{"id":7109,"date":"2024-02-27T05:22:31","date_gmt":"2024-02-27T05:22:31","guid":{"rendered":"\/cybersecurity-blog\/?p=7109"},"modified":"2024-06-22T14:52:42","modified_gmt":"2024-06-22T14:52:42","slug":"dcrat-analysis-in-any-run","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/","title":{"rendered":"DCRat: Step-by-Step Analysis in ANY.RUN"},"content":{"rendered":"\n<p>We&#8217;re super excited to introduce a guest writer &#8211; Mizuho (<a href=\"https:\/\/twitter.com\/morimolymoly2\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">@morimolymoly2<\/a> on X) today, a software engineer and malware analyst making their debut on the ANY.RUN blog. In today&#8217;s article, Mizuho guides us through surface, dynamic, and static analysis of DCRat. Let&#8217;s dive in.<\/p>\n\n\n\n<p>In this article, I&#8217;ll guide you through the analysis process of <a href=\"https:\/\/any.run\/malware-trends\/dcrat\" target=\"_blank\" rel=\"noreferrer noopener\">DCRat<\/a> using <a href=\"https:\/\/any.run\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=dcratanalysis&amp;utm_content=linktolanding&amp;utm_term=260224\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.&nbsp;<\/p>\n\n\n\n<p>This powerful malware has been available since 2018. 
Despite its low $5 price tag, it offers a wide array of malicious functions, such as full backdoor access to Windows systems, collection of sensitive personal information like usernames, passwords, and credit card details, capturing screenshots, and stealing Telegram, Steam, and Discord login credentials.&nbsp;<\/p>\n\n\n\n<p>Given the complexity and the range of functions of DCRat, underestimating this malware could lead to significant security breaches and data loss.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why I picked DCRat for this analysis&nbsp;<\/h2>\n\n\n\n<p>I noticed that DCRat seems to be gaining popularity as of late \u2014 it has been frequently mentioned in various underground online forums. This inexpensive, yet highly capable malware gives threat actors complete surveillance over their victims, and its potential to access and control social network accounts adds another layer of risk. It can compromise not just individual data but also potentially broader networks and contacts.&nbsp;<\/p>\n\n\n\n<p>In the article I aim to cover:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Distribution and ecosystem of DCRat.&nbsp;<\/li>\n\n\n\n<li>Surface and Dynamic analysis of DCRat.&nbsp;<\/li>\n\n\n\n<li>Static analysis of DCRat.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What is DCRat malware &nbsp;<\/h2>\n\n\n\n<p>DCRat, also known as Dark Crystal RAT, is both a Remote Access Trojan (RAT) and an information stealer. This dual functionality makes it an especially nasty tool in the hands of cybercriminals.&nbsp;<\/p>\n\n\n\n<p>DCRat&#8217;s modular architecture allows for a high degree of customization, meaning that attackers can configure the malware for their specific objectives. Modularity also ensures that its code can be constantly mutated to bypass signature-based detection.&nbsp;<\/p>\n\n\n\n<p>One of the most alarming aspects of DCRat is its low price of just $5. 
