| File name: | 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe |
| Full analysis: | https://app.any.run/tasks/27c0a845-2421-4a82-8cd2-b1301f8cb5fd |
| Verdict: | Malicious activity |
| Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Malware Trends Tracker>>> |
| Analysis date: | July 03, 2024, 13:52:09 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | rat dcrat remote darkcrystal |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 2196EDD4AD9D7E8CA345339A66E2FED5 |
| SHA1: | D604A25D04700D19896C1DFE12586568FAE5C32F |
| SHA256: | |
| SSDEEP: | 49152:hy54h6mhJecJG+OzXelaxWmD4l5smrv27dB/GcuIyT8zuQHkzat1Aiq+Dx:hy54zhJBJGXzoasmDOOpv/GcuIM6P6ar |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
Drops the executable file immediately after the start
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_updater.exe (PID: 6224)
DcRAT is detected
- ms_updater.exe (PID: 6224)
Connects to the CnC server
- ms_updater.exe (PID: 6224)
Actions looks like stealing of personal data
- ms_updater.exe (PID: 6224)
DARKCRYSTAL has been detected (SURICATA)
- ms_updater.exe (PID: 6224)
DCRAT has been detected (YARA)
- ms_updater.exe (PID: 6224)
SUSPICIOUS
Process drops legitimate windows executable
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
Executable content was dropped or overwritten
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_updater.exe (PID: 6224)
Reads security settings of Internet Explorer
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_updater.exe (PID: 6224)
Reads the date of Windows installation
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_updater.exe (PID: 6224)
Executing commands from a ".bat" file
- ms_updater.exe (PID: 6224)
Starts application with an unusual extension
- cmd.exe (PID: 6252)
Probably delay the execution using 'w32tm.exe'
- cmd.exe (PID: 6252)
Starts CMD.EXE for commands execution
- ms_updater.exe (PID: 6224)
INFO
Checks supported languages
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_tool.exe (PID: 6188)
- ms_updater.exe (PID: 6224)
- chcp.com (PID: 3580)
Creates files or folders in the user directory
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
Reads the computer name
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_updater.exe (PID: 6224)
Process checks computer location settings
- 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe (PID: 5184)
- ms_updater.exe (PID: 6224)
Reads the machine GUID from the registry
- ms_updater.exe (PID: 6224)
Reads Environment values
- ms_updater.exe (PID: 6224)
Checks proxy server information
- ms_updater.exe (PID: 6224)
Disables trace logs
- ms_updater.exe (PID: 6224)
Reads the software policy settings
- slui.exe (PID: 2360)
Create files in a temporary directory
- ms_updater.exe (PID: 6224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the
full reportDcRat
(PID) Process(6224) ms_updater.exe
C2 (1)http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php
Options
Version5.0.1
PluginConfigs
0{SYSTEMDRIVE}/Users/
1false
2false
3false
4false
5false
6false
7false
8true
9false
10false
11false
12true
13true
14true
No Malware configuration.
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| Subsystem: | Windows GUI |
|---|---|
| SubsystemVersion: | 6 |
| ImageVersion: | - |
| OSVersion: | 6 |
| EntryPoint: | 0xafe6 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 743424 |
| CodeSize: | 165888 |
| LinkerVersion: | 14.34 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2024:06:24 13:08:51+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
No data.
