File name:	stealerchecker.zip
Full analysis:	https://app.any.run/tasks/82e54f3a-655a-4262-a3d4-4f63eaea2b8b
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Malware Trends Tracker >>>
Analysis date:	July 20, 2024, 00:31:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	dcrat
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	5792F2E296D98C0B9846CF29CF3840E4
SHA1:	906C210B3813EA776C46AEEF704DAA7F9CFD26BF
SHA256:	6F35CEABE14F3AB8BA5C644B8486BACBF8AF2E71094098A18F4A6FEFBCF099F0
SSDEEP:	393216:XxMCz9Mi3j3hjfV7xw9DEK+5OG1E3xEKO1X7ld5OIvgYY:qK3D1V7xwCK+L1EhG1XAIv/Y

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2020:12:14 07:43:46
ZipCRC:	0xdb31a137
ZipCompressedSize:	32744
ZipUncompressedSize:	90624
ZipFileName:	Colorful.Console.dll


(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\stealerchecker.zip
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(6364) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

PID	Process	Filename		Type
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\Everything.pdb		binary
		MD5:5BF86321410026383694295106A11E3A	SHA256:CE348E62D74117AEC74744084A354F55CD1177B63DA2C0E3E56FACB15AE940D9
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\CommandLine.xml		xml
		MD5:7EAB7372442FB1A2891C9B61EABCC747	SHA256:5F9DCD98CFE54ABDBB21CE39E48DBEF6B967B26B23D6C6A71AA15AAB2411327E
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\CommandLine.dll		executable
		MD5:2F345B6D207489E52DB3F85C2E4E617D	SHA256:2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\Everything32.dll		executable
		MD5:97EDA9E469C19F1E328A27D99456E973	SHA256:89D8EAEB7727B4ECCBF3A540181CBD04A37E2F18784E731265A7AF75AEBB45E9
6364	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6364.35113\CommandLine.dll		executable
		MD5:2F345B6D207489E52DB3F85C2E4E617D	SHA256:2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\Leaf.xNet.dll		executable
		MD5:EA87F37E78FB9AF4BF805F6E958F68F4	SHA256:DE9AEA105F31F3541CBC5C460B0160D0689A2872D80748CA1456E6E223F0A4AA
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\HtmlAgilityPack.xml		xml
		MD5:B97059977E8A4090CFD38F0EF31D3226	SHA256:82796C4BA1C995DB66B01D1096D938BD6C1C96EAEC3615EBF4078E6915F5DAA2
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\Colorful.Console.dll		executable
		MD5:9F6CE7FF934FB2E786CED3516705EFAD	SHA256:59A3696950AC3525E31CDD26727DABD9FECD2E1BDC1C47C370D4B04420592436
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\EverythingNet.pdb		pdb
		MD5:48EDA790EC904A45E11EF60D55F27B14	SHA256:9ED17B75113F8E60EAEED3A457BEB5CD321C8AAB4D45D5FB18A195576E6F6E82
1940	WinRAR.exe	C:\Users\admin\Desktop\stealerchecker\FluentFTP.xml		xml
		MD5:AA6D45CAEFD55FFB3F9B6BE7F21C9EC2	SHA256:2E80E3E37E898C2C10075EFCE02A7E9F4DC77B13D8CFA5FDBAA7A40B762275A6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.199.58.43:443	https://fd.api.iris.microsoft.com/v4/api/selection?&asid=52B503DE342043A68D0A80B2E5577BFE&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3094&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218542&lo=3611071&tsu=1001601	unknown	binary	102 b	—
—	—	GET	200	184.86.251.22:443	https://www.bing.com/client/config?cc=US&setlang=en-US	unknown	binary	2.15 Kb	—
—	—	POST	—	20.190.159.75:443	https://login.live.com/RST2.srf	unknown	—	—	—
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	compressed	24.8 Kb	—
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	—
—	—	GET	200	140.82.121.5:443	https://api.github.com/repos/kzorin52/stealerchecker/releases/latest	unknown	binary	3.84 Kb	—
—	—	POST	200	20.103.156.88:443	https://arc.msn.com/v4/api/register?asid=543E7852DDF149A4B809D5CAC10DF60C&placement=cdmdevreg&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3094&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218542&lo=3611071&tsu=1001600	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	40.115.3.253:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6592	backgroundTaskHost.exe	184.86.251.7:443	www.bing.com	Akamai International B.V.	DE	unknown
6556	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
login.live.com	20.190.159.4 20.190.159.68 20.190.159.71 40.126.31.73 40.126.31.67 20.190.159.73 40.126.31.71 40.126.31.69	whitelisted
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
google.com	142.250.185.238	whitelisted
www.bing.com	184.86.251.7 184.86.251.22 184.86.251.19 184.86.251.27	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
api.github.com	140.82.121.6	whitelisted

General Info

stealerchecker.zip

5792F2E296D98C0B9846CF29CF3840E4

906C210B3813EA776C46AEEF704DAA7F9CFD26BF

6F35CEABE14F3AB8BA5C644B8486BACBF8AF2E71094098A18F4A6FEFBCF099F0

393216:XxMCz9Mi3j3hjfV7xw9DEK+5OG1E3xEKO1X7ld5OIvgYY:qK3D1V7xwCK+L1EhG1XAIv/Y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

DCRAT has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads Microsoft Office registry keys

Drops the executable file immediately after the start

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Disables trace logs

Reads Environment values

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings