dcrat | 8a4d689ca73de857fc5a2f8424f12d335699cfe0e7885545d88589ca4b3b58a1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 07:07

Target

9a6ad4774eaeee90702e743b864c01d0_NeikiAnalytics.exe
Size

2.0MB
MD5

9a6ad4774eaeee90702e743b864c01d0
SHA1

916a08908f999ce4154713ffcb287246d9769707
SHA256

8a4d689ca73de857fc5a2f8424f12d335699cfe0e7885545d88589ca4b3b58a1
SHA512

f07cb826385b9531ed1f29e6d9d48f3ddbeba0cd7adfd8ea32061ad2bcbfe5682e8ca8b7745efeec8e7e23c8ad616bc74bee219ae0a8fa2a64c9870e83ea41f0
SSDEEP

49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral2/memory/872-1-0x00000000009F0000-0x0000000000BFA000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	9a6ad4774eaeee90702e743b864c01d0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\9a6ad4774eaeee90702e743b864c01d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9a6ad4774eaeee90702e743b864c01d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

memory/872-0-0x00007FF980EF3000-0x00007FF980EF5000-memory.dmp

Filesize
8KB

Download
memory/872-1-0x00000000009F0000-0x0000000000BFA000-memory.dmp

Filesize
2.0MB

Download
memory/872-2-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

Filesize
10.8MB

Download
memory/872-3-0x0000000002D00000-0x0000000002D0E000-memory.dmp

Filesize
56KB

Download
memory/872-4-0x0000000002D10000-0x0000000002D1E000-memory.dmp

Filesize
56KB

Download
memory/872-6-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

Filesize
10.8MB

Download