File name:

[CRACKED BY L1nc0In]BLTools v2.6.2.rar

Full analysis: https://app.any.run/tasks/1365b040-e260-450d-b556-ccc5d089a5a9
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: April 07, 2024, 15:55:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
dcrat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

36990D5928E917D875C9FF63C6704836

SHA1:

CA0DD62162273BA109040AD4B32E34ED8F6E94DC

SHA256:

D4979FB42C5CEDD4E6787166510BE44ADE799FBADAE1805C9520B70821A677D9

SSDEEP:

98304:1CAN25uP+N6tQQ+wMVOqiCH6K8Cp5v0GyYPCYHKSed/6qZ+JBLogG5jZkN8W5Ho/:XTmuQAg6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • DCRatBuild.exe (PID: 2184)
      • BLTools v2.6.2 by L1nc0In.exe (PID: 3964)
      • Websaves.exe (PID: 1576)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 3068)

    • UAC/LUA settings modification

      • Websaves.exe (PID: 1576)

    • Adds path to the Windows Defender exclusion list

      • Websaves.exe (PID: 1576)

    • DCRAT has been detected (YARA)

      • Websaves.exe (PID: 1576)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • BLTools v2.6.2 by L1nc0In.exe (PID: 3964)
      • WinRAR.exe (PID: 4008)
      • DCRatBuild.exe (PID: 2184)
      • Websaves.exe (PID: 1576)

    • Reads the Internet Settings

      • BLTools v2.6.2 by L1nc0In.exe (PID: 3964)
      • DCRatBuild.exe (PID: 2184)
      • wscript.exe (PID: 3068)
      • powershell.exe (PID: 572)
      • Websaves.exe (PID: 1576)
      • powershell.exe (PID: 2492)
      • powershell.exe (PID: 4084)
      • powershell.exe (PID: 1820)
      • powershell.exe (PID: 4072)
      • powershell.exe (PID: 1504)
      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 584)
      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 3492)
      • powershell.exe (PID: 1604)

    • The process creates files with name similar to system file names

      • Websaves.exe (PID: 1576)

    • Executed via WMI

      • schtasks.exe (PID: 2336)
      • schtasks.exe (PID: 3544)
      • schtasks.exe (PID: 712)
      • schtasks.exe (PID: 3088)
      • schtasks.exe (PID: 3224)
      • schtasks.exe (PID: 2468)
      • schtasks.exe (PID: 3616)
      • schtasks.exe (PID: 3444)
      • schtasks.exe (PID: 1780)
      • schtasks.exe (PID: 316)
      • schtasks.exe (PID: 1796)
      • schtasks.exe (PID: 3620)
      • schtasks.exe (PID: 3404)
      • schtasks.exe (PID: 2096)
      • schtasks.exe (PID: 2112)
      • schtasks.exe (PID: 3980)
      • schtasks.exe (PID: 1484)
      • schtasks.exe (PID: 3496)
      • schtasks.exe (PID: 3984)
      • schtasks.exe (PID: 1608)
      • schtasks.exe (PID: 3036)
      • schtasks.exe (PID: 984)
      • schtasks.exe (PID: 2808)
      • schtasks.exe (PID: 2584)
      • schtasks.exe (PID: 2308)
      • schtasks.exe (PID: 1020)
      • schtasks.exe (PID: 3172)
      • schtasks.exe (PID: 3232)
      • schtasks.exe (PID: 3336)
      • schtasks.exe (PID: 2984)
      • schtasks.exe (PID: 2024)
      • schtasks.exe (PID: 3352)
      • schtasks.exe (PID: 1936)
      • schtasks.exe (PID: 2480)
      • schtasks.exe (PID: 2344)
      • schtasks.exe (PID: 3100)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3068)
      • Websaves.exe (PID: 1576)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3068)
      • Websaves.exe (PID: 1576)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3068)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 2764)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 4072)
      • powershell.exe (PID: 2492)
      • powershell.exe (PID: 4084)
      • powershell.exe (PID: 572)
      • powershell.exe (PID: 1820)
      • powershell.exe (PID: 1504)
      • powershell.exe (PID: 584)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 3492)

    • Script adds exclusion path to Windows Defender

      • Websaves.exe (PID: 1576)