This low cost makes it accessible to a wide array of cybercriminals, and its use has been observed by both novices and organized threat actors.&nbsp;<\/p>\n\n\n\n<p>This is our investigated infection chain of DCRat:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"701\" height=\"631\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-6.png\" alt=\"\" class=\"wp-image-7110\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-6.png 701w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-6-300x270.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-6-370x333.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-6-270x243.png 270w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><figcaption class=\"wp-element-caption\">Flow of Infection<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"112\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-1024x112.png\" alt=\"\" class=\"wp-image-7112\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-1024x112.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-300x33.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-768x84.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-1536x168.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-370x40.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-270x30.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6-740x81.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-6.png 1600w\" sizes=\"(max-width: 
1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN\u2019s malware trends<\/figcaption><\/figure><\/div>\n\n\n<p>As you can see from the ANY.RUN Malware Trends Tracker, DCRat is ranked 9th among all malware as of January 18, 2024, and it&#8217;s on a rising trajectory. You can observe numerous detections of this malware in ANY.RUN&#8217;s <a href=\"https:\/\/bazaar.abuse.ch\/browse.php?search=tag%3Adcrat\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Public Submissions<\/a>, and there are also plenty of samples available on <a href=\"https:\/\/bazaar.abuse.ch\/browse.php?search=tag%3Adcrat\" target=\"_blank\" rel=\"noreferrer noopener\">Malware Bazaar<\/a>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DCRat\u2019s Ecosystem&nbsp;<\/h3>\n\n\n\n<p>DCRat is sold via a Telegram group, where it often goes on sale. It operates on a subscription model, and the standard prices are as follows:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2 months: $5&nbsp;<\/li>\n\n\n\n<li>1 year: $19&nbsp;<\/li>\n\n\n\n<li>Lifetime: $39&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This is already quite inexpensive, but during promotions, the price drops even further. 
The creators of the malware launched a Telegram bot to sell DCRat &#8220;licenses&#8221;:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-883x1024.png\" alt=\"\" class=\"wp-image-7113\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-883x1024.png 883w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-259x300.png 259w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-768x890.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-370x429.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-270x313.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3-740x858.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-3.png 1192w\" sizes=\"(max-width: 883px) 100vw, 883px\" \/><figcaption class=\"wp-element-caption\">DCRat\u2019s selling bot on Telegram<\/figcaption><\/figure><\/div>\n\n\n<p>You can also receive support via the same TG bot. 
The presence of a formal payment page likely makes the process of purchasing malware less daunting for first-timers \u2014 DCRat&#8217;s creators are proficient businessmen and marketers.&nbsp;<\/p>\n\n\n\n<p>The payment page for DCRat is hosted on crystalpay[.]io:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"424\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-1024x424.png\" alt=\"\" class=\"wp-image-7114\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-1024x424.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-300x124.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-768x318.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-1536x636.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-370x153.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-270x112.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2-740x306.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-2.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Payment page on CRYSTALPAY likely hosted by DCRat team<\/figcaption><\/figure><\/div>\n\n\n<p>I looked into how BTC payments for DCRat are processed using a <a href=\"https:\/\/www.blockchain.com\/explorer\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">block explorer<\/a>. 
Each payment goes to a temporary wallet address facilitated by crystalpay[.]io.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"613\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-1024x613.png\" alt=\"\" class=\"wp-image-7115\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-1024x613.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-300x180.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-768x460.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-1536x920.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-370x222.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-270x162.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1-740x443.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/5-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Transaction history of payment address<\/figcaption><\/figure><\/div>\n\n\n<p>From how they operate, it seems that the DCRat team is quite cautious about their OPSEC.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They do all communication through Telegram.&nbsp;<\/li>\n\n\n\n<li>They only accept crypto payments to burner wallets.&nbsp;<\/li>\n\n\n\n<li>They use crystalpay[.]io to further anonymize transactions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Surface analysis of DCRat&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s begin exploring this threat by examining its external characteristics, such as its iconography.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"152\" height=\"164\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/6.png\" alt=\"\" class=\"wp-image-7116\"\/><figcaption class=\"wp-element-caption\">Icon of the malware<\/figcaption><\/figure><\/div>\n\n\n<p>In this case, the loader is disguised behind a printer&#8217;s driver icon.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"654\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-1024x654.png\" alt=\"\" class=\"wp-image-7117\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-1024x654.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-768x491.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-370x236.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1-740x473.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/7-1.png 1446w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Surface Analysis with Detect It Easy<\/figcaption><\/figure><\/div>\n\n\n<p>Tools like Detect It Easy identify the DCRat loader as an SFX (Self-Extracting Archive) file. 
