dcrat | 21f916b721f00ac97997267dfb601165e5718f9253fcf7b07938575c531ccef0

Analysis

max time kernel
51s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/05/2023, 17:58

Target

01522199.exe
Size

800KB
MD5

adac3ea10f4ed158473fe3680fc1efb2
SHA1

08b6afa1523b959c8c1cbbfd4ad0188ed65956f9
SHA256

21f916b721f00ac97997267dfb601165e5718f9253fcf7b07938575c531ccef0
SHA512

e41344a67ab71dbe21f5a83a001f264925eea5ead065463d73b81d4ad9c865fd45c820e66536a91e8e2dcfd69393f222c6f81d68a8bed4067611f7a4d881ebad
SSDEEP

24576:IK4Sbx1gpQxETtWMrNtKRxU+MBqBPMwsY:Ibm2pQabpQRa+MBqa

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral1/memory/880-56-0x0000000000400000-0x00000000004A4000-memory.dmp	dcrat
behavioral1/memory/880-62-0x0000000000400000-0x00000000004A4000-memory.dmp	dcrat
behavioral1/memory/880-63-0x0000000000400000-0x00000000004A4000-memory.dmp	dcrat
behavioral1/memory/880-64-0x0000000004A00000-0x0000000004A40000-memory.dmp	dcrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 920 set thread context of 880	920	01522199.exe	29

Suspicious behavior: EnumeratesProcesses 13 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29
PID 920 wrote to memory of 880	920	01522199.exe	29

memory/880-55-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/880-56-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/880-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/880-62-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/880-63-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/880-64-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/880-65-0x0000000000AD0000-0x0000000000AEC000-memory.dmp

Filesize
112KB

Download
memory/880-66-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/880-67-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download