Derin Statik Analiz — DCRat | Tehdit: high

Datei Kimligi

SHA25659ce29a8e44e2065bd3defb6c51fbab502cd39ab69c530244caabfc293422b5b
MD5b612347cc44edb21170cd00bbfff03fa
SHA16a87adf7322f7a7a0a0f4fa2203f10b3e36ca877
Größe425350 byte
Tur/opt/ksentinel/samples/3c742975836a7071afbb7d23820029f89a48d99f79b85291658a710eb
DerlemeUnbekannt
PackerUPX
C2 Adresi: Sifrelenmis/obfuskeli config (statik analizle cozulemedi)

Yetenekler

  • Tespit edilemedi (obfuskeli)

Gelistirici Ipuclari

PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|' bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^

Telegram: @LHsI @SddE @UDEl @yNYA

PE Analizi

Binwalk / Packer

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, encrypted compressed size: 42

Familie Tespiti

String kaniti bulunamadi (sifrelenmis/obfuskeli).

DCRat — Malware-Profil

DCRat Rusça RAT. sostener1.vbs VBScript dropper. PowerShell ExecutionPolicy Bypass. geutqmonpmjthuux.ru DGA C2.

Malware-Typ
RAT
Programmiersprache
C#/.NET
C2-Protokoll
HTTP
Zielsysteme
Windows
Auch bekannt als (AKA)
DarkCrystal

Technische Details

.NET C#, AES-128-CBC sifreleme, plugin mimarisi (DLLler), TCP varsayilan port 5552, SQLite lokal depolama, Anti-VM/Sandbox (Process check, Registry), Loader, Stealer, RAT modulleri ayri

Fähigkeiten & Verhalten

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC-Liste (5 Indikatoren)

IOC — DCRat
# 6a87adf7322f7a7a0a0f4fa2203f10b3e36ca877 # SHA256 59ce29a8e44e2065bd3defb6c51fbab502cd39ab69c530244caabfc293422b5b # MD5 b612347cc44edb21170cd00bbfff03fa # FILEPATH bash: -c: line 1: syntax error near unexpected token `|' # FILEPATH bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
TypWertBemerkung
6a87adf7322f7a7a0a0f4fa2203f10b3e36ca877
sha256 59ce29a8e44e2065bd3defb6c51fbab502cd39ab69c530244caabfc293422b5b
md5 b612347cc44edb21170cd00bbfff03fa
filepath bash: -c: line 1: syntax error near unexpected token `|'
filepath bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'

C2-Server (8 erfasste Server für diese Familie)

Adresse Typ Port Protokoll Status Land
microsoft.com domain &mdash; TCP active &mdash;
digicert.com domain &mdash; TCP active &mdash;
crypto.io domain &mdash; TCP active &mdash;
microsoft.com domain &mdash; TCP active &mdash;
microsoft.com domain &mdash; TCP active &mdash;
microsoft.com domain &mdash; TCP active &mdash;
microsoft.com domain &mdash; TCP active &mdash;
microsoft.com domain &mdash; TCP active &mdash;

C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.

Tags
dcratstatik-analizhighc2iocpe