    • Starts POWERSHELL.EXE for commands execution

      • Websaves.exe (PID: 1576)

  • INFO

    • Checks supported languages

      • BLTools v2.6.2 by L1nc0In.exe (PID: 3964)
      • BLTools v2.6.2 by L1nc0In.exe (PID: 1928)
      • DCRatBuild.exe (PID: 2184)
      • Websaves.exe (PID: 1576)
      • SearchProtocolHost.exe (PID: 1380)

    • Reads the computer name

      • BLTools v2.6.2 by L1nc0In.exe (PID: 3964)
      • BLTools v2.6.2 by L1nc0In.exe (PID: 1928)
      • DCRatBuild.exe (PID: 2184)
      • Websaves.exe (PID: 1576)
      • SearchProtocolHost.exe (PID: 1380)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4008)

    • Reads the machine GUID from the registry

      • BLTools v2.6.2 by L1nc0In.exe (PID: 1928)
      • Websaves.exe (PID: 1576)
      • SearchProtocolHost.exe (PID: 1380)

    • Create files in a temporary directory

      • BLTools v2.6.2 by L1nc0In.exe (PID: 3964)
      • Websaves.exe (PID: 1576)

    • Reads Environment values

      • Websaves.exe (PID: 1576)
      • SearchProtocolHost.exe (PID: 1380)

    • Process checks whether UAC notifications are on

      • Websaves.exe (PID: 1576)

    • Reads product name

      • Websaves.exe (PID: 1576)
      • SearchProtocolHost.exe (PID: 1380)

    • Creates files in the program directory

      • Websaves.exe (PID: 1576)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2492)
      • powershell.exe (PID: 1820)
      • powershell.exe (PID: 572)
      • powershell.exe (PID: 4084)
      • powershell.exe (PID: 4072)
      • powershell.exe (PID: 1504)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 584)
      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 3492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
60
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs bltools v2.6.2 by l1nc0in.exe no specs bltools v2.6.2 by l1nc0in.exe no specs dcratbuild.exe no specs bltools v2.6.2 by l1nc0in.exe dcratbuild.exe wscript.exe no specs cmd.exe no specs #DCRAT websaves.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs w32tm.exe no specs searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Users\admin\AppData\Local\Temp\BLTools v2.6.2 by L1nc0In.exe" C:\Users\admin\AppData\Local\Temp\BLTools v2.6.2 by L1nc0In.exeBLTools v2.6.2 by L1nc0In.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BLTools
Exit code:
3221226540
Version:
2.6.2.0
Modules
Images
c:\users\admin\appdata\local\temp\bltools v2.6.2 by l1nc0in.exe
c:\windows\system32\ntdll.dll
316schtasks.exe /create /tn "SearchProtocolHostS" /sc MINUTE /mo 7 /tr "'C:\ComagentServerCommon\SearchProtocolHost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
572"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWebsaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
584"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWebsaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
712schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ComagentServerCommon\taskhost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
848"C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe" C:\Users\admin\AppData\Local\Temp\DCRatBuild.exeBLTools v2.6.2 by L1nc0In.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\dcratbuild.exe
c:\windows\system32\ntdll.dll
984schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\dwm.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1020schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 12 /tr "'C:\Program Files\Opera\msiexec.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1172"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWebsaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1380"C:\ComagentServerCommon\SearchProtocolHost.exe" C:\ComagentServerCommon\SearchProtocolHost.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\comagentservercommon\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
35 958
Read events
35 805
Write events
153
Delete events
0

Modification events

(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4008) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\[CRACKED BY L1nc0In]BLTools v2.6.2.rar
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
21
Suspicious files
2
Text files
19
Unknown types
24

Dropped files

PID
Process
Filename
Type
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\AlphaFS.dllexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\BLTools v2.6.2 by L1nc0In.exeexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\CookiesCreator.exeexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\Extreme.Net.dllexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\FilesRemover.initext
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\FoldersRemover.initext
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\License.dlltext
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\Newtonsoft.Json.dllexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\Ookii.Dialogs.Wpf.dllexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb4008.34025\[CRACKED BY L1nc0In]BLTools v2.6.2\Settings.initext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
[CRACKED BY L1nc0In]BLTools v2.6.2.rar