ruslanglvv/DC-RAT

DC Rat Malware Analysis Report

1. General Information

As part of this research, an analysis of a malicious sample identified as DC Rat (DCRat, also known as DarkCrystal RAT) was conducted. The initial sample was obtained from the malware repository MalwareBazaar (abuse.ch platform).

SHA256 of the original sample:

1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959

The purpose of this analysis was to determine:

  • the functional capabilities of the sample,
  • obfuscation mechanisms,
  • interaction methods with the command-and-control (C2) infrastructure,
  • indicators of compromise (IOCs).

2. Initial Static Analysis

MalwareBazaar delivers samples as password-protected ZIP archives. After extracting the archive, a single executable (.exe) file was obtained.

2.1 File Type Identification

The utility Detect It Easy was used for initial identification.

Findings:

  • The file is a .NET assembly.
  • Code obfuscation is present.
  • Anti-analysis protection mechanisms are used.

Screenshot 1 — Analysis result in Detect It Easy



3. Deobfuscation Attempts

3.1 Using de4dot

The file was first processed using the deobfuscator de4dot.

Result:

  • The tool partially removed protection.
  • The number of protected constructs was reduced.
  • Full deobfuscation was not achieved.

Screenshot 2 — Result of de4dot's work



3.2 Using NETReactorSlayer

For deeper code cleaning, NETReactorSlayer was used. Unlike de4dot, which is a generic .NET deobfuscator, NETReactorSlayer specifically targets Eziriz .NET Reactor, which explains why it handled the remaining protection that de4dot left behind.

After processing, the file became significantly more readable, allowing detailed analysis of the malware logic.

Screenshot 3 — Result of NETReactorSlayer deobfuscation



4. Dynamic Analysis

Behavioral analysis was performed using Process Hacker.

4.1 Observed Activity

After execution, the following actions were observed:

  1. Creation of a temporary .bat file.
  2. Execution of the .bat file.
  3. Hidden execution of the main executable.
  4. Self-deletion of the .bat file.

Screenshot 4 — Creating and running a .bat file



4.2 Persistence and Masquerading

In the user profile directory:

C:\Users\user1\

a file named firefox.exe was created along with several supporting files.

Further analysis (Screenshot 6) showed that firefox.exe is the same malicious sample, renamed to look like the legitimate Firefox browser executable; comparing its SHA256 with the original sample is the quickest way to confirm this.

This is masquerading (a trusted application name in an unusual location, the root of the user profile rather than a Program Files directory) and is consistent with establishing persistence on the host.

Screenshot 5 — Creating firefox.exe


Screenshot 6 — Firefox.exe analysis in Detect It Easy

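The two behaviours above, a temporary .bat run through cmd.exe and a firefox.exe launched from the root of the user profile, are easy to express as checks over process-creation telemetry. The Python below is an added example and is not code from the report or from the sample; the event records, PIDs, paths and the list of directories where a genuine firefox.exe is expected to live are constructed assumptions for illustration.

```python
"""Added example: flag the behaviour chain from sections 4.1 and 4.2 in
process-creation telemetry (Sysmon Event ID 1 style fields).

Not code from the report or the sample. The events below are constructed;
the PIDs, paths and the expected Firefox install directories are assumptions.
"""
import ntpath

# Where a genuine firefox.exe lives on a default install (assumption for this example).
LEGIT_FIREFOX_DIRS = {
    r"c:\program files\mozilla firefox",
    r"c:\program files (x86)\mozilla firefox",
}


def is_masqueraded_firefox(image: str) -> bool:
    """True for a firefox.exe running outside the standard Mozilla directories."""
    image = image.lower()
    if ntpath.basename(image) != "firefox.exe":
        return False
    return ntpath.dirname(image) not in LEGIT_FIREFOX_DIRS


def is_temp_batch_launch(event: dict) -> bool:
    """True when cmd.exe is started to run a .bat located under a Temp directory."""
    cmdline = event["CommandLine"].lower()
    return (
        ntpath.basename(event["Image"].lower()) == "cmd.exe"
        and ".bat" in cmdline
        and "\\temp\\" in cmdline
    )


def analyse(events: list) -> list:
    """Return (ProcessId, reason) findings, and link the masqueraded binary to the
    batch launcher when the parent/child relationship is visible in the events."""
    findings = []
    batch_pids = set()
    for e in events:
        if is_temp_batch_launch(e):
            batch_pids.add(e["ProcessId"])
            findings.append((e["ProcessId"], "cmd.exe running a .bat from Temp"))
        if is_masqueraded_firefox(e["Image"]):
            reason = "firefox.exe outside the Mozilla install directory"
            if e["ParentProcessId"] in batch_pids:
                reason += ", spawned by the Temp .bat"
            findings.append((e["ProcessId"], reason))
    return findings


# Constructed events (not real telemetry from the sample).
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 90,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user1\AppData\Local\Temp\tmpA1B2.bat"'},
    {"ProcessId": 110, "ParentProcessId": 100,
     "Image": r"C:\Users\user1\firefox.exe",
     "CommandLine": r"C:\Users\user1\firefox.exe"},
    {"ProcessId": 120, "ParentProcessId": 50,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

if __name__ == "__main__":
    for pid, reason in analyse(EVENTS):
        print(pid, reason)
```

The third event is a real Firefox start from Program Files and produces no finding, which is the point of keying on the image path rather than on the file name alone.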


5. Code Analysis

The deobfuscated file was opened in dnSpy for further investigation.

Screenshot 7 — Opening a file in dnSpy



5.1 Configuration Analysis

A long string with the prefix:

H4sIA

was discovered in the code.

This prefix is the base64 encoding of the gzip header bytes 1f 8b 08 followed by a flags byte of 0, so the string is not encrypted but encoded:

  • Base64 encoding
  • GZip compression

Base64-decoding the string and decompressing the result yielded the malware configuration.

Screenshot 8 — Encoded string in the code


Screenshot 9 — Decoded configuration

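Decoding such a string is mechanical once the prefix is recognised. The Python below is an added example, not code from the report or the sample: it reproduces the packing the report describes (gzip, then base64), recognises the H4sI signature, rejects lookalike base64 that is not a gzip stream, and scans a dump of decompiled code for packed blobs. The configuration values and the C#-style dump are constructed placeholders, not the sample's real configuration.

```python
"""Added example: recover a gzip+base64 packed string like the one in section 5.1.

Not the report's or the sample's code. The configuration and the C#-style dump
below are constructed stand-ins; the real configuration is only in Screenshot 9.
"""
import base64
import gzip
import json
import re

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate; base64 of these bytes is "H4sI"

# Base64 runs that start with the gzip signature. The fifth character is "A"
# whenever the gzip FLG byte is 0..3, which covers the headers most writers emit.
PACKED_RE = re.compile(r"H4sI[A-Za-z0-9+/]{16,}={0,2}")


def pack_config(cfg: dict) -> str:
    """The encoding the report describes: JSON -> gzip -> base64."""
    return base64.b64encode(gzip.compress(json.dumps(cfg).encode())).decode("ascii")


def looks_packed(token: str) -> bool:
    """True if the token is valid base64 whose payload begins with the gzip magic."""
    try:
        return base64.b64decode(token, validate=True).startswith(GZIP_MAGIC)
    except ValueError:
        return False


def unpack_config(token: str) -> dict:
    """Reverse of pack_config, refusing input that is not really a gzip stream."""
    raw = base64.b64decode(token, validate=True)
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("not a gzip stream after base64 decoding")
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def find_packed_configs(text: str) -> list:
    """Scan decompiled source (or a strings dump) for packed blobs and decode them."""
    hits = []
    for m in PACKED_RE.finditer(text):
        try:
            hits.append((m.group(0), unpack_config(m.group(0))))
        except (ValueError, OSError):  # lookalike that does not decode cleanly
            continue
    return hits


# Constructed placeholder config (structure only; the sample's real values are not reproduced).
SAMPLE_CONFIG = {
    "c2": "http://c2.example.invalid/@token",
    "mutex": "DCR_MUTEX-EXAMPLE",
    "steal": ["passwords", "cookies", "telegram", "steam", "discord"],
}
PACKED = pack_config(SAMPLE_CONFIG)

# Constructed dnSpy-style output: the packed blob plus one unrelated base64 literal.
SAMPLE_DUMP = (
    'string text = "' + PACKED + '";\n'
    'byte[] key = Convert.FromBase64String("QUJDREVGR0hJSktMTU5PUA==");\n'
)

if __name__ == "__main__":
    print(PACKED[:5])  # the H4sIA prefix the report noticed
    for token, cfg in find_packed_configs(SAMPLE_DUMP):
        print(json.dumps(cfg, indent=2))
```

Checking the magic after decoding, rather than trusting the prefix, is what keeps the scanner from choking on an ordinary base64 literal that happens to start with the same four characters.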


5.2 Targeted Data

According to the configuration, the malware collects:

  • saved passwords;
  • cookies;
  • personal data from accounts:
    • Telegram;
    • Steam;
    • Discord;
  • system information;
  • IP address information;
  • screen captures;
  • microphone and webcam access.

6. Network Activity

6.1 External IP Collection

The following URL was identified in the code:

https://ipinfo.io/

The malware queries this service to learn the victim's external IP address and geolocation. On its own, a request to ipinfo.io is a weak indicator, since many legitimate programs use the same service; it becomes meaningful only in combination with the other IOCs listed in Section 9.

Screenshot 10 — Calling ipinfo.io



6.2 Command-and-Control Server (C2)

During analysis, another obfuscated string was identified.

After decrypting it, the following C2 address was obtained (shown defanged):

http://cc75590[.]tw1[.]ru/@zd3bk5Wa3RHb1FmZlR0X

The endpoint is reached over plain HTTP, so the traffic is not TLS-protected and can be inspected on the wire. It is used to:

  • transmit collected data;
  • receive commands from the operator.

Screenshot 11 — C2 address in the code

Screenshot 12 — Decrypted C2 address
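For blocklisting, the defanged address needs to be split into a host and a path without ever being fetched. The Python below is an added example, not code from the report or the sample. It also applies one extra check the report does not make: the path token after the @ does not decode as base64 into readable bytes, but its reverse does, which suggests the path carries an obfuscated string rather than a random identifier; nothing further is claimed here about its meaning.

```python
"""Added example: take the C2 URL from section 6.2 apart for blocklisting and
inspect the path token. Not the report's or the sample's code; the decode step
is an added check whose result is an observation, not a claim from the report.
"""
import base64
from urllib.parse import urlsplit

C2_DEFANGED = "http://cc75590[.]tw1[.]ru/@zd3bk5Wa3RHb1FmZlR0X"


def refang(url: str) -> str:
    """Turn the defanged IOC notation back into a real URL (never fetch it)."""
    return url.replace("[.]", ".").replace("hxxp://", "http://")


def defang(url: str) -> str:
    """Defang a URL so it cannot be clicked or fetched by accident."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    return f"{parts.scheme}://{host}{parts.path}"


def c2_host(url: str) -> str:
    """Host portion, the value a DNS or proxy blocklist wants."""
    return urlsplit(refang(url)).hostname


def _printable(raw: bytes) -> bool:
    return len(raw) > 0 and all(0x20 <= b < 0x7F for b in raw)


def decode_path_token(url: str) -> tuple:
    """Try the token after '/@' as plain base64, then as reversed base64.
    Returns (orientation, text), or (None, None) if neither yields printable ASCII."""
    token = urlsplit(refang(url)).path.lstrip("/")
    if not token.startswith("@"):
        return (None, None)
    token = token[1:]
    for orientation, candidate in (("plain", token), ("reversed", token[::-1])):
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:
            continue
        if _printable(raw):
            return (orientation, raw.decode("ascii"))
    return (None, None)


if __name__ == "__main__":
    print(c2_host(C2_DEFANGED))
    print(decode_path_token(C2_DEFANGED))
```

Keep the defanged form in written reports and the refanged form only inside tooling; the round trip through refang and defang is there so the two stay consistent.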


7. Functional Capabilities

The analysis revealed the following modules:

  • System information collection module.
  • Credential stealing module (infostealer).
  • C2 communication module.
  • Spy features (peripheral device access).
  • Masquerading and persistence mechanisms.

Screenshot 13 — Infostealer functions

Screenshot 14 — Function for interacting with the C2 server

Screenshots 15, 16 — Masquerading and persistence mechanism


8. Conclusion

The analyzed sample is a multifunctional malicious tool combining:

  • remote administration capabilities,
  • credential theft,
  • system and network data collection,
  • remote command execution.

The use of .NET obfuscation, string encryption, and masquerading techniques demonstrates a deliberate effort to hinder detection and analysis.

This malware poses a significant threat to both individual users and corporate environments.


9. Indicators of Compromise (IOC)

Hashes

Original sample:

SHA256: 1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959

Deobfuscated sample (an analysis artifact produced by NETReactorSlayer; it will not be found on infected hosts):

SHA256: c831fbe6a18373b1040c6b46963c8986bad1c1c0d83be69b9b0c01e4c6692038

Temporary .bat file (self-deleting, so look for it in file-creation telemetry rather than on disk):

SHA256: f98fc1ca4e49dbbabbcb282d536960c2085d070069531113113bfe8f1d682c91

Mutex

DCR_MUTEX-7zgCpdjoYRHPfS1GclpW

The DCR_MUTEX- prefix is characteristic of DCRat builds; the suffix varies per build.

C2 address (defanged)

http://cc75590[.]tw1[.]ru/@zd3bk5Wa3RHb1FmZlR0X


10. Sources

https://bazaar.abuse.ch/sample/1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959/?ref=embeeresearch.io
