General
-
Target
https://github.com/qwqdanchun/DcRat
-
Sample
250519-tv14aabn4v
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/qwqdanchun/DcRat
Resource
win10ltsc2021-20250410-en
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
https://github.com/qwqdanchun/DcRat
-
Asyncrat family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Async RAT payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Renames multiple (348) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
4System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Connections Discovery
1