File Identity
| Field | Value |
|---|---|
| SHA256 | 71c79c58dc14cf56ff1c7c4dea1894b4b4d9794a84abb0cc65168a99c0429c69 |
| Format | VBScript (.vbs) — Stage 1 dropper |
| Size | 1,031,536 bytes (~1.0 MB) |
| Technique | Base64-encoded PowerShell, Firebase + GitHub dead-drop C2 |
C2 and Download Infrastructure
Stage 2 download: Firebase Storage (firebasestorage.googleapis.com). Stage 3 download: GitHub RAW (threat actor dead-drop repository).
Token: 9cad75-dbf7-4ece-ad49-7ac5dc81a1b3
| Item | Value |
|---|---|
| Stage 2 (Firebase) | https://firebasestorage.googleapis.com/v0b/[project].appspot.com/o/dll%2FDLL%2018-?-2026.txt?alt=media&token=9cad75-dbf7-4ece-ad49-7ac5dc81a1b3 |
| Stage 3 (GitHub) | https://raw.githubusercontent.com/[user]/[repo]/refs/heads/main/[payload].txt (obfuscated, reverse-encoded) |
| Protocol | HTTPS, TLS 1.2 enforced (SecurityProtocolType::Tls12) |
Obfuscation Techniques
| Technique | Detail |
|---|---|
| String splitting | "pow"+"ersh"+"ell" — the string is split to evade signatures |
| Junk labels | lumoqnmmvflralxr:driqvqesdfngphhb: code padding with jump labels |
| Reversed URL | The GitHub URL is hidden with reversed Base64 (reversed string encoding) |
| PowerShell Base64 | The entire PS1 code is base64-encoded and embedded inside the VBS |
| Temporary files | C:\ProgramData\Lwoqo.ps1 and C:\ProgramData\NgOVP.ps1 |
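A static triage helper for the obfuscation layers listed above (split string literals, base64-wrapped PowerShell, a reversed URL) is given here as an added example; it is not code from the report or from the sample. The VBS text inside it is constructed to mimic those shapes, the bracketed URL parts are the report's placeholders, and the embedded script fragment is inert.

```python
import base64
import re
# Constructed sample, NOT the real dropper: it reproduces only the obfuscation shapes the
# report lists (split "powershell" literal, base64-wrapped PowerShell, reversed-then-base64
# GitHub URL, junk label). Bracketed URL parts are the report's placeholders; inert fragment.
_URL = "https://raw.githubusercontent.com/[user]/[repo]/refs/heads/main/[payload].txt"
_INNER_PS = ('$u = "%s"\n$p = "C:\\ProgramData\\Lwoqo.ps1"\n'
             % base64.b64encode(_URL[::-1].encode()).decode())
SAMPLE_VBS = ('Set sh = CreateObject("WScript.Shell")\n'
              'lumoqnmmvflralxr:\n'
              'cmd = "pow" & "ersh" & "ell" & " -ExecutionPolicy Bypass -File "\n'
              'blob = "%s"\n' % base64.b64encode(_INNER_PS.encode()).decode())

B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\'<>|]+')

def join_split_strings(vbs: str) -> str:
    """Collapse VBScript literal concatenation ("pow" & "ersh") into one literal."""
    return re.sub(r'"\s*[&+]\s*"', '', vbs)

def _decode_layers(blob: str):
    """Yield the decoding of a base64 run both as written and reversed."""
    for cand in (blob, blob[::-1]):
        core = cand.strip("=")
        try:
            yield base64.b64decode(core + "=" * (-len(core) % 4)).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue

def triage(vbs: str) -> dict:
    """Static triage: join split strings, peel base64 layers, collect URLs and file paths."""
    flat = join_split_strings(vbs)
    result = {
        "powershell_split": "powershell" in flat.lower() and "powershell" not in vbs.lower(),
        "execution_policy_bypass": re.search(r"-ExecutionPolicy\s+Bypass", flat, re.I) is not None,
        "urls": set(), "paths": set(),
    }
    pending, seen = [flat], set()
    while pending:
        text = pending.pop()
        # The URL may be stored reversed, so scan every layer both ways.
        result["urls"].update(URL_RE.findall(text) + URL_RE.findall(text[::-1]))
        result["paths"].update(PATH_RE.findall(text))
        new = [b for b in B64_RE.findall(text) if b not in seen]
        seen.update(new)
        pending.extend(layer for b in new for layer in _decode_layers(b))
    result["urls"], result["paths"] = sorted(result["urls"]), sorted(result["paths"])
    return result
```

Running `triage(SAMPLE_VBS)` surfaces the joined `powershell` literal, the Bypass flag, the GitHub URL hidden two layers down, and the dropped-file path, which is the material a detection rule or IOC extraction would key on.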
Execution Mechanism
- The VBS starts: system information is collected via WScript.Shell
- The Base64 blob is decoded: the hidden PowerShell code is revealed
- PS1 files are written under C:\ProgramData\
- PowerShell -ExecutionPolicy Bypass -File [ps1] is executed
- The DLL is downloaded from Firebase Storage (disguised as DLL 18-x-2026.txt)
- The second payload is downloaded from the GitHub dead-drop
- The DCRat main module is loaded in memory and executed
IOCs
| Type | Value |
|---|---|
| SHA256 | 71c79c58dc14cf56ff1c7c4dea1894b4b4d9794a84abb0cc65168a99c0429c69 |
| Firebase | firebasestorage.googleapis.com (Stage 2) |
| GitHub | raw.githubusercontent.com (Stage 3 dead-drop) |
| Token | 9cad75-dbf7-4ece-ad49-7ac5dc81a1b3 |
| Temporary PS1 | C:\ProgramData\Lwoqo.ps1, C:\ProgramData\NgOVP.ps1 |
| Temporary TXT | C:\ProgramData\Lwoqo.txt |
How to Remove
- Block VBS: prevent execution of .vbs files (GPO/AppLocker)
- Restrict PowerShell: ExecutionPolicy Restricted or Constrained Language Mode
- Delete temporary files: C:\ProgramData\Lwoqo.ps1/txt and NgOVP.ps1
- Network blocking: monitor/block unauthorized access to firebasestorage.googleapis.com and raw.githubusercontent.com
- Full AV scan: run a scan with up-to-date signatures
Technical Summary
This DCRat Stage 1 VBS dropper relies on heavy obfuscation: the PowerShell command is hidden by string splitting ("pow"+"ersh"+"ell"), while the payload URL is stored as reversed Base64. All of the business logic lives inside a base64-encoded PowerShell block embedded in the VBS body. The payload is fetched from Firebase Storage and GitHub RAW (the dead-drop repository) and executed in memory. The final payload is the DCRat RAT.
DCRat — Malware Profile
DCRat is a Russian RAT. sostener1.vbs VBScript dropper. PowerShell ExecutionPolicy Bypass. geutqmonpmjthuux.ru DGA C2.
Technical Details
.NET C#, AES-128-CBC encryption, plugin architecture (DLLs), TCP default port 5552, SQLite local storage, Anti-VM/Sandbox (process check, registry), separate Loader, Stealer and RAT modules
Capabilities & Behavior
IOC List (5 indicators)
| Type | Value | Note |
|---|---|---|
| sha256 | 71c79c58dc14cf56ff1c7c4dea1894b4b4d9794a84abb0cc65168a99c0429c69 | |
| domain | firebasestorage.googleapis.com | |
| domain | raw.githubusercontent.com | |
| filepath | C:\ProgramData\Lwoqo.ps1 | |
| filepath | C:\ProgramData\NgOVP.ps1 | |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| microsoft.com | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| crypto.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.