SFX files are a type of executable that contains compressed data, often used for legitimate purposes such as simplifying the installation process of software.&nbsp;<\/p>\n\n\n\n<p>The SFX file runs an embedded script that automatically extracts its contents and then executes the extracted files without the user&#8217;s knowledge.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"627\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-1024x627.png\" alt=\"\" class=\"wp-image-7118\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-1024x627.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-768x470.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1-740x453.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/8-1.png 1120w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">You need a password to open the SFX file&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the case of our sample, the SFX file is password-protected to evade detection and hinder reverse engineering. 
Cracking these passwords can be a time-consuming and resource-intensive process.&nbsp;<\/p>\n\n\n\n<p>In cybersecurity research, we can use alternative methods to understand the threat, such as analyzing the malware&#8217;s behavior in a controlled environment, examining network traffic for anomalies, or using known indicators of compromise (IOCs) to detect its presence on affected systems.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dynamic Analysis in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>I conducted dynamic analysis with ANY.RUN for ease. The detonation results are <a href=\"https:\/\/app.any.run\/tasks\/29d4d4ed-e9a7-4ec3-bb19-101df4f2b015\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=dcratanalysis&amp;utm_content=linktoservice&amp;utm_term=260224\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s first examine the executable file.&nbsp;<\/p>\n\n\n\n<p>The file 76de703cc14b6c07efe92f8f73f9b91e91dc0a48a0024cfdf72fca09cacb5157.exe has a digital signature from ESET, as shown in the image below:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"699\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-699x1024.png\" alt=\"\" class=\"wp-image-7119\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-699x1024.png 699w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-205x300.png 205w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-768x1124.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-370x542.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-270x395.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1-740x1083.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/9-1.png 832w\" sizes=\"(max-width: 
699px) 100vw, 699px\" \/><figcaption class=\"wp-element-caption\">Digital Signature of DCRat<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"200\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10.png\" alt=\"\" class=\"wp-image-7120\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10.png 824w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10-300x73.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10-768x186.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10-370x90.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/10-740x180.png 740w\" sizes=\"(max-width: 824px) 100vw, 824px\" \/><figcaption class=\"wp-element-caption\">File information of DCRat<\/figcaption><\/figure><\/div>\n\n\n<p>Note the description labeled &#8220;Uninstall WinRAR&#8221;. It is likely that the phishing strategy used by attackers involves tricking users into &#8220;uninstalling&#8221; this utility.&nbsp;<\/p>\n\n\n\n<p>Modified files are shown in the image below. 
Dropped files are important artifacts, indicating that 7z.exe extracts a compressed file (file.bin).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-1024x577.png\" alt=\"\" class=\"wp-image-7121\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-1536x865.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/11.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Dropped files from DCRat<\/figcaption><\/figure><\/div>\n\n\n<p>Dropped files from DCRat show that it has 7-zip executables because it is an SFX file.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"206\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-1024x206.png\" alt=\"\" class=\"wp-image-7122\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-1024x206.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-300x60.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-768x155.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-1536x309.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-370x74.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-270x54.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12-740x149.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/12.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Scan result of 7z.dll at VirusTotal<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"218\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-1024x218.png\" alt=\"\" class=\"wp-image-7123\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-1024x218.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-768x164.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-1536x327.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-370x79.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-270x58.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13-740x158.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/13.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Scan result of 7z.exe at VirusTotal<\/figcaption><\/figure><\/div>\n\n\n<p>The scan results of 7z.dll and 7z.exe at VirusTotal reveal that both of the hashes are well-known and legitimate.&nbsp;<\/p>\n\n\n\n<p>Next, let\u2019s take a look at C:\\Users\\admin\\AppData\\Roaming\\temp\\main.bat. This is the configuration script of the 7-Zip SFX executable. 
