Overview

overview

10

Static

static

10

Release/DcRat.exe

windows7-x64

10

Release/DcRat.exe

windows10-2004-x64

10

Release/Pl...io.dll

windows7-x64

1

Release/Pl...io.dll

windows10-2004-x64

1

Release/Pl...at.dll

windows7-x64

1

Release/Pl...at.dll

windows10-2004-x64

1

Release/Pl...ra.dll

windows7-x64

1

Release/Pl...ra.dll

windows10-2004-x64

1

Release/Pl...er.dll

windows7-x64

1

Release/Pl...er.dll

windows10-2004-x64

1

Release/Pl...er.dll

windows7-x64

1

Release/Pl...er.dll

windows10-2004-x64

1

Release/Pl...un.dll

windows7-x64

1

Release/Pl...un.dll

windows10-2004-x64

1

Release/Pl...on.dll

windows7-x64

1

Release/Pl...on.dll

windows10-2004-x64

1

Release/Pl...er.exe

windows7-x64

1

Release/Pl...er.exe

windows10-2004-x64

1

Release/Pl...er.dll

windows7-x64

1

Release/Pl...er.dll

windows10-2004-x64

1

Release/Pl...us.dll

windows7-x64

1

Release/Pl...us.dll

windows10-2004-x64

1

Release/Pl...at.dll

windows7-x64

1

Release/Pl...at.dll

windows10-2004-x64

1

Release/Pl...ns.dll

windows7-x64

1

Release/Pl...ns.dll

windows10-2004-x64

1

Release/Pl...er.dll

windows7-x64

1

Release/Pl...er.dll

windows10-2004-x64

1

Release/Pl...re.dll

windows7-x64

1

Release/Pl...re.dll

windows10-2004-x64

1

Release/Pl...ry.dll

windows7-x64

1

Release/Pl...ry.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Release/DcRat.exe

  • Size

    12.3MB

  • MD5

    7fce411ea2b74f227489659113960b18

  • SHA1

    543d95b74193a188fe273ce7b065aa177405beb5

  • SHA256

    c73b1ffa39c5843b2ed951ac48350d1deb33db4057341f1dab1ee64ea1a62248

  • SHA512

    42de7bc4a0b47e1053ff3ff52a3f887e56759f81cfa691996a533d769e80f98b3e8dcf869785fce801d9cc7a2bc3d675e2eb832b520846b053d6b07093be2678

  • SSDEEP

    196608:XtfZFB2gaNIsNNNNKmvN8rNNNNNNNNNNHbL7aIXM1B7Z0/3G6tULs8wR:XlT81Bd+3G6

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

DcRatMutex_qwqdanchun

Attributes
  • c2_url_file

    https://Pastebin.com/raw/fevFJe98

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 3 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release\DcRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Release\DcRat.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2072
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1796
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:840
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Executes dropped EXE
      PID:1864
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Executes dropped EXE
      PID:1952

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_0xi2najjma3q33cy3liy1lyphmot3lyd\1.0.7.0\gx4ylfga.newcfg
      Filesize

      585B

      MD5

      d33502309781171038abe74a9d25fe4e

      SHA1

      978477fccabaa7edfbd55e54202d4ceb916f6c6c

      SHA256

      a2a5e43f2f583a212d182ead278e52d08dd0fc89bca22e02dc283ce1f8cb7d81

      SHA512

      e37712e379b9c3bc6b8bd427f9c456369ee65e0a98b82002117336fb7bb392f15ca0f8f4690fdbff0438146804c2a77099a4b4677a711e41aa2599381a03dfc7

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_0xi2najjma3q33cy3liy1lyphmot3lyd\1.0.7.0\user.config
      Filesize

      309B

      MD5

      0c6e4f57ebaba0cc4acfc8bb65c589f8

      SHA1

      8c021c2371b87f2570d226b419c64c3102b8d434

      SHA256

      a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c

      SHA512

      c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_0xi2najjma3q33cy3liy1lyphmot3lyd\1.0.7.0\user.config
      Filesize

