Overview

overview

10

Static

static

10

DcRat.7z

windows10-ltsc 2021-x64

10

DcRat.7z

windows11-21h2-x64

1

Analysis

  • max time kernel
    899s
  • max time network
    516s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    31-12-2024 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DcRat.7z

  • Size

    4.0MB

  • MD5

    836c2ae55c1baec789b83fa3d79d23b3

  • SHA1

    359a091da48369e1e8cea6e004826ee25a93b3db

  • SHA256

    68115c6e039363be3b80e416ed462d97f8c763af800237b1fa183cca1180bac5

  • SHA512

    e12f7438545f6615f84e37b81837127aacc79b4aadd3b212702bb662b0f752778ed15d646e8d657b318dfde57d2f893c18831bfb686a0ae1b7d62137c63080be

  • SSDEEP

    98304:ZuPQL6HZ4+zkMgDWby//eWG/mdBMXW3Jx3/EI+e+:Zuz4+zyDWbRL2s

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:9003
Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DcRat.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4320
  • C:\Users\Admin\Desktop\DcRat.exe
    "C:\Users\Admin\Desktop\DcRat.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:6076
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1144
    • C:\Users\Admin\Desktop\DcRat.exe
      "C:\Users\Admin\Desktop\DcRat.exe"
      1⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1792
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:5336
      • C:\Users\Admin\Desktop\Client.exe
        "C:\Users\Admin\Desktop\Client.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5280

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_kymwtd5fiyktuadip43hppevshtajuzt\1.0.7.0\user.config
        Filesize

        314B

        MD5

        014739a5766c3115083c783039b432c9

        SHA1

        23658fc4b9262aca0799bfae7d9580acaaacfeee

        SHA256

        1a491c457281edb17d1dcd7d5d7b7fb0c035f04faba977555ded7f745ee3ab10

        SHA512

        64a9702bf09885d2a70f6d84e8de1bb38de8667b5b4938d7c863e2a75ce1374f304bee88081dc6cc4f82c9b7f16e2abe4d693d2635fab445905935c3f2b8476d

        Download Submit

      • C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_kymwtd5fiyktuadip43hppevshtajuzt\1.0.7.0\user.config
        Filesize

        585B

        MD5

        90e93817c159709b2142aac31e8fb228

        SHA1

        4173d4a75f80ab1decc3c492c2cc3ef75135d2c4

        SHA256

        9c41eeef8b801315ad4da47a27c6bd0f031bf8a4fb1c71a93f32bec1f3b3e096

        SHA512

        947f10cfb6ef135474ae32be57840262e4a53ec46f575e4899843478b5bc8c239da886badb9172bb980eee1fbf0ca453790d68617c976ec7836d89f3511ba9b5

        Download Submit

      • C:\Users\Admin\Desktop\Client.exe
        Filesize

        47KB

        MD5

        788fab813fa15e5b4d518359fa04b306

        SHA1

        b97968820321d5d6895b4a83f89aee81e7dc0ada

        SHA256

        71c187c63459b107900614c83ab6ad228128e18523d361e1e05e042214af047e

        SHA512

        86b3723484ddfdec4152287e0aaf469ea34538e72ff3441b181fdc0550daea2ab6878114b56865e62af66b17665cb41f535f531bcd4816b5da83aff943fd3187

        Download Submit

      • C:\Users\Admin\Desktop\DcRat.exe
        Filesize

        12.3MB

        MD5

        7fce411ea2b74f227489659113960b18

        SHA1

        543d95b74193a188fe273ce7b065aa177405beb5

        SHA256

        c73b1ffa39c5843b2ed951ac48350d1deb33db4057341f1dab1ee64ea1a62248

        SHA512

        42de7bc4a0b47e1053ff3ff52a3f887e56759f81cfa691996a533d769e80f98b3e8dcf869785fce801d9cc7a2bc3d675e2eb832b520846b053d6b07093be2678

        Download Submit

      • C:\Users\Admin\Desktop\DcRat.exe.config
        Filesize

        5KB

        MD5

        f8806ec6bcfeda3bfaab9821506ef15c

        SHA1

        ede84267e6df98f8c60ecdb72a1546013cb4ba3b

        SHA256

        dc698c4a2c1b33a2e449f4f4c8ef6058c325b4125584a70b71efde05715b78e7

        SHA512

        2617bd0917f5de770c06adec6484ffd2b34406e6708c67929192531bd95eed9e216825909f610573dd6bbef64870c6a7c5801d9d201c0d98010fc634b8f28477

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Audio.dll
        Filesize

        22KB

        MD5

        9834bb111cfe8084c4f88b10c246f4b0

        SHA1

        68fc9f2e8df32a350a56300b3c2bc97f7159c340

        SHA256

        b843447e46f13e5cddc2d3ccc974fdea22a03a4a393a9310787c56b9f18a4c5d

        SHA512

        7b7f7b93c2094f8010fc8ee696a16d3fe8190ce79bfa1fa083a4a09d9d9bc187eb5b43ddd4674c3d11ddadca273c4c108a64d5d7316d923ddb2c351d0be556d9

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Chat.dll
        Filesize

        387KB

        MD5

        485874ca1ca6a970edbf93deacade012

        SHA1

        d6d94a485d4a43f538d305178408f34c032ece60

        SHA256

        eb772c641008eb5d441c37095a4e0b395748b0246f187d30a92c9284e56507fd

        SHA512

        2d49477be64537841de35973575b0f1d3aa44cda9cbe76e3b53fc4d31c8156caa6e1a33af6a60892f912a683b1600a264f256d913ed1a90499796b493ba4aef8

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Extra.dll
        Filesize

        29KB

        MD5

        00d372a4d492c46625e6a2bcf98e12f8

        SHA1

        6663347f6dc00942e32127b4de64a55a348082df

        SHA256

        df8bc945b8e62b82f31e5eb11f472392130becfcee16fd0832e7ae4f109a427e

        SHA512

        051bb37839176ec7c22bf3af57ad3a3e162dd833074be2ea6be937663bb9e6a880007d99425debd6a39ebd255131076a84cd128806990bc253aaea385e656931

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\FileManager.dll
        Filesize

        32KB

        MD5

        67f3e90ab8453715362f181b55315e57

        SHA1

        31b93df1ead2b4abe01234444965398b3fe93be0

        SHA256

        1a311b860252d4aa0c306d9a4e580c1dce91a7f3a03e289ff02b3d4f59588276

        SHA512

        6e8fb1d9f5d568376ab15894f1709d5aa0cb467cb34a1aa9ab3f0bfb78af8cfba76cb185cdfc797ba6afd30f88c9bcf79d118efc2999af12e6bbc21debd3a6cd

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\FileSearcher.dll
        Filesize

        277KB

        MD5

        6d837cc3170240963302c07cdb0cfa06

        SHA1

        d6aab1c8842ef388a756259f49e97de3caaf2732

        SHA256

        6ad83748dae28b4f8e6e93c54ff08fdb01c91eb4f510967145852a2c4b64703c

        SHA512

        baaea2aaaa42d75012c7fcf735b31deb0531e35c7a6a9d93965630a3fa31e8fed836f98a850760eefc253a2ebc001be4c79956efdd6ce51289dd0296cf7c7f1b

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Fun.dll
        Filesize

        33KB

        MD5

        4db70bd8aab4b9b62ce8c318db634b21

        SHA1

        7f5b4b21a021b5fd95702426d97a62222d26520b

        SHA256

        8b8ecd3edab14d136f3257411e2ff9436ae2eebc96f3613e84abdad0fb0a1f3c

        SHA512

        78b59c833075b904c404eb860d309dd15c364032154401a910538bde573be90d7057e2ec390d76104b55da8e586660022633f5566950c1e0eea775474a282004

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Information.dll
        Filesize

        24KB

        MD5

        3105d5c3eeca8a242e366369bf0f1f45

        SHA1

        2ad3283dd949848db6ed4a844500d43a373b650b

        SHA256

        a1a9dd40bcdf20ba208aca0f687fe4bb0a50cc9d62416253d9416400b1cbc9aa

        SHA512

        66ab935e909bc53f9ab9dccf925dd19cb4160fb5e69249274be1a3a502ea1e8061f044dd92e473e5298f768f30e0455731f52532039e80b9cf507a1012201a98

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Logger.dll
        Filesize

        26KB

        MD5

        a77594c93c6b1ae5e13b71df4cb030c0

        SHA1

        8cd99c7365376445012f16f3fe9f22f0a0fda7bd

        SHA256

        870507a66814c8eac8d062a9bd77614db8ef1ee81b17a865974d9e07bbd0318b

        SHA512

        2fe23ae9f06f471c96bd91ec2ee91be69a7ef373d149a1cf9fdc83ac310f8d746ffb998c730588e0f7285bfbbe0709fa5938ccd77b50e53996323aecf5131cc6

        Download Submit

      • C:\Users\Admin\Desktop\Plugins\Miscellaneous.dll
        Filesize

        80KB

        MD5

        0c49fa7e8a6191f95a5a411b216b5dfe

        SHA1

        4476c1694437bcf7feb8eeed609d450a35fa578a

        SHA256

        0f000db8616abb51a74b8fcf943a693b4c78518634df96b7a4546a870de15076

        SHA512

        e4bb840a76c3e35dedf13bf1dda421c0cce4db06a043d181ef5bf02ffcb45e05216e4058f4080b46bb1f7f664f198c859c26d41906ecb4de168c2aaf1a36ffd4

        Download Submit

      • C:\Users\Admin\Desktop\ServerCertificate.p12
        Filesize

        1KB

        MD5

        04180a91c05980f2d36cd86ad71876c4

        SHA1

        b3edbd1565e56d6106bdbb0d728ca881241d55c2

        SHA256

        2bcc44d5d011692564e2e47c5f1801d34c4f3793137e588d0532c9e446691c10

        SHA512

        e68ec6bb2bfb723af5fd78c4134fa9a2a94df3a518b24268f3a070441c2b3d61f238e3d59575fbbe3eda367c522c848832dbbd3c2d01f14538ec77a9cb270873

        Download Submit

      • C:\Users\Admin\Desktop\Stub\Client.exe
        Filesize

        45KB

        MD5

        c007eafb83bde10955e1fb1f559a207e

        SHA1

        5dcf9702941e41c01fc0a8379df21a5691fa1b5f

        SHA256

        f003f20a3f57d41c72f2874a889a7a2a8e396a57f42cce35fbed9869c6a01964

        SHA512

        cd25e388f06a313fb35abb7fc66d1f01c3df18a9ae01e9e2a8d005f44a749d8151650f01d32af83dc23e09ec3b3a6ce3e5a33c8bc1a32c883f848445714fbba6

        Download Submit

      • memory/1792-56-0x00000275F3BA0000-0x00000275F3BB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5280-115-0x000000001CFA0000-0x000000001D016000-memory.dmp

        Filesize

        472KB

        Download

      • memory/5280-104-0x0000000000A00000-0x0000000000A12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5280-116-0x000000001B5B0000-0x000000001B5CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5280-117-0x000000001CF40000-0x000000001CF5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/6076-65-0x00007FF9346D0000-0x00007FF935192000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/6076-64-0x00007FF9346D0000-0x00007FF935192000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/6076-55-0x00007FF9346D3000-0x00007FF9346D5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/6076-53-0x00000186AC230000-0x00000186AC23A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/6076-52-0x00007FF9346D0000-0x00007FF935192000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/6076-51-0x00007FF9346D0000-0x00007FF935192000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/6076-50-0x000001868DD00000-0x000001868E94A000-memory.dmp

        Filesize

        12.3MB

        Download

      • memory/6076-49-0x00007FF9346D3000-0x00007FF9346D5000-memory.dmp

        Filesize

        8KB

        Download