File name:

wa_3rd_party_host_32.exe

Full analysis: https://app.any.run/tasks/32e00f8b-9cb6-4e03-a2c3-b1f988d7fede
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: October 11, 2024, 20:27:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
dcrat
remote
darkcrystal
upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A211E2975C6F8B8350682198B237ABA7

SHA1:

00637164DE3CB747740EEC28466DC1C1F06C80B2

SHA256:

00EBCC0BE7BCC0F0CB132A42A922033EAE42C535DACC3094EBAFA1AD3F54A773

SSDEEP:

98304:0/qPyub0pJ5RnpkrbI2fiDipVDrTCYRtRVVHyKVLePXJ0h0Mm6p5v1eOGqlsUk1r:plwcrB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6216)

    • DARKCRYSTAL has been detected (SURICATA)

      • wa_3rd_party_host_32.exe (PID: 6432)

    • Connects to the CnC server

      • wa_3rd_party_host_32.exe (PID: 6432)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wa_3rd_party_host_32.exe (PID: 6432)

    • Connects to the server without a host name

      • wa_3rd_party_host_32.exe (PID: 6432)

    • Connects to unusual port

      • wa_3rd_party_host_32.exe (PID: 6432)

  • INFO

    • Checks supported languages

      • wa_3rd_party_host_32.exe (PID: 6432)

    • Creates files or folders in the user directory

      • wa_3rd_party_host_32.exe (PID: 6432)

    • Changes the registry key values via Powershell

      • wa_3rd_party_host_32.exe (PID: 6432)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • wa_3rd_party_host_32.exe (PID: 6432)

    • UPX packer has been detected

      • wa_3rd_party_host_32.exe (PID: 6432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:16 11:08:48+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1703936
InitializedDataSize: 8816640
UninitializedDataSize: -
EntryPoint: 0x13c060
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2024.5.16.1107
ProductVersionNumber: 4.3.4074.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: OPSWAT, Inc.
FileDescription: MDES SDK V4 3rd Party Host
FileVersion: 2024.5.16.1107
InternalName: wa_3rd_party_host_32.exe
LegalCopyright: © OPSWAT, Inc. All rights reserved.
OriginalFileName: wa_3rd_party_host_32.exe
ProductName: MDES SDK V4
ProductVersion: 4.3.4074.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DARKCRYSTAL wa_3rd_party_host_32.exe powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4792\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6216powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\admin\Desktop\wa_3rd_party_host_32.exe\" }"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exewa_3rd_party_host_32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6432"C:\Users\admin\Desktop\wa_3rd_party_host_32.exe" C:\Users\admin\Desktop\wa_3rd_party_host_32.exe
explorer.exe
User:
admin
Company:
OPSWAT, Inc.
Integrity Level:
MEDIUM
Description:
MDES SDK V4 3rd Party Host
Version:
2024.5.16.1107
Modules
Images
c:\users\admin\desktop\wa_3rd_party_host_32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 132
Read events
4 131
Write events
1
Delete events
0

Modification events

(PID) Process:(6216) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:App
Value:
C:\Users\admin\Desktop\wa_3rd_party_host_32.exe
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6216powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:8167DFF613161DE6AB05C15B428D37BF
SHA256:DC51FE26CCDA33D56FEA28D1EAAB03ADC2914127324E60AF7AD92B698611A332
6216powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y1no0ado.3xm.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6432wa_3rd_party_host_32.exeC:\Users\admin\AppData\Local\configbinary
MD5:11F71FBEA505F77E0181ABA35EDEBFC6
SHA256:27724959B2C50891D66F9DD23D33A44186DC0FDF6D3521F42C849DC7D384D35E
6216powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_waworjz4.0fs.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
30
DNS requests
7
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1584
RUXIMICS.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6432
wa_3rd_party_host_32.exe
POST
429
46.8.232.106:80
http://46.8.232.106/
unknown
unknown
6432
wa_3rd_party_host_32.exe
POST
429
93.185.159.253:80
http://93.185.159.253/
unknown
unknown
6432
wa_3rd_party_host_32.exe
POST
429
91.212.166.91:80
http://91.212.166.91/
unknown
unknown
6432
wa_3rd_party_host_32.exe
POST
429
46.8.236.61:80
http://46.8.236.61/
unknown
unknown
6432
wa_3rd_party_host_32.exe
POST
429
91.212.166.91:80
http://91.212.166.91/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1584
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1584
RUXIMICS.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6944
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1584
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.18
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 20.50.73.9
whitelisted

Threats

PID
Process
Class
Message
6432
wa_3rd_party_host_32.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
6432
wa_3rd_party_host_32.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
6432
wa_3rd_party_host_32.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
6432
wa_3rd_party_host_32.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
6432
wa_3rd_party_host_32.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
6432
wa_3rd_party_host_32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
6432
wa_3rd_party_host_32.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
6432
wa_3rd_party_host_32.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
6432
wa_3rd_party_host_32.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
6432
wa_3rd_party_host_32.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wa_3rd_party_host_32.exe