Overview

overview

10

Static

static

1

08002399.exe

windows7-x64

10

08002399.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2023, 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08002399.exe

  • Size

    807KB

  • MD5

    1daeb81d9c3201beb8ea848fd869fc80

  • SHA1

    33aaf3d172952a169e97b4912506b08df3e01c75

  • SHA256

    5d3511735bed246367c3fa97c21ce7bdc9ade8ce5212d4a40504ddc9a9330122

  • SHA512

    1b998a59a2c4d746b270ba5fddd1c1000f457d627c2bef114ea6d116085004deffbfd83d0f50ad56bc1bc366b3647da2499357b704fc4a303e3bbc74f242c115

  • SSDEEP

    24576:KUHKH42cH3Gz0BwDbu2fglQPvX+QZZUI1L3:KuKHGHWgIu+f+QD3

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08002399.exe
    "C:\Users\Admin\AppData\Local\Temp\08002399.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:4772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4772-134-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/4772-139-0x0000000006140000-0x00000000066E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4772-140-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-141-0x0000000005E90000-0x0000000005EE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4772-142-0x0000000006E10000-0x0000000006EA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4772-143-0x0000000007020000-0x0000000007086000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4772-144-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download