dcrat | 0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1

Analysis

max time kernel
118s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
Size

1.9MB
MD5

f022320106ebe6ef239cb75c93f6b3ad
SHA1

b183fb4f66d5327889a0440eca1a61a69ae9cc00
SHA256

0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1
SHA512

e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23
SSDEEP

24576:0bTfyVA9AatfC65K16JPuO+Q3Qvi4m4B2g83KWlumjyICs7reNJCN5a4VznpQiCx:avpAwPDpa9mw2nKWljVeNJCyyVqVa

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 1 IoCs

pid	Process
2680	sppsvc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2796	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2796	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2680	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
Token: SeDebugPrivilege	2680	sppsvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1836	2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe	30
PID 2076 wrote to memory of 1836	2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe	30
PID 2076 wrote to memory of 1836	2076	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe	30
PID 1836 wrote to memory of 2792	1836	cmd.exe	32
PID 1836 wrote to memory of 2792	1836	cmd.exe	32
PID 1836 wrote to memory of 2792	1836	cmd.exe	32
PID 1836 wrote to memory of 2796	1836	cmd.exe	33
PID 1836 wrote to memory of 2796	1836	cmd.exe	33
PID 1836 wrote to memory of 2796	1836	cmd.exe	33
PID 1836 wrote to memory of 2680	1836	cmd.exe	35
PID 1836 wrote to memory of 2680	1836	cmd.exe	35
PID 1836 wrote to memory of 2680	1836	cmd.exe	35
PID 1836 wrote to memory of 2680	1836	cmd.exe	35
PID 1836 wrote to memory of 2680	1836	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
"C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0jOreHat5V.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2792
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2796
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe

Filesize
1.9MB

MD5
f022320106ebe6ef239cb75c93f6b3ad

SHA1
b183fb4f66d5327889a0440eca1a61a69ae9cc00

SHA256
0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1

SHA512
e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\0jOreHat5V.bat

Filesize
187B

MD5
ecc235b93da0e26d0a04ce3ea4edff63

SHA1
06f342a153a9244fe84e71221577ea97a23e3460

SHA256
b99aa8cf0bf377ac9342a405d9338534829e89b7b3a4df8ee785af5765656ac4

SHA512
8f3ae04e4474e70954674807ddd1ad0714ffb61ee66d1d1780309cce04cc816d6eea564cb113261e848c9e4686031dec8b0fc3488a900bfceb0b9c02d682492e

Download Submit
memory/2076-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-13-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2076-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2076-6-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2076-8-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2076-11-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-10-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2076-3-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-15-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2076-16-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-28-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-32-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-34-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-1-0x0000000001250000-0x0000000001434000-memory.dmp

Filesize
1.9MB

Download
memory/2680-38-0x0000000001090000-0x0000000001274000-memory.dmp

Filesize
1.9MB

Download