Overview

overview

10

Static

static

3

0b5266ad1c...a1.exe

windows7-x64

10

0b5266ad1c...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe

  • Size

    1.9MB

  • MD5

    f022320106ebe6ef239cb75c93f6b3ad

  • SHA1

    b183fb4f66d5327889a0440eca1a61a69ae9cc00

  • SHA256

    0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1

  • SHA512

    e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23

  • SSDEEP

    24576:0bTfyVA9AatfC65K16JPuO+Q3Qvi4m4B2g83KWlumjyICs7reNJCN5a4VznpQiCx:avpAwPDpa9mw2nKWljVeNJCyyVqVa

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
    "C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xclrWszVoz.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4784
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2644
          • C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe
            "C:\Users\Admin\AppData\Local\Temp\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe"
            3⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Windows Sidebar\Gadgets\explorer.exe
        Filesize

        1.9MB

        MD5

        f022320106ebe6ef239cb75c93f6b3ad

        SHA1

        b183fb4f66d5327889a0440eca1a61a69ae9cc00

        SHA256

        0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1

        SHA512

        e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1.exe.log
        Filesize

        1KB

        MD5

        1eff74e45bb1f7104e691358cb209546

        SHA1

        253b13ffad516cc34704f5b882c6fa36953a953f

        SHA256

        7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

        SHA512

        44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xclrWszVoz.bat
        Filesize

        278B

        MD5

        712659602f0e54b0bccf4438e42f6942

        SHA1

        02d64a23302131cdeaac8141167d63db972fdce3

        SHA256

        90a20071821818a5601ac8d4ba1e0a5b851536b918b74f19f38c284bdfc0543a

        SHA512

        55b527523c3bb445e841d80df2433734adac981550c94ce9d707e570091c1a2f23501e88fa32dec0b1b39ec6d0d422ddac6d823c5b535fbdd86567c8256c79a0

        Download Submit

      • memory/1036-47-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1036-41-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-6-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4028-24-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-7-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-11-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-10-0x000000001B550000-0x000000001B5A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4028-13-0x000000001B500000-0x000000001B518000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4028-15-0x00000000027A0000-0x00000000027AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4028-17-0x00000000027B0000-0x00000000027BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4028-19-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-9-0x00000000027C0000-0x00000000027DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4028-0-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4028-31-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-35-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-4-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-39-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-3-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-2-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-1-0x0000000000380000-0x0000000000564000-memory.dmp

        Filesize

        1.9MB

        Download