dcrat | Nursultan[.]exe | Triage

Sharing

General

Target

Nursultan.exe
Size

1.4MB
MD5

04dd1f99162ef231ab0c9d28d181e9d2
SHA1

af9cb52510704981a6e3daeae61c617d711366ef
SHA256

c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086
SHA512

701b7557e14384648fafdc58ae28f76abee5d1c9f567884c42371e722d699d923ac6df68d0a896207452a2eeea4fe65cbcd350f11a2ff519b51b776970565614
SSDEEP

24576:wBmXmo2G/nvxW3Ww0tBBlxD41ittL91eboEH2IgYAUUjZhI:wBi3bA30BBlxnioE5AW

Score

10^/10

rat dcrat 44caliber

Malware Config

Signatures

44caliber family
44caliber

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

Processes:

resource	yara_rule
sample	dcrat

Dcrat family
dcrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
Nursultan.exe

Files

Nursultan.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 1KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 770B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 4B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