dcrat | b9cae0739fc6daee051551b3e1dfabd39db41c2996f3a905254a71def555ba36

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:11 UTC

Target

612990113a2323e56af3abbbb03e5002.exe
Size

2.0MB
MD5

612990113a2323e56af3abbbb03e5002
SHA1

9f34edf4e0a59efa9f44da074f2a9c09f013bff9
SHA256

c6f13a0bf3c4f3b5f76cb3f74c912b06f2cff22ae079297e863432c3278cd7c7
SHA512

c3efdac615fd521a096259f58e406aff5658b3bbd082abf6fc65e89489c81b58b662654e472bc8dc41dd5b5ae5b031273811a779776a1b93627922e825624ef7
SSDEEP

49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral29/memory/2156-1-0x0000000001300000-0x000000000150A000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	612990113a2323e56af3abbbb03e5002.exe

C:\Users\Admin\AppData\Local\Temp\612990113a2323e56af3abbbb03e5002.exe
"C:\Users\Admin\AppData\Local\Temp\612990113a2323e56af3abbbb03e5002.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2156

memory/2156-0-0x000007FEF6103000-0x000007FEF6104000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000001300000-0x000000000150A000-memory.dmp

Filesize
2.0MB

Download
memory/2156-2-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/2156-4-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2156-5-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download