You can check the content of the &#8220;main.bat&#8221; file on ANY.RUN as shown below:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"396\" height=\"718\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/14.png\" alt=\"\" class=\"wp-image-7124\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/14.png 396w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/14-165x300.png 165w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/14-370x671.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/14-270x490.png 270w\" sizes=\"(max-width: 396px) 100vw, 396px\" \/><\/figure><\/div>\n\n\n<p>This executable performs the following actions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Extract file.bin&nbsp;<\/li>\n\n\n\n<li>Launch C:\\Users\\admin\\AppData\\Roaming\\temp\\main.bat (configuration file)&nbsp;<\/li>\n\n\n\n<li>Extract file.bin (file.zip) and get portprovider.exe&nbsp;<\/li>\n\n\n\n<li>Make portprovider.exe hidden&nbsp;<\/li>\n\n\n\n<li>Launch portprovider.exe&nbsp;<\/li>\n\n\n\n<li>Delete portprovider.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s take a closer look at what this portprovider.exe is:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"221\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-1024x221.png\" alt=\"\" class=\"wp-image-7165\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-1024x221.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-768x166.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-1536x331.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-2048x442.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-370x80.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-270x58.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-17-1-740x160.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">portprovider.exe file information<\/figcaption><\/figure><\/div>\n\n\n<p>&#8220;portprovider.exe&#8221; is a component of DCRat, masquerading as Spotify to blend in with legitimate processes on a user&#8217;s computer. DCRat aims to operate without users being aware of its presence on the computer.&nbsp;<\/p>\n\n\n\n<p>portprovider.exe drops many executables, all of which have the same hash:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"908\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-1024x908.png\" alt=\"\" class=\"wp-image-7126\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-1024x908.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-300x266.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-768x681.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-1536x1362.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-370x328.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-270x239.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16-740x656.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/16.png 1590w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Dropped files which have the same hash<\/figcaption><\/figure><\/div>\n\n\n<p>After dropping these files, cmd.exe executes C:\\Users\\admin\\AppData\\Local\\Temp\\vvGzDF3vOe.bat.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"372\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-1024x372.png\" alt=\"\" class=\"wp-image-7168\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-1024x372.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-300x109.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-768x279.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-1536x558.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-2048x744.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-370x134.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-270x98.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-18-740x269.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Executed BAT file<\/figcaption><\/figure><\/div>\n\n\n<p>C:\\Users\\admin\\AppData\\Local\\Temp\\vvGzDF3vOe.bat performs the following actions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Starts C:\\Users\\admin\\StartMenuExperienceHost.exe (DCRat)&nbsp;<\/li>\n\n\n\n<li>Deletes C:\\Users\\admin\\AppData\\Local\\Temp\\vvGzDF3vOe.bat 
(itself)&nbsp;<\/li>\n\n\n\n<li>StartMenuExperienceHost.exe (DCRat) connects to 019214cm[.]nyashland[.]top:80 (C2 address) and posts to path \/EternalLineLowgameDefaultsqlbaseasyncuniversal.php.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>&#8220;portprovider.exe&#8221; creates multiple scheduled tasks to ensure persistence:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"864\" height=\"964\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18.png\" alt=\"\" class=\"wp-image-7128\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18.png 864w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18-269x300.png 269w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18-768x857.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18-370x413.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18-270x301.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/18-740x826.png 740w\" sizes=\"(max-width: 864px) 100vw, 864px\" \/><figcaption class=\"wp-element-caption\">Process tree of schtasks.exe (scheduling tasks)&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>When analyzing scheduled tasks, it\u2019s helpful to pay attention to the following:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The names of the scheduled tasks&nbsp;<\/li>\n\n\n\n<li>The actions specified in the tasks&nbsp;<\/li>\n\n\n\n<li>The triggers for the tasks&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In our case, the tasks created were as follows:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\Users\\All Users\\dllhost.exe&nbsp;<\/li>\n\n\n\n<li>C:\\Users\\admin\\StartMenuExperienceHost.exe&nbsp;<\/li>\n\n\n\n<li>C:\\Users\\Public\\fontdrvhost.exe&nbsp;<\/li>\n\n\n\n<li>C:\\Users\\Public\\Documents\\My Videos\\fontdrvhost.exe&nbsp;<\/li>\n\n\n\n<li>C:\\Users\\admin\\Start 
