Overview
overview
10Static
static
10DcRat/DcRat.exe
windows7-x64
10DcRat/DcRat.exe
windows10-2004-x64
10DcRat/DcRat.exe.xml
windows7-x64
1DcRat/DcRat.exe.xml
windows10-2004-x64
1DcRat/Plug...io.dll
windows7-x64
1DcRat/Plug...io.dll
windows10-2004-x64
1DcRat/Plug...at.dll
windows7-x64
1DcRat/Plug...at.dll
windows10-2004-x64
1DcRat/Plug...rd.dll
windows7-x64
1DcRat/Plug...rd.dll
windows10-2004-x64
1DcRat/Plug...ra.dll
windows7-x64
1DcRat/Plug...ra.dll
windows10-2004-x64
1DcRat/Plug...er.dll
windows7-x64
1DcRat/Plug...er.dll
windows10-2004-x64
1DcRat/Plug...er.dll
windows7-x64
1DcRat/Plug...er.dll
windows10-2004-x64
1DcRat/Plugins/Fun.dll
windows7-x64
1DcRat/Plugins/Fun.dll
windows10-2004-x64
1DcRat/Plug...on.dll
windows7-x64
1DcRat/Plug...on.dll
windows10-2004-x64
1DcRat/Plug...er.exe
windows7-x64
1DcRat/Plug...er.exe
windows10-2004-x64
1DcRat/Plug...er.dll
windows7-x64
1DcRat/Plug...er.dll
windows10-2004-x64
1DcRat/Plug...ib.dll
windows7-x64
1DcRat/Plug...ib.dll
windows10-2004-x64
1DcRat/Plug...us.dll
windows7-x64
1DcRat/Plug...us.dll
windows10-2004-x64
1DcRat/Plug...at.dll
windows7-x64
1DcRat/Plug...at.dll
windows10-2004-x64
1DcRat/Plug...ns.dll
windows7-x64
1DcRat/Plug...ns.dll
windows10-2004-x64
1Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
16/04/2023, 13:34
Behavioral task
behavioral1
Sample
DcRat/DcRat.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
DcRat/DcRat.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
DcRat/DcRat.exe.xml
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
DcRat/DcRat.exe.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
DcRat/Plugins/Audio.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
DcRat/Plugins/Audio.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
DcRat/Plugins/Chat.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
DcRat/Plugins/Chat.dll
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
DcRat/Plugins/Discord.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
DcRat/Plugins/Discord.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
DcRat/Plugins/Extra.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
DcRat/Plugins/Extra.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
DcRat/Plugins/FileManager.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
DcRat/Plugins/FileManager.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
DcRat/Plugins/FileSearcher.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
DcRat/Plugins/FileSearcher.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
DcRat/Plugins/Fun.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
DcRat/Plugins/Fun.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
DcRat/Plugins/Information.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
DcRat/Plugins/Information.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
DcRat/Plugins/Keylogger.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
DcRat/Plugins/Keylogger.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
DcRat/Plugins/Logger.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
DcRat/Plugins/Logger.dll
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
DcRat/Plugins/MessagePackLib.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
DcRat/Plugins/MessagePackLib.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
DcRat/Plugins/Miscellaneous.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
DcRat/Plugins/Miscellaneous.dll
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
DcRat/Plugins/Netstat.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
DcRat/Plugins/Netstat.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
DcRat/Plugins/Options.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
DcRat/Plugins/Options.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
DcRat/DcRat.exe
-
Size
21.6MB
-
MD5
86f3de7b3546c538291820eb6f1d3d32
-
SHA1
4b0994b910d67990c855b669f4124e6ebbbc0343
-
SHA256
533c45a3400cceaf13703564aa125c4a17b613ea0964d140be0415d7df4f644b
-
SHA512
002449d99933ee6a61059a2722a2b75f5358b987f4853a93ef0dd5c0b5724835c449a810450f1d2ba6cb5114a106c8f05fbad2137b3c0b3c851663fa1a00d244
-
SSDEEP
393216:q/nGTBP+Zw6NLIsFfskh1BmXGR1Bd+/2:q/GTBP+Zlnk0rmoBY
Malware Config
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1156-54-0x0000000001390000-0x000000000292E000-memory.dmp asyncrat -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 37 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000005456d0961100557365727300600008000400efbeee3a851a5456d0962a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff DcRat.exe Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000545626a2100041646d696e00380008000400efbe5456d096545626a22a0000002e000000000004000000000000000000000000000000410064006d0069006e00000014000000 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 4c0031000000000090568a7c1020446352617400380008000400efbe90568a7c90568a7c2a0000003931010000000800000000000000000000000000000044006300520061007400000014000000 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 DcRat.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 DcRat.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000005456d096122041707044617461003c0008000400efbe5456d0965456d0962a000000e90100000000020000000000000000000000000000004100700070004400610074006100000016000000 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000090568a7c102054656d700000360008000400efbe5456d09690568a7c2a000000fd010000000002000000000000000000000000000000540065006d007000000014000000 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff DcRat.exe Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000009056a47c10204c6f63616c00380008000400efbe5456d0969056a47c2a000000fc0100000000020000000000000000000000000000004c006f00630061006c00000014000000 DcRat.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell DcRat.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe 1156 DcRat.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1156 DcRat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1156 DcRat.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1156 DcRat.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1156 DcRat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1156 DcRat.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DcRat\DcRat.exe"C:\Users\Admin\AppData\Local\Temp\DcRat\DcRat.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1156
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:580