dcrat | a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
Size

2.0MB
MD5

9dacfc9d6a218957387e1beccc9bc670
SHA1

f52fb040aad686ff8bde1c5e7f4f382332a988a7
SHA256

a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04
SHA512

062e71b6f27ed4feb004a5ecd2eb7b938f3aef18209bff0b6150a765c0eab6c30c4cc8a694735c4e0d033b8ffa222e199ae7699d4fae0c9d19d5d24d68201e9d
SSDEEP

24576:N3s6IAVPf6cr+jZRRGjzpRjns1NpJz8jEQ0tg284YVv9baETptpGntxvboFDQvWl:FjUQjzTbs1NpJzg0tg2G9bZpUt1mD

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 1 IoCs

pid	Process
2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\3718c7be6ebc34	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
Token: SeDebugPrivilege	2996	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2340	1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe	30
PID 1964 wrote to memory of 2340	1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe	30
PID 1964 wrote to memory of 2340	1964	a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe	30
PID 2340 wrote to memory of 2868	2340	cmd.exe	32
PID 2340 wrote to memory of 2868	2340	cmd.exe	32
PID 2340 wrote to memory of 2868	2340	cmd.exe	32
PID 2340 wrote to memory of 2884	2340	cmd.exe	33
PID 2340 wrote to memory of 2884	2340	cmd.exe	33
PID 2340 wrote to memory of 2884	2340	cmd.exe	33
PID 2340 wrote to memory of 2996	2340	cmd.exe	35
PID 2340 wrote to memory of 2996	2340	cmd.exe	35
PID 2340 wrote to memory of 2996	2340	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
"C:\Users\Admin\AppData\Local\Temp\a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Js5olpWjxF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2868
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2884
- - C:\Program Files (x86)\Windows Photo Viewer\it-IT\a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe
    "C:\Program Files (x86)\Windows Photo Viewer\it-IT\a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\it-IT\a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04N.exe

Filesize
2.0MB

MD5
9dacfc9d6a218957387e1beccc9bc670

SHA1
f52fb040aad686ff8bde1c5e7f4f382332a988a7

SHA256
a5291979129ded5f9d4e74deed3b2b68d8116f92cd5429ce47301cd727971b04

SHA512
062e71b6f27ed4feb004a5ecd2eb7b938f3aef18209bff0b6150a765c0eab6c30c4cc8a694735c4e0d033b8ffa222e199ae7699d4fae0c9d19d5d24d68201e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Js5olpWjxF.bat

Filesize
295B

MD5
c74c43b51bba14a29465101f7e52b138

SHA1
da62f76a91790b5e1a777dbc4751610af1425f64

SHA256
ae616315e0ac431e4de596659e642ba8d3d1aae7f3febf4319b02b31e6c213be

SHA512
54ac06788e89b68374b2b8270697eed2dd0b4953e249441748bd18c98ef47582e5a9eb1da316eb7d988c44908d5542f2debf84eb01fc05ef53faa4b5aff7d43b

Download Submit
memory/1964-11-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/1964-13-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1964-4-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-6-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1964-8-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1964-9-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/1964-3-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-14-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-2-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-26-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-30-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-33-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-32-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-1-0x0000000000DA0000-0x0000000000F7C000-memory.dmp

Filesize
1.9MB

Download
memory/2996-37-0x0000000000DB0000-0x0000000000F8C000-memory.dmp

Filesize
1.9MB

Download