Menu\\explorer.exe&nbsp;<\/li>\n\n\n\n<li>C:\\Users\\admin\\AppData\\Roaming\\temp\\portprovider.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>And we can see that one scheduled task was executed:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"114\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19.png\" alt=\"\" class=\"wp-image-7129\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19.png 840w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19-300x41.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19-768x104.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19-370x50.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19-270x37.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/19-740x100.png 740w\" sizes=\"(max-width: 840px) 100vw, 840px\" \/><figcaption class=\"wp-element-caption\">Executed scheduled task<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">DCRat Static Analysis&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s dive into the static analysis of DCRat to better understand its functions, IOCs, and configuration details.&nbsp;<\/p>\n\n\n\n<p>First, let\u2019s take a look at DCRat in Detect It Easy (DIE):<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"651\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-1024x651.png\" alt=\"\" class=\"wp-image-7169\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-1024x651.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-300x191.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-768x488.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-1536x976.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-2048x1302.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-370x235.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-270x172.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-19-740x470.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">DCRat surface analysis with Detect It Easy&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Nothing particularly noteworthy here; it appears to be an obfuscated .NET application.&nbsp;<\/p>\n\n\n\n<p>Obfuscation in the context of a .NET application involves modifying the original source code to make it challenging to understand, though not impossible to analyze, especially with the right tools such as DnSpy.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"346\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-1024x346.png\" alt=\"\" class=\"wp-image-7131\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-1024x346.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-300x101.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-768x260.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-1536x519.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-370x125.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-270x91.png 
270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21-740x250.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/21.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Suspicious code which involved credential theft<\/figcaption><\/figure><\/div>\n\n\n<p>As depicted in the screenshot above, DCRat gathers a substantial amount of data:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Screen Capture&nbsp;<\/li>\n\n\n\n<li>Webcam&nbsp;<\/li>\n\n\n\n<li>Microphone&nbsp;<\/li>\n\n\n\n<li>Steam specific data&nbsp;<\/li>\n\n\n\n<li>Telegram specific data&nbsp;<\/li>\n\n\n\n<li>Discord specific data&nbsp;<\/li>\n\n\n\n<li>.NET specific data&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Analyzing the &#8220;Upload&#8221; function in DCRat can help us identify the C2 server address. This process involves scrutinizing the decompiled source code to pinpoint the specific function responsible for data exfiltration:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"774\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-1024x774.png\" alt=\"\" class=\"wp-image-7132\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-1024x774.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-300x227.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-768x581.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-1536x1162.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-370x280.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-270x204.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-740x560.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22-80x60.png 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/22.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Code which involved in C2 Communication<\/figcaption><\/figure><\/div>\n\n\n<p>In our case, the function <strong>ns21.F5x.w90 <\/strong>and the specific method <strong>ns12.sz3.method_0()<\/strong> are responsible for generating the C2. The function references <strong>dgz.x2l.x2l<\/strong> as the final executor of this action.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"381\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-1024x381.png\" alt=\"\" class=\"wp-image-7133\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-1024x381.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-300x112.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-768x286.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-370x138.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-270x100.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23-740x275.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/23.png 1344w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decryption flow of C2 Address<\/figcaption><\/figure><\/div>\n\n\n<p>The code below calls <strong>KO4<\/strong> and <strong>XT1<\/strong>. 
Let&#8217;s break down what they are responsible for:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"220\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4.png\" alt=\"\" class=\"wp-image-7173\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4-768x165.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4-370x79.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4-270x58.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/image-4-740x159.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Generating HMAC<\/figcaption><\/figure><\/div>\n\n\n<p>The functionality of <strong>KO4<\/strong> lies in deriving, from a password and a salt, both the AES key and the HMAC (Hash-based Message Authentication Code) key: the former decrypts the data, the latter lets the malware verify its integrity before decryption.&nbsp;<\/p>\n\n\n\n<p>DCRat employs <strong>string0<\/strong> as the password and <strong>byte_1<\/strong> as the salt. 
