dcrat | 286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Target

b26193ca5677aa19cbc3bfd5c170c161.exe
Size

2.0MB
MD5

b26193ca5677aa19cbc3bfd5c170c161
SHA1

b2c537420b5b3ac516429b582e93779a8deb8f47
SHA256

2120942a943fe120041957c6291068cd177e6b9d5148228229b8fddae7f01dc7
SHA512

d7484d537721962741d8e930880c8de51b4c992b3e91f8cc414eb7b980de44e758f073ab113ac5a9ee75840c4c2fd62a9166ce08a6a1b5c180c3e4ec8f4c0253
SSDEEP

49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N

Score

10^/10

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral23/memory/2004-1-0x0000000000080000-0x000000000028A000-memory.dmp	dcrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	b26193ca5677aa19cbc3bfd5c170c161.exe

C:\Users\Admin\AppData\Local\Temp\b26193ca5677aa19cbc3bfd5c170c161.exe
"C:\Users\Admin\AppData\Local\Temp\b26193ca5677aa19cbc3bfd5c170c161.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

memory/2004-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x0000000000080000-0x000000000028A000-memory.dmp

Filesize
2.0MB

Download
memory/2004-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-3-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/2004-4-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/2004-5-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download