Overview

overview

10

Static

static

1

1daeb81d9c...80.exe

windows7-x64

10

1daeb81d9c...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2023 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1daeb81d9c3201beb8ea848fd869fc80.exe

  • Size

    807KB

  • MD5

    1daeb81d9c3201beb8ea848fd869fc80

  • SHA1

    33aaf3d172952a169e97b4912506b08df3e01c75

  • SHA256

    5d3511735bed246367c3fa97c21ce7bdc9ade8ce5212d4a40504ddc9a9330122

  • SHA512

    1b998a59a2c4d746b270ba5fddd1c1000f457d627c2bef114ea6d116085004deffbfd83d0f50ad56bc1bc366b3647da2499357b704fc4a303e3bbc74f242c115

  • SSDEEP

    24576:KUHKH42cH3Gz0BwDbu2fglQPvX+QZZUI1L3:KuKHGHWgIu+f+QD3

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1daeb81d9c3201beb8ea848fd869fc80.exe
    "C:\Users\Admin\AppData\Local\Temp\1daeb81d9c3201beb8ea848fd869fc80.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3688-134-0x0000000000810000-0x00000000008B4000-memory.dmp
    Filesize

    656KB

    Download
  • memory/3688-139-0x0000000005B20000-0x00000000060C4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3688-140-0x0000000005060000-0x0000000005070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3688-141-0x0000000005870000-0x00000000058C0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3688-142-0x00000000067F0000-0x0000000006882000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3688-143-0x0000000006A00000-0x0000000006A66000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3688-179-0x0000000005060000-0x0000000005070000-memory.dmp
    Filesize

    64KB

    Download