| File name: | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe |
| Full analysis: | https://app.any.run/tasks/5debe1cb-7c3c-4970-994e-bdaec745f25b |
| Verdict: | Malicious activity |
| Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Malware Trends Tracker>>> |
| Analysis date: | May 14, 2024, 06:32:29 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | dcrat rat backdoor remote stealer |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 9F052BB878A9F37F266832B84DDE2C78 |
| SHA1: | D489EECA8763CD3CB5DB0EFCF8F9AD9F9D4DA58B |
| SHA256: | |
| SSDEEP: | 12288:StiN4ZtQUc3OJe6QtKQroLNvlpW3Ari4VVyZC0+1cCE1gig+fMHSyROFV8FBDjlD:SCOJeRKYyNN3iE0nwKIAxCGx6 |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
Drops the executable file immediately after the start
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
DcRAT is detected
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Connects to the CnC server
- taskhostw.exe (PID: 7036)
DCRAT has been detected (SURICATA)
- taskhostw.exe (PID: 7036)
Steals credentials from Web Browsers
- taskhostw.exe (PID: 7036)
Actions looks like stealing of personal data
- taskhostw.exe (PID: 7036)
SUSPICIOUS
The process creates files with name similar to system file names
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
Executable content was dropped or overwritten
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Probably delay the execution using 'w32tm.exe'
- cmd.exe (PID: 6616)
Executing commands from a ".bat" file
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
Starts CMD.EXE for commands execution
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
The executable file from the user directory is run by the CMD process
- taskhostw.exe (PID: 7036)
INFO
Checks supported languages
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Reads the computer name
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Reads Environment values
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Reads the machine GUID from the registry
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Creates files in the program directory
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
Create files in a temporary directory
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
- taskhostw.exe (PID: 7036)
Creates files or folders in the user directory
- 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe (PID: 6556)
Checks proxy server information
- taskhostw.exe (PID: 7036)
Reads the software policy settings
- slui.exe (PID: 6204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the
full reportNo Malware configuration.
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (55.8) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21) |
| .scr | | | Windows screen saver (9.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| ProductVersion: | 1.2.7.1277 |
|---|---|
| ProductName: | - |
| OriginalFileName: | SpotifyStartupTask.exe |
| LegalCopyright: | Copyright (c) 2023, Spotify Ltd |
| InternalName: | SpotifyStartupTask |
| FileVersion: | 1.2.7.1277 |
| FileDescription: | - |
| CompanyName: | - |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.2.7.1277 |
| FileVersionNumber: | 1.2.7.1277 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x115d3e |
| UninitializedDataSize: | - |
| InitializedDataSize: | 1536 |
| CodeSize: | 1129984 |
| LinkerVersion: | 11 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2024:05:08 15:21:38+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
No data.
