Overview

overview

10

Static

static

1

2ab209c8b1...10.exe

windows7-x64

10

2ab209c8b1...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2023 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810.exe

  • Size

    897KB

  • MD5

    3a68a2cbeb827588f3749568b121a79b

  • SHA1

    a40fc3b0c547826353088baf247b379f1e10f25d

  • SHA256

    2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810

  • SHA512

    7ab8bb1605cfed214d05c6dac5dc05df0b66c90e7abe67629e8c879483d5f2784edae832f48acfc92c968a3da1f13e76e5db699890ed85b0c00bb551e0e70b7d

  • SSDEEP

    12288:x7Gmaojeh4hLyhLk9el5ih7XrIqEMbs0qFvPrVc8Ml1T5J4rNl99uF04r4hZZ1v6:MTMYP2tP4CKdKh

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810.exe
    "C:\Users\Admin\AppData\Local\Temp\2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/928-54-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/928-55-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/928-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/928-62-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/928-61-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/928-63-0x0000000000750000-0x000000000076C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/928-64-0x0000000000770000-0x0000000000786000-memory.dmp

    Filesize

    88KB

    Download

  • memory/928-65-0x00000000008A0000-0x00000000008B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/928-66-0x00000000009F0000-0x00000000009FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/928-67-0x0000000004DD0000-0x0000000004E10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/928-68-0x0000000004DD0000-0x0000000004E10000-memory.dmp

    Filesize

    256KB

    Download