      586B

      MD5

      0bf93f584275ab33f1f4b6fb52f51ec9

      SHA1

      902549af26744c6bfe6805727d490e15a74186e7

      SHA256

      caee138f4c2c9bd33fcb37fb510640496bb8af855e75613aaebd2fad62f9b745

      SHA512

      2b10fa3d9ca83b99facfae7d3e4f3c60bf7ee10a944d5b66b58f0628aee64bc38e07c032e8eb9b55789fd23480b50885024426f5139393281bf79db5d87d9c22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Release\Client.exe
      Filesize

      47KB

      MD5

      1c50598d545ea58d0c62d833c9d34954

      SHA1

      4723fcf39ff4e95b6f77456ad80aee7e658eec71

      SHA256

      4ea310fdfaecace36726c2d78ec7856ad54d24c72ca4c790555dd8b83d189428

      SHA512

      a376247fd6b5c95b8e7780b44032996ad485fcec0834eed1427a174a38d40b3ef544c64760efb352e1b25c64e3287995999d900c215b15b5b588b4be729a2c04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Release\Client.exe
      Filesize

      47KB

      MD5

      5948c1d53160246a2b8e54c424c96e50

      SHA1

      0b57b6e570311dbef4d89e96d38b4c88500e1891

      SHA256

      d49f87f6e79a64d17f5ae4b64643883477aee8cddeba92a19a89cfafa6a6db10

      SHA512

      ce1e57336f17f3a9bea26aa34f27a79a300f052c328424b80a33c07f28e90c361077c8da77f4c517df38d0d3373b7a6c9adc2c3b708e7bbb4f8874819750720b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Release\ServerCertificate.p12
      Filesize

      1KB

      MD5

      8360967653fc39253c066f6735106f00

      SHA1

      4677c7c50ddedcda1e828c5db1fcd55a440b95cc

      SHA256

      b12befa0c4c46edacec05e8a9d19a7624cb366c1e8da8d2aeb6c02cd5f27ea05

      SHA512

      7d1eb3da380954c33872b4b35f8fd36f7634e3a2bcff82be846a31b03d88cb7209c531c82290384716b1b4a95cd89c145765d8aa18136186033c281cf92f8e5b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\97f7a763e504579efb23c3d920b8c0a1_f9da27c9-c625-43c3-9b3a-b1344b01e128
      Filesize

      1KB

      MD5

      39d4866448114d76ca84a449d3df2ec9

      SHA1

      d1556a43f4a481837fc78b3b82446eafa0653585

      SHA256

      c73e0b72dac3b00f4f64a87c506e2de34b55848ff51828bb6add28d5124ed3ae

      SHA512

      ef60c04ffef7301750d11380bda33a20d11dcbc8a53dc073885a8b88c0015d866f84c5205992287cc90f1263fadb9334f75e46a4b3bab3e206d36803bdfda892

      Download Submit

    • C:\Users\Admin\Desktop\Client.exe
      Filesize

      47KB

      MD5

      ec6e0cf30838de6891cbd634493704c9

      SHA1

      a2c789e57cd8f460e9f23e2bf9bf55c320b9f1e8

      SHA256

      49ee7559547911e9df5c694d31318126dbfc2b86229dbf2f22b301dfd7de7fd0

      SHA512

      e0df6f667d97ebed351209b0b6d5eb112e3fe97655ce4af5d301a9b00e9c1507bdb9489c61bfac166b89d05cd171ac8cba2307d21eaf2f8f9f561c8e51895dc7

      Download Submit

    • memory/840-114-0x0000000000F10000-0x0000000000F22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2072-14-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-19-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-20-0x000000001F3E0000-0x000000001F3F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2072-18-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-17-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-16-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-15-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-4-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-3-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-1-0x0000000001040000-0x0000000001C8A000-memory.dmp

      Filesize

      12.3MB

      Download