dcrat | f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 18:36

Target

agentbrowser.exe
Size

947KB
MD5

9a84688aca96d89b149e213f6d059bfb
SHA1

043c929249d1dcbdddf4cfd278be4425f25bb644
SHA256

f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52
SHA512

c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5
SSDEEP

12288:Xy0xAU7MjsetEfSDi22d7ysdcdvvO++zzYmn2Ybb7VqExqpGzX+UlzF9tpzJ:XAOMjsh722VyJXxCnzoEvzXPhJ

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral1/memory/2388-53-0x0000000001040000-0x0000000001134000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	agentbrowser.exe

C:\Users\Admin\AppData\Local\Temp\agentbrowser.exe
"C:\Users\Admin\AppData\Local\Temp\agentbrowser.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

memory/2388-53-0x0000000001040000-0x0000000001134000-memory.dmp

Filesize
976KB

Download
memory/2388-54-0x000007FEF6150000-0x000007FEF6B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-55-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/2388-56-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2388-57-0x000007FEF6150000-0x000007FEF6B3C000-memory.dmp

Filesize
9.9MB

Download