File name: CRACKEDBYL1nc0InNEWDCRat.rar

Full analysis: https://app.any.run/tasks/cbd0356d-4a8a-4cee-bf1c-a5adb0258662
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: March 25, 2025, 06:47:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: dcrat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 7E51293BC2161CB1DAF677E7C95F4811
SHA1: A228A7C2E2EFD5ABD891B8CFC0D33F3B536A36F3
SHA256: 01CC2B1BCA4A1A99BB6AE311FF222B788700913CB0BA765DBDEE7F25160BF91A
SSDEEP: 786432:AKT6ft2WVltBlgXPW3kuDKoh814Y9Ir/0yGR7wYYKfd4Q6N:AKel2CtBlgXPW3DCqY9Ir/bGR7wfuz6N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT has been detected (YARA)

      • slui.exe (PID: 7984)
      • conhost.exe (PID: 8064)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7836)
    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 7836)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 7836)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 7836)
    • There is functionality for taking screenshot (YARA)

      • conhost.exe (PID: 8064)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7836)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7836)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WinRAR.exe (PID: 7836)
    • Checks supported languages

      • MpCmdRun.exe (PID: 8116)
    • Reads the computer name

      • MpCmdRun.exe (PID: 8116)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 8116)
    • Checks proxy server information

      • slui.exe (PID: 7984)
    • Reads the software policy settings

      • slui.exe (PID: 7984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 31988444
UncompressedSize: 32177408
OperatingSystem: Win32
ArchivedFileName: [CRACKED BY L1nc0In] NEW DCRat/DCRat/background.cache
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph (start node first):
  • winrar.exe
  • slui.exe (#DCRAT)
  • cmd.exe (no specs)
  • conhost.exe (#DCRAT, no specs)
  • mpcmdrun.exe (no specs)

Process information

PID: 7836
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\CRACKEDBYL1nc0InNEWDCRat.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 8056
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\Rar$Scan40748.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 8064
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8116
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Malware Protection Command Line Utility
Exit code: 2
Version: 4.18.1909.6 (WinBuild.160101.0800)
Modules (images):
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
Total events: 4 955
Read events: 4 946
Write events: 9
Delete events: 0

Modification events

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\CRACKEDBYL1nc0InNEWDCRat.rar

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation: write
Name: DefScanner
Value: Windows Defender
Executable files: 24
Suspicious files: 87
Text files: 63
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\background.cache |
MD5:
SHA256:

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\dotNET_Reactor.Console.exe | executable
MD5: 69D18A3245F3C2FD02C82304C494E977
SHA256: B55B0A652538836ED681C2AFD985310FD39AD2F31AC159847FC46A6065F3232E

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\DCRBC.exe | executable
MD5: 14A56E4B7BD40512B49D6F72086E8FC1
SHA256: 86C45FB7473E5C1DF78B8CBB2003033C37B4CB01A677C1EF30CA1573E84EC692

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\Default.SFX | executable
MD5: A7993E5A520B17FEC65435FB4838A08F
SHA256: C39C4466F622B7320076076EA3EB13FA0F784B9B097DFF46D802F905FC39D851

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\7zxa.dll | executable
MD5: C6C778752B11C3E443C97C55E60720E8
SHA256: 863F6BF4F51E08A4604A4E175781B35C251BB204F479EAC58AF0DB11C7F019A2

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\DCRLC.exe | executable
MD5: A1BCCB81F525F46B8E0994157F0DBB58
SHA256: 574F0612CEF481F5BDE5667586F1BF1C4DF4B7672CD6093B6A8F3B2CADC10725

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\DCRBT.exe | executable
MD5: 32E2BC4F79C776B542F6775895BEAF21
SHA256: 98EC5492A2F0AEBA5B39A9F41498D98C73643BF6D8D177E5831FB0AD6E6F8521

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\wrar.exe | executable
MD5: 719E61C6E73B9BD856414664366FA049
SHA256: 14F3322FA4E6FCE0A30F01BD53DAC40F8F8D48991480DE2BEDD8C4AB6E2FA477

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\RarExt64.dll | executable
MD5: 3E78AC1A5CA308B6EFB1B457D5E4B147
SHA256: AD149A11B96939A6E129CFF0C90BA6CAC57EF3ED535649A73717D8223C48BBCB

7836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7836.16277\CRACKEDBYL1nc0InNEWDCRat.rar\[CRACKED BY L1nc0In] NEW DCRat\DCRat\data\RarExt.dll | executable
MD5: 1F3BB0F89E7CD67A76220EA2E3E7D8C6
SHA256: 68ECB747F523D122C1C2094B3FB6035F7F76FBD948A97E3D42EE526824546FEC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 22
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7492 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7984 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 216.58.212.142 | whitelisted
crl.microsoft.com | 23.216.77.42, 23.216.77.36, 23.216.77.20 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info