The combination of a password and a salt is a common strategy to enhance the security of encryption and hashing.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"120\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-1024x120.png\" alt=\"\" class=\"wp-image-7171\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-1024x120.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-300x35.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-768x90.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-1536x180.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-2048x240.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-370x43.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-270x32.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/MicrosoftTeams-image-20-1-740x87.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Call Gi8 function and get strings from base64 like string<\/figcaption><\/figure><\/div>\n\n\n<p><strong>XT1<\/strong> (above) retrieves the first base64-like string from <strong>dgz.x2l.array<\/strong>, decodes it using base64, and then passes it to the <strong>Gi8<\/strong> function. 
It appears that Gi8 serves as the decryption component.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-1024x622.png\" alt=\"\" class=\"wp-image-7136\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-1536x933.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26-740x450.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/26.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">AES decryption code<\/figcaption><\/figure><\/div>\n\n\n<p>The argument string is initially encoded in Base64 and subsequently encrypted using AES, with <strong>KO4.W7U <\/strong>acting as the key.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"374\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-1024x374.png\" alt=\"\" class=\"wp-image-7137\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-1024x374.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-300x109.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-768x280.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-370x135.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-270x99.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27-740x270.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/27.png 1074w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Generating salt<\/figcaption><\/figure><\/div>\n\n\n<p>The string <strong>2DR3p5K1MlSUp8vL <\/strong>(above) constitutes part of the salt. Finally, it becomes apparent that KO4 is a generator of configuration:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"363\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-1024x363.png\" alt=\"\" class=\"wp-image-7138\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-1024x363.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-300x106.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-768x272.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-1536x544.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-370x131.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-270x96.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28-740x262.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/28.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Combine and get salt of AES&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>It combines two strings (circled in red). CtvQZH10ETJuAmYV2DR3p5K1MlSUp8vL represents the salt, while the password is array[2]. We wrote&nbsp;the decryption code for it. 
Please refer to the appendix for details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>We\u2019re finally on the home stretch.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"521\" height=\"181\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/29.png\" alt=\"\" class=\"wp-image-7139\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/29.png 521w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/29-300x104.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/29-370x129.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/29-270x94.png 270w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><figcaption class=\"wp-element-caption\">Rough sketch of the decryption process<\/figcaption><\/figure><\/div>\n\n\n<p>The decompiled .NET code includes specific namespaces tailored to distinct functions pertaining to security and communication.&nbsp;<\/p>\n\n\n\n<p>The <strong>ns12<\/strong> namespace encompasses functionality for config decryption, tasked with decrypting configuration data utilized by the malware to operate.&nbsp;<\/p>\n\n\n\n<p>On the other hand, the <strong>dgz <\/strong>namespace is linked to C2 decryption features, housing methods for decrypting communication between the malware and its C2 server.&nbsp;<\/p>\n\n\n\n<p>You can see a decrypted config as follows:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap;\">&#91;\"bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF\",\"DCR_MUTEX-11Fyfh7gXU61FzPB2sRh\",\"0\",\"VV??\",\"\",\"5\",\"2\",\"WyIxIiwiIiwiNSJd\",\"WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ==\"] <\/code><\/pre>\n\n\n\n<p>It\u2019s worth noting the inclusion of a Mutex (mutual exclusion object) value. 
It prevents multiple instances of the same malware from running on the same host:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"513\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-1024x513.png\" alt=\"\" class=\"wp-image-7140\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-1024x513.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-768x385.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-370x185.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30-740x371.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/30.png 1134w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Mutex value which you can observe in ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<p>Here is the decrypted C2 address:&nbsp;<\/p>\n\n\n\n<p><em>http:\/\/019214cm[.]nyashland[.]top\/&#8221;,&#8221;EternalLineLowgameDefaultsqlbaseasyncuniversal&nbsp;<\/em><\/p>\n\n\n\n<p>Decryption code is also provided in the Appendix.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN was highly useful for dynamic analysis. It helps trace network traffic and easily collect IOCs such as domain names, IP addresses, and other network-based signatures. 
