Analysis

  • max time kernel
    6s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-02-2025 13:12

General

  • Target

    OsintAkulaDox(Release 2.0).exe

  • Size

    1.6MB

  • MD5

    17e5d1ccf6f2250f75bb5fa68f971767

  • SHA1

    7d935074dbb166b4e481261c0aa855dd1e775d17

  • SHA256

    9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828

  • SHA512

    a7fd59c415e51fd57545a88c993d7ce8abbc4809e92e7dfc533778002f9492612880d4fab30e5d53358aedb9c3e1ee780bb3fe99313083d9232a3cbe6c5e47cc

  • SSDEEP

    24576:U2G/nvxW3Ww0t2IwCzsb0EIYKBInv4BFooOQSK7WmmpC84H366W1e:UbA30twh0rTbF3/7mLz6P

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects a DCRat payload, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe
    "C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3768
        • C:\ComProviderservercrt\dhcpcommon.exe
          "C:\ComProviderservercrt\dhcpcommon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3580
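Detection logic for the chain above, as an added example that is not part of the sandbox report or of DCRat: it reconstructs each process's ancestry from Sysmon-style process-creation records and flags the script host -> shell -> executable pattern, an executable running from a non-standard directory directly under the volume root, and any image whose SHA256 matches the hashes listed under Downloads. The records are constructed; the PIDs, images, command lines and the dhcpcommon.exe hash are copied from this report, while the field layout, rule thresholds and the benign Explorer/Notepad control pair are assumptions.

```python
"""Hunt for the WScript -> cmd -> dropped-EXE chain and the report's hash IOCs.

Added example; not code from the sandbox report or from DCRat. The event
records below are constructed in a Sysmon Event ID 1 style and mirror the
report's process tree; the rule logic and the benign control events are
assumptions.
"""
import re
from dataclasses import dataclass

# SHA256 values copied from the report's Downloads section.
KNOWN_BAD_SHA256 = {
    "c3e0e8356bd4a52e07679935019f4474715f4b7ae291cfbda9d35bf0bc3e2460": "dhcpcommon.exe (DCRat payload)",
    "c14ec59bae7b314a9cb5c9cc01053f93a89547ae882193a57a36d6c31b887e1d": "G1PwR19qmP3OREjedg.vbe (stage-1 script)",
    "d1de03f54cb15974c2e26d79af82446ca304413ae2634faf981dc1327325713e": "3KEVYoQlVUbDaT.bat (stage-2 launcher)",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# An .exe in a directory directly under the volume root that is not a standard
# Windows location, e.g. C:\ComProviderservercrt\dhcpcommon.exe.
ROOT_LEVEL_EXE = re.compile(
    r"^[a-z]:\\(?!windows\\|users\\|program files|programdata\\)[^\\]+\\[^\\]+\.exe$", re.I
)


@dataclass
class ProcEvent:
    """Subset of a Sysmon process-creation event (assumed field names)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    hashes: str = ""  # Sysmon 'Hashes' field, e.g. "MD5=...,SHA256=..."


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sha256_from_hashes_field(hashes: str):
    """Extract and normalise the SHA256 entry from a Sysmon Hashes string."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def ancestry(events, pid):
    """Return the process and its ancestors, child first, stopping at unknown PIDs."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def script_host_shell_exe(chain) -> bool:
    """True when a binary that is itself neither shell nor script host has
    a <shell> whose parent is a <script host> somewhere in its ancestry."""
    names = [basename(e.image) for e in chain]
    if not names or names[0] in SHELLS | SCRIPT_HOSTS:
        return False
    return any(a in SHELLS and b in SCRIPT_HOSTS for a, b in zip(names[1:], names[2:]))


def find_alerts(events):
    alerts = []
    for e in events:
        reasons = []
        digest = sha256_from_hashes_field(e.hashes)
        if digest in KNOWN_BAD_SHA256:
            reasons.append("hash IOC: " + KNOWN_BAD_SHA256[digest])
        if script_host_shell_exe(ancestry(events, e.pid)):
            reasons.append("process chain: script host -> shell -> executable")
        if ROOT_LEVEL_EXE.match(e.image):
            reasons.append("executable in non-standard root-level directory")
        if reasons:
            alerts.append({"pid": e.pid, "image": e.image, "reasons": reasons})
    return alerts


# Constructed records mirroring the report's process tree (PIDs, images and
# command lines from the report; the Explorer/Notepad pair is a benign control).
SAMPLE_EVENTS = [
    ProcEvent(2312, 1000, r"C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe",
              r'"C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe"'),
    ProcEvent(2472, 2312, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"'),
    ProcEvent(3768, 2472, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "'),
    ProcEvent(3580, 3768, r"C:\ComProviderservercrt\dhcpcommon.exe",
              r'"C:\ComProviderservercrt\dhcpcommon.exe"',
              hashes="SHA256=C3E0E8356BD4A52E07679935019F4474715F4B7AE291CFBDA9D35BF0BC3E2460"),
    ProcEvent(4100, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4200, 4100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"PID {a['pid']} {a['image']}")
        for r in a["reasons"]:
            print("   -", r)
```

Run against the constructed records, only PID 3580 (dhcpcommon.exe) is reported, on all three rules; WScript.exe and cmd.exe are intermediate stages and are deliberately not alerted on by themselves, so the chain rule fires on the final dropped binary rather than on every LOLBin in the tree. The hash rule is the brittle one (a rebuilt payload changes every digest); the chain and root-level-directory rules are what survive a repack.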

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat

    Filesize

    40B

    MD5

    9aaeb85b68b2c641d6ea8bbc3e7efb1f

    SHA1

    caa2ce69f5eea67e08aa40c844a38c669ef86db5

    SHA256

    d1de03f54cb15974c2e26d79af82446ca304413ae2634faf981dc1327325713e

    SHA512

    b486c4ae73c61b6996f1f902ca8533601361f72fbac93a2ef480f4729afc75b8615c562cfc579a6bce40555d356754839be60ec5cfb86036fd7274c8afa3c06c

  • C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe

    Filesize

    211B

    MD5

    e061686d28660bb9114d963a2ff01c1d

    SHA1

    f4e81a4553722503c473eb7c7f77396aa3323c19

    SHA256

    c14ec59bae7b314a9cb5c9cc01053f93a89547ae882193a57a36d6c31b887e1d

    SHA512

    5fa0180dda99faf18849f9fd248e4de68c3220bd965d176f3c9a081d5c69f9ed100c80dc1cdf3f0a9b7c67c3a832bde565797756cc047d8f10662cb0ef683b9c

  • C:\ComProviderservercrt\dhcpcommon.exe

    Filesize

    1.3MB

    MD5

    493cf952e6aa65181c8458d312ee1421

    SHA1

    6065a925782b18b0e3e018750c5a760ebfaadf4f

    SHA256

    c3e0e8356bd4a52e07679935019f4474715f4b7ae291cfbda9d35bf0bc3e2460

    SHA512

    3db22d2dd54be931f8e55133a2eec56713d7199d803a290de7741c6b3afda50d98fd0c6c3feda7e835361319398bb2d11108a1cba9f8a2cd7fe2c43c7a36efb8

  • memory/3580-12-0x00007FFF95453000-0x00007FFF95455000-memory.dmp

    Filesize

    8KB

  • memory/3580-13-0x00000000006D0000-0x000000000081C000-memory.dmp

    Filesize

    1.3MB

  • memory/3580-14-0x00000000029A0000-0x00000000029AE000-memory.dmp

    Filesize

    56KB