File name: | GTA 6 Builder-Install.rar |
Full analysis: | https://app.any.run/tasks/a7442f26-8820-4b41-afcf-9c69fdef15b5 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | July 07, 2024, 18:38:52 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 6A7189BB6B47EB3637AFF370BD6D04BE |
SHA1: | 09A2132FA1C20A2B9298B801B4603CFEA84D7AC1 |
SHA256: | FF635DB42400A8B73BFB2E2428ACE9F527393DD3429F6E8422A453CA2FE98720 |
SSDEEP: | 98304:WsbA/uxT5Q9D66QMDsZ/qTjqqQSQhdcXFIJ0Rrn7ru0yldctdg5nysWHc8W+YAig:N7PePKakYwzQZxYV/uFxpjmLZp0 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2704 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\GTA 6 Builder-Install.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
1956 | "C:\Users\admin\Desktop\GTA 6 Builder-Install.exe" | C:\Users\admin\Desktop\GTA 6 Builder-Install.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
5940 | "C:\Users\admin\Desktop\GTA 6 Builder-Install.exe" | C:\Users\admin\Desktop\GTA 6 Builder-Install.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
1760 | "C:\Users\admin\AppData\Local\Temp\ComHostSvc.exe" | C:\Users\admin\AppData\Local\Temp\ComHostSvc.exe | GTA 6 Builder-Install.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.2.7.1277 Modules
DcRat(PID) Process(1760) ComHostSvc.exe C2 (1)http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php Options PluginConfigs 0{SYSTEMDRIVE}/Users/ 1false 2false 3true 4true 5true 6true 7false 8true 9true 10true 11true 12true 13true 14true Version5.0.1 (PID) Process(1760) ComHostSvc.exe C2 (1)http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php Options PluginConfigs 0{SYSTEMDRIVE}/Users/ 1false 2false 3true 4true 5true 6true 7false 8true 9true 10true 11true 12true 13true 14true Version5.0.1 Plugins (2)TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAKX/2QAAAAAAAAAAOAAIiALAQgAAEYBAAAGAAAAAAAA7mUBAAAgAAAAgAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAQAAAgAAm0ACAAMAQIUA... TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALI7+mQAAAAAAAAAAOAAIiALAQgAAAgBAAAGAAAAAAAAricBAAAgAAAAQAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAQAAAgAArNABAAMAQIUA... | |||||||||||||||
2412 | "C:\Users\admin\AppData\Local\Temp\Runtime64.exe" | C:\Users\admin\AppData\Local\Temp\Runtime64.exe | GTA 6 Builder-Install.exe | ||||||||||||
User: admin Company: Microsoft Windows Integrity Level: HIGH Description: system32 Version: 15.6.13.6 Modules
| |||||||||||||||
1924 | "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\iOYCRAfa0D.bat" | C:\Windows\System32\cmd.exe | — | ComHostSvc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4264 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3228 | chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Change CodePage Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
1452 | ping -n 10 localhost | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\GTA 6 Builder-Install.rar | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2704) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (5940) GTA 6 Builder-Install.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (5940) GTA 6 Builder-Install.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2704.35624\README.txt | text | |
MD5:229BFB07694F123E2CB4986F47100A62 | SHA256:8DF26B1F550C80646F01D25B8AAFCABB1342BBB2BE1CD335CDB8D254BE8C4090 | |||
2412 | Runtime64.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe | executable | |
MD5:DA23F44A96E6AA3A8B80F1CC40169DAE | SHA256:2D86AB0D97A265AA7B465439AC97C0C6B428A3BDC18000625F3FD66C07FF6F70 | |||
5940 | GTA 6 Builder-Install.exe | C:\Users\admin\AppData\Local\Temp\ComHostSvc.exe | executable | |
MD5:31E5E3AC5A03D60D67188B6B0C3D152B | SHA256:DC73CE51066FDCD5F0C7C88FD6FDFB9A4A3722EBE3D2DEF1DC593FBC1AF9E467 | |||
2704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2704.35624\NlsData004a.dll | executable | |
MD5:BE007B645B9D1332E3346107727320D9 | SHA256:7B128BE8D77398CBC3BB789A34E21AFC984C2E87276907A01326F8FB4504E9DA | |||
1760 | ComHostSvc.exe | C:\Users\admin\Desktop\PlmRteWR.log | executable | |
MD5:F4B38D0F95B7E844DD288B441EBC9AAF | SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97 | |||
2704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2704.35624\NL7Data0404.dll | executable | |
MD5:81B14FD1C9D2B830E55C93C4C38AFA2F | SHA256:878E2DBAC4B6A6BCCE54742F3C7BFD87AA93A6637CCCC1E5D18AB65215D81BEE | |||
1760 | ComHostSvc.exe | C:\Users\admin\Desktop\OgbrtvgQ.log | executable | |
MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC | SHA256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5 | |||
1760 | ComHostSvc.exe | C:\Users\admin\AppData\Local\Temp\5RFWL0pJtK | sqlite | |
MD5:1AA08FF2105515DE3602F503E87DFF1A | SHA256:D7446E2F307027C9BDA2A92D1DF1C13C376581372F6AE8708F4D5BACCB2E6813 | |||
5940 | GTA 6 Builder-Install.exe | C:\Users\admin\AppData\Local\Temp\Runtime64.exe | executable | |
MD5:DA23F44A96E6AA3A8B80F1CC40169DAE | SHA256:2D86AB0D97A265AA7B465439AC97C0C6B428A3BDC18000625F3FD66C07FF6F70 | |||
1760 | ComHostSvc.exe | C:\Users\admin\AppData\Local\Temp\tx525s3UbQ | sqlite | |
MD5:A5B55EF875A290F8739655274B5CFAE6 | SHA256:3C6E069A7DF07EE5ECA265821545BD9B5A0BE65DCA21805D42B10133D12916CF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1760 | ComHostSvc.exe | POST | 200 | 172.67.185.34:80 | http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php | unknown | — | — | unknown |
1968 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1436 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
1968 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1760 | ComHostSvc.exe | POST | 200 | 172.67.185.34:80 | http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php | unknown | — | — | unknown |
1760 | ComHostSvc.exe | POST | 200 | 172.67.185.34:80 | http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php | unknown | — | — | unknown |
1760 | ComHostSvc.exe | POST | 200 | 172.67.185.34:80 | http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php | unknown | — | — | unknown |
6816 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
1760 | ComHostSvc.exe | POST | 200 | 172.67.185.34:80 | http://968620cm.nyashkoon.top/PythonLowProcesswpdownloads.php | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1968 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3828 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3808 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1968 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1968 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1968 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
1968 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
968620cm.nyashkoon.top |
| unknown |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1760 | ComHostSvc.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
1760 | ComHostSvc.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) |
1760 | ComHostSvc.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST) |
1760 | ComHostSvc.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection |
1760 | ComHostSvc.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
1760 | ComHostSvc.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
1760 | ComHostSvc.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection |