Deep Static Analysis — DCRat | Threat: high
File Identity
| Field | Value |
|---|---|
| SHA256 | 59ce29a8e44e2065bd3defb6c51fbab502cd39ab69c530244caabfc293422b5b |
| MD5 | b612347cc44edb21170cd00bbfff03fa |
| SHA1 | 6a87adf7322f7a7a0a0f4fa2203f10b3e36ca877 |
| Size | 425350 bytes |
| Type | Not determined (the pipeline wrote the sample's storage path into this field instead of a file type) |
| Sample path | /opt/ksentinel/samples/3c742975836a7071afbb7d23820029f89a48d99f79b85291658a710eb (truncated as recorded) |
| Compile timestamp | Unknown |
| Packer | UPX |
C2 Address: encrypted/obfuscated configuration (not recoverable by static analysis)
Capabilities (observed in this sample)
- None identified (obfuscated)
Developer Hints
PDB Path: not recovered. The path-extraction step failed with a shell quoting error before it ran; since the file is UPX-packed, the grep should in any case be rerun against the unpacked image, because the packed strings section is compressed.
Telegram: @LHsI @SddE @UDEl @yNYA (all four hits are 4-character matches; Telegram usernames are at least 5 characters long, so these are regex hits on packed/random data, not real handles)
PE Analysis
Binwalk / Packer
| Decimal | Hexadecimal | Description |
|---|---|---|
| 0 | 0x0 | Zip archive data, encrypted, compressed size: 42 (output truncated) |
A PE image begins with the MZ signature at offset 0, so a Zip signature at offset 0 contradicts the UPX result in the File Identity table; check the file's magic bytes and PE header directly before trusting either finding.
Family Detection
No string evidence found (encrypted/obfuscated).
DCRat — Malware Profile
DCRat is a Russian-language RAT. Recorded delivery artifacts: the VBScript dropper sostener1.vbs; PowerShell launched with ExecutionPolicy Bypass; the DGA-style C2 domain geutqmonpmjthuux.ru.
Malware Type
RAT
Programming Language
C#/.NET
C2 Protocol
HTTP
Target Systems
Windows
Also Known As (AKA)
DarkCrystal
Technical Details
.NET/C#; AES-128-CBC encryption; plugin architecture (DLLs); TCP transport, default port 5552; SQLite local storage; anti-VM/sandbox checks (process list, registry); separate Loader, Stealer and RAT modules
Capabilities & Behavior
Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism
IOC List (3 indicators)
IOC — DCRat
| Type | Value | Note |
|---|---|---|
| sha1 | 6a87adf7322f7a7a0a0f4fa2203f10b3e36ca877 | |
| sha256 | 59ce29a8e44e2065bd3defb6c51fbab502cd39ab69c530244caabfc293422b5b | |
| md5 | b612347cc44edb21170cd00bbfff03fa | |
File paths: none recovered. The two FILEPATH entries in the raw output were shell error messages from the failed path-extraction grep, not indicators, and are omitted here.
C2 Servers (8 recorded entries for this family, 4 unique after removing duplicate rows)
| Address | Type | Port | Protocol | Status | Country | Note |
|---|---|---|---|---|---|---|
| microsoft.com | domain | — | TCP | active | — | Appears in the Authenticode signature and CRL URLs of ordinary signed Windows binaries; not a C2 indicator on its own |
| system.io | domain | — | TCP | active | — | Case-insensitive match on the .NET namespace System.IO; not a hostname |
| digicert.com | domain | — | TCP | active | — | Code-signing certificate authority URL; not a C2 indicator on its own |
| crypto.io | domain | — | TCP | active | — | Most likely an identifier fragment caught by the domain regex rather than a hostname |
None of the four survive triage as C2 candidates, and the DGA-style domain geutqmonpmjthuux.ru named in the profile above does not appear here; treat this table as raw string hits rather than verified infrastructure until the packed sample is unpacked and the configuration decrypted.
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.
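The indicator sections above (the PDB/Telegram hints, the Binwalk-versus-UPX contradiction, and the C2 table) all suffer from the same problem: string-regex hits on a packed binary being reported as findings. The following is an added example, not part of the original report or of the ksentinel/KEYDAL pipeline that produced it, showing the three sanity checks a reviewer would run before accepting such output: read the MZ/PE header and section names to confirm the file is a PE and whether UPX section names are present, reject '@handle' hits shorter than Telegram's 5-character minimum, and separate domain-like strings from .NET namespace references and code-signing URLs. The input is a constructed fake PE image with embedded strings (not the DCRat sample), the benign-suffix list is an illustrative allowlist, and the PascalCase rule for spotting namespaces is a heuristic.

```python
"""Sanity checks for regex-derived static-analysis indicators (added example)."""
import hashlib
import re
import struct


# --- (1) header / packer check -------------------------------------------------
def build_fake_pe(section_names, payload):
    """Construct a minimal PE-shaped blob (constructed test input, not malware):
    64-byte DOS header, PE signature, COFF header with SizeOfOptionalHeader=0,
    one 40-byte section header per name, then the raw payload bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + payload


def pe_info(data):
    """Return the magic bytes, section names, and whether UPX section names exist.
    A 'PK' magic at offset 0 (what binwalk reported above) cannot be a PE image."""
    info = {"magic": bytes(data[:2]), "is_pe": False, "sections": [], "upx": False}
    if len(data) < 0x40 or info["magic"] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break
        info["sections"].append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    info["upx"] = any(s.startswith("UPX") for s in info["sections"])
    return info


def file_hashes(data):
    """MD5/SHA1/SHA256, the same three digests as the File Identity table."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


# --- (2) Telegram handles: Telegram enforces a 5-character minimum ----------------
TELEGRAM_RE = re.compile(r"@([A-Za-z0-9_]{5,32})(?![A-Za-z0-9_])")


def triage_telegram(text):
    """Keep only '@handle' hits long enough to be usernames; '@LHsI'-style
    four-character matches from packed data are dropped by the regex."""
    return sorted(set(TELEGRAM_RE.findall(text)))


# --- (3) domain triage -------------------------------------------------------------
DOMAIN_RE = re.compile(
    r"(?<![\w.-])((?:[A-Za-z0-9-]+\.)+(?:com|net|org|io|ru|su))(?![\w-])", re.I)
# Illustrative allowlist (assumption): domains that occur in Authenticode signature,
# CRL and timestamp URLs of ordinary signed Windows binaries.
BENIGN_SUFFIXES = ("microsoft.com", "digicert.com", "verisign.com", "symantec.com",
                   "globalsign.com", "sectigo.com", "comodoca.com", "w3.org")


def triage_domains(text):
    """Split domain-like hits into plausible C2 candidates and explained rejects."""
    kept, dropped = [], []
    for m in DOMAIN_RE.finditer(text):
        cand = m.group(1)
        low = cand.lower()
        if any(low == s or low.endswith("." + s) for s in BENIGN_SUFFIXES):
            dropped.append((cand, "code-signing/CRL URL of a signed binary"))
        elif any(label[:1].isupper() for label in cand.split(".")):
            # Heuristic: hostnames in configs are lowercase; PascalCase labels such
            # as System.IO are .NET namespace references from the metadata heap.
            dropped.append((cand, "PascalCase .NET namespace, not a hostname"))
        elif low not in kept:
            kept.append(low)
    return kept, dropped


def triage_report(data):
    """Run all three checks over one file image and return the combined result."""
    text = data.decode("latin-1")
    kept, dropped = triage_domains(text)
    return {"hashes": file_hashes(data), "pe": pe_info(data),
            "telegram": triage_telegram(text), "c2_candidates": kept,
            "rejected_domains": dropped}


# Constructed strings mimicking what `strings` pulls from a signed .NET binary
# plus one real-looking C2 domain and one real-looking handle (all test data).
SAMPLE_STRINGS = b"\0".join([
    b"System.IO",
    b"System.Security.Cryptography",
    b"http://crl.microsoft.com/pki/crl/products/MicCodSigPCA.crl",
    b"http://www.digicert.com/CPS",
    b"geutqmonpmjthuux.ru",
    b"@LHsI", b"@SddE", b"@darkcrystal_support",
])
SAMPLE = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], SAMPLE_STRINGS)

if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(SAMPLE), indent=2, default=str))
```

Run it as-is to see the constructed image classified (MZ/PE with UPX0/UPX1 sections, one surviving C2 candidate, one surviving handle); to apply it to a real sample, pass `open(path, "rb").read()` to `triage_report` and, for a UPX-packed file, run it again on the `upx -d` output, since the packed image hides most strings.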