dcrat | bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 01:41

Target

bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe
Size

1.4MB
MD5

89d86264b05d675db5fcc733a279abcd
SHA1

661d7cc4d3f431af464d783a1b8f8e5b0914169f
SHA256

bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28
SHA512

f88e69a4d61065c8721f68dc27d75baba80d4350769060bafde0f1ebc06e148ee68405d5feee256603e8db657c7bbca47e2da0ced30b024729ba64d55bfe5049
SSDEEP

24576:fnIJJ+4fNiVf796C5evM2ShdH+t0+lDC8KlxcfOFGNMzxv8x:EJXEft72Set7AIXMzB8

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral2/memory/2192-1-0x0000000000580000-0x00000000006F6000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe

C:\Users\Admin\AppData\Local\Temp\bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe
"C:\Users\Admin\AppData\Local\Temp\bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

memory/2192-0-0x00007FFC9BA73000-0x00007FFC9BA75000-memory.dmp

Filesize
8KB

Download
memory/2192-1-0x0000000000580000-0x00000000006F6000-memory.dmp

Filesize
1.5MB

Download
memory/2192-2-0x00007FFC9BA70000-0x00007FFC9C531000-memory.dmp

Filesize
10.8MB

Download
memory/2192-3-0x0000000001120000-0x000000000112E000-memory.dmp

Filesize
56KB

Download
memory/2192-5-0x00007FFC9BA70000-0x00007FFC9C531000-memory.dmp

Filesize
10.8MB

Download