Total processes
133
Monitored processes
9
Malicious processes
3
Suspicious processes
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6556 | "C:\Users\admin\AppData\Local\Temp\5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe" | C:\Users\admin\AppData\Local\Temp\5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.2.7.1277 Modules
| |||||||||||||||
| 6616 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\ayRoa5cdpG.bat" " | C:\Windows\System32\cmd.exe | — | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
| 6628 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
| 6700 | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | C:\Windows\System32\w32tm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Time Service Diagnostic Tool Exit code: Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7036 | "C:\Users\admin\Local Settings\taskhostw.exe" | C:\Users\admin\AppData\Local\taskhostw.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.2.7.1277 Modules
| |||||||||||||||
| 116 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6204 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6436 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6752 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: Version: 19.043.0304.0013 Modules
| |||||||||||||||
Total events
6016
Read events
6000
Write events
16
Delete events
Modification events
| (PID) Process: | (6556)5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9ae3d46f9d06b4828c444653c0bcf0562c369160 |
| Operation: | write | Name: | 0b38c3e8da72706484a97228459153586520d601 |
Value: H4sIAAAAAAAEAHWPQQ+CMAyF/wrhbMzGnHPejB41MVFP1sPoihJBCR3izxcNB6Ph1Ob1vfelx3g5Bzgw1QzgfJnfANZ3dEW0oxDy27mTg+Pr5c6hHdOT4tF3YtukRY4Am4bfw7flv6dvbS7MD/w/L4oi6tchyw8FuWYe5CyqauWC698A2FNZAWifZjpD7zMtlCAjpTXGG5/MlJJCIkqtEUUiJ1PrpSObZEKmnWAV0UybD+70ArqMMoEuAQAA | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: | |||
| (PID) Process: | (7036)taskhostw.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: | |||
Executable files
13
Suspicious files
20
Text files
9
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\admin\Desktop\ZyMJJtbe.log | executable | |
MD5:F4B38D0F95B7E844DD288B441EBC9AAF | SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97 | |||
| 7036 | taskhostw.exe | C:\Users\admin\Desktop\OaMLMWGj.log | executable | |
MD5:F4B38D0F95B7E844DD288B441EBC9AAF | SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97 | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\Public\Music\csrss.exe | executable | |
MD5:9F052BB878A9F37F266832B84DDE2C78 | SHA256:5DBF5FCDDF5030E711977D7D2833101CC155CC021469D1AE92F01BC0293EE857 | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\admin\uhssvc.exe | executable | |
MD5:9F052BB878A9F37F266832B84DDE2C78 | SHA256:5DBF5FCDDF5030E711977D7D2833101CC155CC021469D1AE92F01BC0293EE857 | |||
| 7036 | taskhostw.exe | C:\Users\admin\Desktop\CPxxzPRO.log | executable | |
MD5:D8BF2A0481C0A17A634D066A711C12E9 | SHA256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669 | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\admin\Desktop\aDXkJcQf.log | executable | |
MD5:E9CE850DB4350471A62CC24ACB83E859 | SHA256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\ProgramData\105eec298f1910 | text | |
MD5:197C6FFBA18FD4EDD314BD94404F10DA | SHA256:7512E97AF15E48F7E7E102898506C18B1901574F81FFD7B14315FE23D790A0EE | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\admin\AppData\Local\taskhostw.exe | executable | |
MD5:9F052BB878A9F37F266832B84DDE2C78 | SHA256:5DBF5FCDDF5030E711977D7D2833101CC155CC021469D1AE92F01BC0293EE857 | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\Public\Music\886983d96e3d3e | text | |
MD5:AA535ECB786EDB778D96588B54D3F3A3 | SHA256:6EA2912B04FEFB671F6FBE7BE5B655B4204A66A40FAF9B561DB1C03D3EADAB6B | |||
| 6556 | 5dbf5fcddf5030e711977d7d2833101cc155cc021469d1ae92f01bc0293ee857.exe | C:\Users\admin\Desktop\ULvLgwLq.log | executable | |
MD5:D8BF2A0481C0A17A634D066A711C12E9 | SHA256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the
full reportHTTP(S) requests
30
TCP/UDP connections
52
DNS requests
17
Threats
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2392 | svchost.exe | GET | 200 | 2.16.100.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
2392 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5940 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
7036 | taskhostw.exe | POST | 200 | 172.67.167.60:80 | http://taketa.top/imageTocpuupdateApiTemporary.php | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the
full reportConnections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 2.23.209.150:443 | — | Akamai International B.V. | GB | unknown |
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
2392 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2392 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2392 | svchost.exe | 2.16.100.137:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2392 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
4680 | SearchApp.exe | 2.23.209.140:443 | — | Akamai International B.V. | GB | unknown |
5940 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
taketa.top |
| unknown |
go.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
arc.msn.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
7036 | taskhostw.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
7036 | taskhostw.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) |
7036 | taskhostw.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST) |
— | — | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection |
— | — | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
No debug info