However, to see the internals of a .NET RAT you need static analysis and code deobfuscation skills.&nbsp;<\/p>\n\n\n\n<p>In static analysis, you can use decompilers (such as dnSpy or ILSpy for .NET applications) to revert the obfuscated executable back into higher-level code.&nbsp;<\/p>\n\n\n\n<p>Look for patterns and rely on your comprehension of common malware behavior and knowledge of the .NET framework to identify the malware&#8217;s operational logic.&nbsp;<\/p>\n\n\n\n<p>Also, you can extract strings directly from the binary to obtain information such as hardcoded IP addresses, domain names, file paths, and other artifacts.&nbsp;<\/p>\n\n\n\n<p>I recommend using FLOSS: <a href=\"https:\/\/github.com\/mandiant\/flare-floss\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/github.com\/mandiant\/flare-floss<\/a><\/p>\n\n\n\n<p>Flare FLOSS is helpful for extracting strings from binaries. It is designed to automatically deobfuscate and identify hidden strings that have been obfuscated to evade detection.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"342\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/31.png\" alt=\"\" class=\"wp-image-7141\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/31.png 606w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/31-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/31-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/31-270x152.png 270w\" sizes=\"(max-width: 606px) 100vw, 606px\" \/><figcaption class=\"wp-element-caption\">Floss result&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Should you prioritize static or dynamic analysis?&nbsp;<\/h2>\n\n\n\n<p>This depends entirely on the use case. 
For SOC analysts and incident responders, the primary focus is on swiftly identifying threats and implementing containment measures. In this context, static analysis of malware can be time-consuming, and tools like ANY.RUN are invaluable for rapidly understanding the malware&#8217;s impact.&nbsp;<\/p>\n\n\n\n<p>On the other hand, for a malware analyst or researcher who dedicates significant time to unpacking every aspect of the malware&#8217;s operation, deep-dive static analysis is essential. This approach aims not only to comprehend and mitigate the current threat but also to anticipate future variations and contribute to the development&nbsp;of long-term defenses.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK of DCRat&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN automatically maps threats to the MITRE ATT&amp;CK framework. This makes it easy for SOC analysts to quickly understand TTPs employed by a given piece of malware.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-1024x554.png\" alt=\"\" class=\"wp-image-7142\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-1024x554.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-1536x831.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32-740x401.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/32.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\">Mitre ATT&amp;CK in ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>In the article, we&#8217;ve explored the functionalities of DCRat and its ecosystem. Notably, DCRat is accessible at a low cost and boasts a widespread user base. Of particular interest is its payment system, <em>crystalpay[.]io<\/em>, which helps attackers conceal transactions. We also saw that the DCRat team demonstrates a high level of OPSEC&nbsp;awareness.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">About ANY.RUN<\/h3>\n\n\n\n<p>Trusted by over 400,000 security specialists, <a href=\"https:\/\/any.run\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=dcratanalysis&amp;utm_content=linktolanding&amp;utm_term=260224\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> empowers SOC and DFIR teams to efficiently investigate threats through its cloud-based malware sandbox.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/#register\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=dcratanalysis&amp;utm_content=linktoregistration&amp;utm_term=260224\" target=\"_blank\" rel=\"noreferrer noopener\">Get started in ANY.RUN for free today \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs&nbsp;<\/h2>\n\n\n\n<p>DCRat SFX: 76de703cc14b6c07efe92f8f73f9b91e91dc0a48a0024cfdf72fca09cacb5157&nbsp;<\/p>\n\n\n\n<p>DCRat: 5fe993c74d2fa4eb065149591af56011855a0a8f5471dab498d9e0f6641c6851&nbsp;<\/p>\n\n\n\n<p>C2 domain: 019214cm[.]nyashland[.]top&nbsp;<\/p>\n\n\n\n<p>C2: hxxp:\/\/019214cm[.]nyashland[.]top\/EternalLineLowgameDefaultsqlbaseasyncuniversal[.]php&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">YARA rule&nbsp;<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>import \"dotnet\" \n\n  \n\nrule dcrat_yara { \n\n    meta: \n\n        description = \"DCRat YARA\" \n\n        author = \"Mizuho Mori a.k.a. 
