dcrat | fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

Analysis

max time kernel
108s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Target

2f61e23326b11de39e126e1baf46488e.exe
Size

2.0MB
MD5

2f61e23326b11de39e126e1baf46488e
SHA1

530a94ef319c7ef102cc3ddc19ff2f0dcd891565
SHA256

d5c20e1b5c91b69d26064a9a539d6e262218630a99cfb06955bcb7e3a4108f36
SHA512

beaea9e6314ab6ef4123666cb50da724c774713fcadb9106f15513e20d8ddebd67a6e84875f0e037e6f53acc2dc6f696061f27d0a5a32bb2196ee81e6dad10fd
SSDEEP

49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral18/memory/5852-1-0x0000000000FD0000-0x00000000011DA000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5852	2f61e23326b11de39e126e1baf46488e.exe

C:\Users\Admin\AppData\Local\Temp\2f61e23326b11de39e126e1baf46488e.exe
"C:\Users\Admin\AppData\Local\Temp\2f61e23326b11de39e126e1baf46488e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5852

memory/5852-0-0x00007FF909C73000-0x00007FF909C75000-memory.dmp

Filesize
8KB

Download
memory/5852-1-0x0000000000FD0000-0x00000000011DA000-memory.dmp

Filesize
2.0MB

Download
memory/5852-2-0x00007FF909C70000-0x00007FF90A731000-memory.dmp

Filesize
10.8MB

Download
memory/5852-3-0x0000000001B30000-0x0000000001B3E000-memory.dmp

Filesize
56KB

Download
memory/5852-4-0x0000000001B40000-0x0000000001B4E000-memory.dmp

Filesize
56KB

Download
memory/5852-6-0x00007FF909C70000-0x00007FF90A731000-memory.dmp

Filesize
10.8MB

Download