin\AppData\Local\Temp\038.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4884-133-0x000001EF938C0000-0x000001EF93976000-memory.dmp

Filesize
728KB

Download
memory/4884-134-0x000001EFAF450000-0x000001EFAF460000-memory.dmp

Filesize
64KB

Download