Statik Analiz — DCRat | YÜKSEK | CVSS: 7.5

Dosya

SHA256ed26235201eea09495fb664489ae2628d877b7ed693293c14503b757af957d57
MD5d5385b537e7cc6a0a6a3461edd3d61ca
Dosyaed26235201eea09495fb664489ae2628d877b7ed693293c14503b757af957d57.exe
Boyut1,498,112 byte
TürPE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections
Stringler3,211

Bölümler

AdEntropi
.text8.0
.rsrc3.75
.reloc0.1

Import Tablosu

  • mscoree.dll

IOC

SHA256ed26235201eea09495fb664489ae2628d877b7ed693293c14503b757af957d57
MD5d5385b537e7cc6a0a6a3461edd3d61ca
IP1.0.0.0, 14.0.0.0, 4.0.0.0
Domainsystem.io, output.com
MutexCreateMutex
C2system.io, output.com

DCRat — Malware Profile

DCRat Rusça RAT. sostener1.vbs VBScript dropper. PowerShell ExecutionPolicy Bypass. geutqmonpmjthuux.ru DGA C2.

Malware Type
RAT
Programming Language
C#/.NET
C2 Protocol
HTTP
Target Systems
Windows
Also Known As (AKA)
DarkCrystal

Technical Details

.NET C#, AES-128-CBC sifreleme, plugin mimarisi (DLLler), TCP varsayilan port 5552, SQLite lokal depolama, Anti-VM/Sandbox (Process check, Registry), Loader, Stealer, RAT modulleri ayri

Capabilities & Behavior

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC List (6 indicators)

IOC — DCRat
# IP 1.0.0.0 # IP 14.0.0.0 # IP 4.0.0.0 # DOMAIN system.io # DOMAIN output.com # MUTEX CreateMutex
TypeValueNote
ip 1.0.0.0 C2 aday
ip 14.0.0.0 C2 aday
ip 4.0.0.0 C2 aday
domain system.io C2 domain
domain output.com C2 domain
mutex CreateMutex Mutex

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
microsoft.com domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
digicert.com domain — TCP active —
system.io domain — TCP active —
crypto.io domain — TCP active —
system.io domain — TCP active —
microsoft.com domain — TCP active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
DCRatmalwarestatik-analizIOC