Total processes
150
Monitored processes
11
Malicious processes
2
Suspicious processes
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5184 | "C:\Users\admin\AppData\Local\Temp\90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe" | C:\Users\admin\AppData\Local\Temp\90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: Modules
| |||||||||||||||
| 6188 | "C:\Users\admin\AppData\Roaming\ms_tool.exe" | C:\Users\admin\AppData\Roaming\ms_tool.exe | — | 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Mount Volume Utility Exit code: Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6196 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | ms_tool.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6224 | "C:\Users\admin\AppData\Roaming\ms_updater.exe" | C:\Users\admin\AppData\Roaming\ms_updater.exe | 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: Version: 1.2.7.1277 Modules
DcRat(PID) Process(6224) ms_updater.exe C2 (1)http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php Options Version5.0.1 PluginConfigs 0{SYSTEMDRIVE}/Users/ 1false 2false 3false 4false 5false 6false 7false 8true 9false 10false 11false 12true 13true 14true | |||||||||||||||
| 6352 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2360 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5508 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6252 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\iVu5YTRuDT.bat" " | C:\Windows\System32\cmd.exe | — | ms_updater.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7152 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3580 | chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9791
Read events
9758
Write events
33
Delete events
Modification events
| (PID) Process: | (5184)90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (5184)90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (5184)90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (5184)90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (6224)ms_updater.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\a7826988ae199588b0a428293d027e79d80232cd |
| Operation: | write | Name: | 171823069b6502484221899169503f7fbaed6ee1 |
Value: H4sIAAAAAAAEAIuOBQApu0wNAgAAAA== | |||
| (PID) Process: | (6224)ms_updater.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\AjqVFPjRdUMLGTTtnlMEjUReAbQurGJk |
| Operation: | write | Name: | AjqVFPjRdUMLGTTtnlMEjUReAbQurGJk |
Value: AjqVFPjRdUMLGTTtnlMEjUReAbQurGJk | |||
| (PID) Process: | (6224)ms_updater.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: | |||
| (PID) Process: | (6224)ms_updater.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: | |||
| (PID) Process: | (6224)ms_updater.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: | |||
| (PID) Process: | (6224)ms_updater.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
Executable files
4
Suspicious files
Text files
2
Unknown types
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5184 | 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | C:\Users\admin\AppData\Roaming\ms_tool.exe | executable | |
MD5:F3EDFF85DE5FD002692D54A04BCB1C09 | SHA256:CAF29650446DB3842E1C1E8E5E1BAFADAF90FC82C5C37B9E2C75A089B7476131 | |||
| 6224 | ms_updater.exe | C:\Users\admin\AppData\Local\Temp\iVu5YTRuDT.bat | text | |
MD5:E233F4345F3FE8C0872A32C10E1AE108 | SHA256:7B821D078989814E2AC2209832625B2A246638E56949485B08007B6D6D2147F4 | |||
| 6224 | ms_updater.exe | C:\Users\admin\AppData\Local\Temp\zm3mAQw3mj | text | |
MD5:256C4DDDE52C557261B86D4A84A065A2 | SHA256:BF59443C5F5171FA445BD0C24740FA34A5DDB44509C4C9AAA79B90608407A90A | |||
| 6224 | ms_updater.exe | C:\Users\admin\Desktop\xUTbEqFT.log | executable | |
MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D | SHA256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8 | |||
| 5184 | 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a.exe | C:\Users\admin\AppData\Roaming\ms_updater.exe | executable | |
MD5:CEAC3DE237F6B1DC4B279D8E5F5B3689 | SHA256:80BD7EC034AD211DC479ADCDE679F2D3EC28F478692AA84338CE057AB548E510 | |||
| 6224 | ms_updater.exe | C:\Users\admin\Desktop\KtdivPKt.log | executable | |
MD5:F4B38D0F95B7E844DD288B441EBC9AAF | SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the
full reportHTTP(S) requests
65
TCP/UDP connections
65
DNS requests
19
Threats
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1776 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
2204 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1776 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
2204 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
2196 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
2456 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
2196 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
6224 | ms_updater.exe | POST | 200 | 172.67.159.202:80 | http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php | unknown | — | — | unknown |
6224 | ms_updater.exe | POST | 200 | 172.67.159.202:80 | http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the
full reportConnections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2204 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1776 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2196 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2204 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1776 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2196 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1776 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4656 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
118621cm.n9shteam2.top |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
arc.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
6224 | ms_updater.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
6224 | ms_updater.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST) |
6224 | ms_updater.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) |
6224 | ms_updater.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection |
6224 | ms_updater.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
6224 | ms_updater.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
6224 | ms_updater.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection |
No debug info
