Derin Statik Analiz — DCRat | Tehdit: high

Dosya Kimliği

SHA2563c742975836a7071afbb7d23820029f89a48d99f79b85291658a710eb096f9b3
MD5213d5f40829abe4a0c6ee32ec1ebb1a8
SHA161dda991022dbdb4e66f11caa2e3fa91d8d27cab
Dosya Adı213d5f40829abe4a0c6ee32ec1ebb1a8.exe
Boyut846848 byte
Tür/opt/ksentinel/samples/3c742975836a7071_213d5f40829abe4a0c6ee32ec: PE32 executable (GUI) Intel 80386
Derleme TarihiBilinmiyor
PackerUPX

C2 Sunucuları / Dropper Domainleri

AdresTipDurum
System.IODomainactive
System.NetDomainactive

Tespit Edilen IOC'lar

DeğerTip
System.IODomain
System.NetDomain

Yetenekler

Şifreleme: RijndaelManaged

Base64 Decode:

B64:3ROMXmCl7lDwHEmDDaNsOEg21tyGtfTRhOF9zqQ => l8H6
B64:BAFEGEHEIEJELKMLNKOKQPUTWVXVYVZV =>  BD,
B64:MDiUIrfkb3RenMwFQkU+wB3EsCfqDFQQaehkK7P+J5j5iufpYOZSYj9oXPp => Rb?h\

Geliştirici İpuçları

Telegram: @2d2x2 @agxD @EJpkV @LALc

PE Analizi

PE Güvenlik Taraması

file entropy:                    6.084187 (normal)
fpu anti-disassembly:            no
imagebase:                       normal
entrypoint:                      normal
DOS stub:                        normal
TLS directory:                   not found
timestamp:                       normal
section co

Import Tablosu (özet)

Imported functions
    Library
        Name:                            mscoree.dll
        Functions
            Function
                Hint:                            0
                Name:                            _CorExeMain

Aile Tespiti — String Kanıtı

String kanıtı bulunamadı (obfuscated).

DCRat — Malware Profile

DCRat Rusça RAT. sostener1.vbs VBScript dropper. PowerShell ExecutionPolicy Bypass. geutqmonpmjthuux.ru DGA C2.

Malware Type
RAT
Programming Language
C#/.NET
C2 Protocol
HTTP
Target Systems
Windows
Also Known As (AKA)
DarkCrystal

Technical Details

.NET C#, AES-128-CBC sifreleme, plugin mimarisi (DLLler), TCP varsayilan port 5552, SQLite lokal depolama, Anti-VM/Sandbox (Process check, Registry), Loader, Stealer, RAT modulleri ayri

Capabilities & Behavior

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC List (5 indicators)

IOC — DCRat
# 61dda991022dbdb4e66f11caa2e3fa91d8d27cab # SHA256 3c742975836a7071afbb7d23820029f89a48d99f79b85291658a710eb096f9b3 # MD5 213d5f40829abe4a0c6ee32ec1ebb1a8 # DOMAIN System.IO # DOMAIN System.Net
TypeValueNote
61dda991022dbdb4e66f11caa2e3fa91d8d27cab
sha256 3c742975836a7071afbb7d23820029f89a48d99f79b85291658a710eb096f9b3
md5 213d5f40829abe4a0c6ee32ec1ebb1a8
domain System.IO
domain System.Net

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
microsoft.com domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
digicert.com domain — TCP active —
system.io domain — TCP active —
crypto.io domain — TCP active —
system.io domain — TCP active —
microsoft.com domain — TCP active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
dcratstatik-analizhighc2iocpe-analiz