Overview

overview

10

Static

static

3

0b5266ad1c...a1.exe

windows7-x64

10

0b5266ad1c...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe

  • Size

    1.9MB

  • MD5

    f022320106ebe6ef239cb75c93f6b3ad

  • SHA1

    b183fb4f66d5327889a0440eca1a61a69ae9cc00

  • SHA256

    0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1

  • SHA512

    e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23

  • SSDEEP

    24576:0bTfyVA9AatfC65K16JPuO+Q3Qvi4m4B2g83KWlumjyICs7reNJCN5a4VznpQiCx:avpAwPDpa9mw2nKWljVeNJCyyVqVa

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
    "C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YV3YpMvuXr.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4252
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:1552
          • C:\Windows\servicing\Editions\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
            "C:\Windows\servicing\Editions\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3864

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\WindowsRE\csrss.exe
        Filesize

        1.9MB

        MD5

        f022320106ebe6ef239cb75c93f6b3ad

        SHA1

        b183fb4f66d5327889a0440eca1a61a69ae9cc00

        SHA256

        0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1

        SHA512

        e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe.log
        Filesize

        1KB

        MD5

        1eff74e45bb1f7104e691358cb209546

        SHA1

        253b13ffad516cc34704f5b882c6fa36953a953f

        SHA256

        7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

        SHA512

        44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\YV3YpMvuXr.bat
        Filesize

        274B

        MD5

        6cc8e1eaadafd408504053eb3eadfa61

        SHA1

        ce034432502769f3d4a281947891a58386be7d36

        SHA256

        9855f25aa2781b14858d8846ea25d6682ec6d17ef23a5d3ac4ed0684736420dc

        SHA512

        f260296f03f00b616cd4e6b387b86579957d9a43332c621ed29fb3fdfc68382d440f0463c8eb2c7cd5abbe21252a6935d984519f140182a8b8ab074fd8d2b846

        Download Submit

      • memory/1616-11-0x000000001BD50000-0x000000001BDA0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1616-17-0x0000000002E40000-0x0000000002E4C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1616-6-0x0000000002E20000-0x0000000002E2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1616-7-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-10-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-9-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1616-13-0x0000000002ED0000-0x0000000002EE8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1616-0-0x00007FF81EA33000-0x00007FF81EA35000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1616-15-0x0000000002E30000-0x0000000002E3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1616-4-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-18-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-3-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-24-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-31-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-37-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-38-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-2-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1616-1-0x0000000000B60000-0x0000000000D44000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/3864-44-0x00007FF81EDB3000-0x00007FF81EDB5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3864-50-0x00007FF81EDB3000-0x00007FF81EDB5000-memory.dmp

        Filesize

        8KB

        Download