Keypoints
- DCRat is a modular .NET RAT distributed as a password-protected 7-zip SFX that extracts and runs a loader (7z.exe → file.bin → main.bat → portprovider.exe → StartMenuExperienceHost.exe).
- Dynamic analysis in ANY.RUN shows the sample drops 7-zip binaries, executes a BAT configuration (main.bat), launches portprovider.exe (masquerading as Spotify), and then runs StartMenuExperienceHost.exe which performs C2 communication.
- Persistence is achieved by creating multiple scheduled tasks (several task names pointing to dropped executables), and the malware cleans up temporary BAT files after execution.
- C2 communication uses HTTP (POST to /EternalLineLowgameDefaultsqlbaseasyncuniversal.php) targeting the domain 019214cm[.]nyashland[.]top; the C2 address is stored in encrypted config and recovered via decryption routines.
- Static analysis reveals heavy .NET obfuscation; key routines KO4 and XT1 generate salts/HMACs and perform Base64 → AES decryption to recover configuration and the C2 address (AES + HMAC verification using PBKDF2-derived key and salt).
- IOCs provided: SFX hash 76de703c…, DCRat sample hash 5fe993c7…, C2 domain 019214cm[.]nyashland[.]top, and filenames like portprovider.exe and StartMenuExperienceHost.exe; reproducible Python decryption scripts are included.
MITRE Techniques
- [T1053.005] Scheduled Task/Job – Used for persistence: ‘portprovider.exe creates multiple scheduled tasks to ensure persistence’
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 over HTTP POST: ‘StartMenuExperienceHost.exe (DCRat) connects to 019214cm[.]nyashland[.]top:80 (C2 address) and posts to path /EternalLineLowgameDefaultsqlbaseasyncuniversal.php.’
- [T1113] Screen Capture – Collection of screen data: ‘Screen Capture’
- [T1123] Audio Capture – Collection of microphone/audio data: ‘Microphone’
- [T1056] Input Capture – Collection of credentials and clipboard contents: evidence in code and strings such as ‘[Clipboard] Saving information…’ and references to stealing Telegram/Steam/Discord credentials.
- [T1027] Obfuscated Files or Information – .NET obfuscation to impede analysis: ‘it appears to be an obfuscated .NET application.’
Indicators of Compromise
- [File hash] DCRat SFX and sample – 76de703cc14b6c07efe92f8f73f9b91e91dc0a48a0024cfdf72fca09cacb5157, 5fe993c74d2fa4eb065149591af56011855a0a8f5471dab498d9e0f6641c6851
- [Domain / C2] C2 server – 019214cm[.]nyashland[.]top and hxxp://019214cm[.]nyashland[.]top/EternalLineLowgameDefaultsqlbaseasyncuniversal[.]php
- [Filenames] Dropped/executed files – portprovider.exe, StartMenuExperienceHost.exe, main.bat, vvGzDF3vOe.bat (temporary BAT), and legitimate 7z.exe / 7z.dll used by SFX
- [Strings / Config] Encrypted config and mutex – encrypted config array and mutex value ‘DCR_MUTEX-11Fyfh7gXU61FzPB2sRh’ (decrypted config shown in article)
DCRat analysis workflow (technical procedure): Start with surface inspection to identify packaging and artifacts. Detect It Easy revealed a password-protected 7-zip SFX loader that executes an embedded script. Because the SFX was password-protected, dynamic sandboxing (ANY.RUN) was used to detonate the sample: observe the extraction chain (7z.exe → file.bin → main.bat), capture dropped files, and record process activity and network traffic. Key artifacts from the run included main.bat (SFX configuration), portprovider.exe (masquerade binary), a temporary BAT (vvGzDF3vOe.bat), and StartMenuExperienceHost.exe (the RAT), plus the scheduled tasks created for persistence.
For dynamic tracing, capture both process trees and network logs: ANY.RUN showed StartMenuExperienceHost.exe posting over HTTP to 019214cm[.]nyashland[.]top on port 80, with POST requests to /EternalLineLowgameDefaultsqlbaseasyncuniversal.php. Also collect dropped filenames and hashes, scheduled task names and actions, and temporary-file deletion behavior (the self-deleting BAT). Use VirusTotal and MalwareBazaar (abuse.ch) for hash enrichment and to confirm that the bundled 7z binaries are legitimate signed components.
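As an added defender-side example (not code from the ANY.RUN write-up), the following Go program refangs the published C2 host and path and scans proxy-log lines for them. Only the host and path come from the article; the log format, client IPs, timestamps and benign URLs are constructed for the demo. It goes slightly beyond the text by also flagging a POST to the C2 path on any other host, since the path is specific enough to be a useful signal on its own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// C2 indicators exactly as the write-up publishes them (defanged).
const (
	c2Host = "019214cm[.]nyashland[.]top"
	c2Path = "/EternalLineLowgameDefaultsqlbaseasyncuniversal[.]php"
)

// Refang converts defanged notation back into values comparable with real log fields.
func Refang(s string) string {
	return strings.NewReplacer("[.]", ".", "[:]", ":", "hxxp://", "http://", "hxxps://", "https://").Replace(s)
}

// Hit is one flagged log line.
type Hit struct {
	Line   int
	Reason string
	URL    string
}

// ScanProxyLog reads lines in the constructed format "<timestamp> <client> <method> <url> <status>"
// and flags any request to the C2 host (case-insensitive, port ignored), or a POST to the
// C2 path on a different host, which would survive a domain rotation by the operator.
func ScanProxyLog(log string) []Hit {
	host, path := Refang(c2Host), Refang(c2Path)
	var hits []Hit
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue // malformed line; in production, count these instead of dropping them silently
		}
		method, u := f[2], f[3]
		parsed, err := url.Parse(u)
		if err != nil {
			continue
		}
		switch {
		case strings.EqualFold(parsed.Hostname(), host):
			hits = append(hits, Hit{i + 1, "request to known DCRat C2 host", u})
		case method == "POST" && parsed.Path == path:
			hits = append(hits, Hit{i + 1, "POST to DCRat C2 path on a different host", u})
		}
	}
	return hits
}

// Constructed sample log: only the C2 host and path are taken from the write-up.
const sampleLog = `
2024-01-01T10:00:00Z 10.0.0.5 GET http://www.example.com/index.html 200
2024-01-01T10:00:03Z 10.0.0.5 POST http://019214cm.nyashland.top/EternalLineLowgameDefaultsqlbaseasyncuniversal.php 200
2024-01-01T10:00:04Z 10.0.0.5 POST http://019214CM.NYASHLAND.TOP:80/EternalLineLowgameDefaultsqlbaseasyncuniversal.php 200
2024-01-01T10:00:09Z 10.0.0.7 POST http://cdn.example.net/EternalLineLowgameDefaultsqlbaseasyncuniversal.php 404
2024-01-01T10:00:10Z 10.0.0.7 GET http://cdn.example.net/EternalLineLowgameDefaultsqlbaseasyncuniversal.php 200
`

func main() {
	for _, h := range ScanProxyLog(sampleLog) {
		fmt.Printf("line %d: %s (%s)\n", h.Line, h.Reason, h.URL)
	}
}
```

On the constructed log this flags lines 2 and 3 on the host match (the upper-case, port-suffixed variant included) and line 4 on the path match; the GET on line 5 is left alone because the write-up only documents POSTs to that path.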
Proceed to static analysis of the .NET binary (after deobfuscation): load it in a .NET decompiler (dnSpy/ILSpy) and search for configuration and upload routines. The article identifies functions ns21.F5x.w90 and ns12.sz3.method_0() leading to dgz.x2l.x2l for C2 generation; KO4 generates the PBKDF2-derived key/HMAC and XT1 retrieves base64 strings that Gi8 decrypts via AES (AES-CBC with IV and HMAC verification). Reproduce the config/C2 decryption using the provided Python code (PBKDF2 → key/hmac split → HMAC verification → AES-CBC decrypt → unpad) to recover the plaintext config, C2 URL, and mutex. Recommended tooling: ANY.RUN for behavior capture, FLOSS for extracting obfuscated strings, and dnSpy/ILSpy for .NET decompilation and deobfuscation.
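The decryption chain just described, as an added example in Go rather than the article's Python; this is not the write-up's script and not DCRat's own code. Because the page does not give the sample's salt, iteration count, hash function or blob layout, the example assumes PBKDF2-HMAC-SHA256 with a constructed salt and iteration count, a 32-byte AES-256 key followed by a 32-byte HMAC key in the derived material, and a blob laid out as HMAC tag || IV || ciphertext; substitute the values recovered from KO4 when working on the real sample. EncryptConfig exists only to build a constructed blob so the demo runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// ASSUMED demo parameters: the real salt, iteration count and key split must be
// read from the sample's KO4 routine in the decompiler; none of these are its values.
const pbkdfIterations, aesKeyLen, hmacKeyLen, tagLen, ivLen = 10000, 32, 32, sha256.Size, aes.BlockSize
var demoSalt = []byte("constructed-salt-not-from-sample")

// pbkdf2 is RFC 8018 PBKDF2 over HMAC-SHA256, written out so the example stays standard-library only.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys is the "key/hmac split": one PBKDF2 output, AES key first, HMAC key after it.
func deriveKeys(password string) (aesKey, hmacKey []byte) {
	km := pbkdf2([]byte(password), demoSalt, pbkdfIterations, aesKeyLen+hmacKeyLen)
	return km[:aesKeyLen], km[aesKeyLen:]
}

// DecryptConfig follows the chain from the write-up: Base64 decode, split tag || iv || ciphertext
// (assumed layout), verify HMAC-SHA256 over iv || ciphertext, AES-CBC decrypt, strip PKCS#7 padding.
func DecryptConfig(password, blobB64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	if len(blob) < tagLen+ivLen+aes.BlockSize || (len(blob)-tagLen-ivLen)%aes.BlockSize != 0 {
		return "", errors.New("blob is not tag || iv || whole AES blocks")
	}
	tag, iv, ct := blob[:tagLen], blob[tagLen:tagLen+ivLen], blob[tagLen+ivLen:]
	aesKey, hmacKey := deriveKeys(password)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(blob[tagLen:]) // iv || ciphertext
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", errors.New("HMAC mismatch: wrong password/salt or modified blob")
	}
	block, _ := aes.NewCipher(aesKey) // key is always 32 bytes, so this cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte gives the pad length
	if n == 0 || n > aes.BlockSize || bytes.Count(pt[len(pt)-n:], []byte{byte(n)}) != n {
		return "", errors.New("invalid PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptConfig builds a blob in the same assumed layout so the demo runs offline on a constructed config.
func EncryptConfig(password, plaintext string) (string, error) {
	aesKey, hmacKey := deriveKeys(password)
	block, _ := aes.NewCipher(aesKey) // 32-byte key, cannot fail
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(iv)
	mac.Write(ct)
	return base64.StdEncoding.EncodeToString(append(append(mac.Sum(nil), iv...), ct...)), nil
}

func main() {
	blob, _ := EncryptConfig("demo-password", `{"Host":"c2.example.invalid","MUTEX":"DCR_MUTEX-constructed"}`) // constructed config, not the sample's
	fmt.Println(DecryptConfig("demo-password", blob))
	fmt.Println(DecryptConfig("wrong-password", blob))
}
```

Running it prints the constructed config for the right password and an HMAC-mismatch error for the wrong one. The HMAC check is the step that matters when reproducing the routine: with a wrong password, salt or iteration count the derived keys differ, so verification fails before AES runs, which is a clean signal that one of the assumed parameters does not match the sample rather than garbage plaintext that has to be second-guessed.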
Read more: https://any.run/cybersecurity-blog/dcrat-analysis-in-any-run/