morimolymoly\" \n\n        hash = \"5fe993c74d2fa4eb065149591af56011855a0a8f5471dab498d9e0f6641c6851\" \n\n    strings: \n\n        $1 = \"Uninstall WinRAR\" \n\n        $2 = \"k786jutyhrtgj756h4tgrku6jyhrtgerjyhrtgerfwc\" \n\n        $3 = \"Alexander Roshalov\" \n\n        $8 = \"Webcams\" \n\n        $9 = \"TelegramPath\" \n\n        $10 = \"FrameworkVersion\" \n\n        $11 = \"Saving...\" \n\n        $12 = \"DarkCrystal RAT\" \n\n        $13 = \"&#91;Screenshot] Saving screenshots from \" \n\n        $14 = \"&#91;Clipboard] Saving information...\" \n\n        $15 = \"&#91;SystemInfromation] Saving information...\" \n\n        condition: \n\n            (dotnet.is_dotnet == 1) and \n\n            any of them \n\n} \n\n  \n\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Decryption code for DCRat config<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC\nfrom cryptography.hazmat.primitives import hashes, padding\nfrom hashlib import sha256\nimport base64\nimport hmac\n\n\nclass KO4:\n    # Mirrors KO4 in the malware: PBKDF2-HMAC-SHA1 over password and salt,\n    # 1024 iterations, 96 bytes of output split into a 32-byte AES key\n    # and a 64-byte HMAC key\n    def __init__(self, password, salt):\n        kdf = PBKDF2HMAC(\n            algorithm=hashes.SHA1(),\n            length=96,  # 32 + 64\n            salt=salt,\n            iterations=1024,\n            backend=default_backend()\n        )\n        key = kdf.derive(password)\n        self.key = key&#91;:32]\n        self.hmac = key&#91;32:96]\n\n\ndef decrypt_aes(encrypted_data, key, hmack):\n    # Blob layout: HMAC-SHA256 tag (32 bytes) | IV (16 bytes) | AES-CBC ciphertext\n    hmac_sha256 = hmac.new(hmack, digestmod=sha256)\n    hmac_sha256.update(encrypted_data&#91;32:])\n    computed_hmac = hmac_sha256.digest()\n\n    if not hmac.compare_digest(computed_hmac, encrypted_data&#91;:32]):\n        raise ValueError(\"HMAC verification failed\")\n\n    iv = encrypted_data&#91;32:48]\n    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())\n    decryptor = cipher.decryptor()\n    padded_plaintext = decryptor.update(encrypted_data&#91;48:]) + decryptor.finalize()\n\n    # Strip the PKCS7 padding so that no padding bytes end up in the printed config\n    unpadder = padding.PKCS7(128).unpadder()\n    return unpadder.update(padded_plaintext) + unpadder.finalize()\n\n\npassword = \"1CeTYFnv0zFx9kGDpuTPGULeR1t2d5ZrjKJzJJ5oXZ6Re2Z6eQUbvJ8g19ChWvR4aXNybQ4fzp1rX3AZcwXMl76aMm8JHYSmHB1HokfNWymFRQJ89mEjXFTcbxmzSuXa\".encode(\"utf-8\")\nsalt = \"CtvQZH10ETJuAmYV2DR3p5K1MlSUp8vL\".encode(\"utf-8\")\nko4_instance = KO4(password, salt)\nkey = ko4_instance.key\n\nencrypted_data = base64.b64decode(\"twqziPMyOf6TnyOB\/OK1jTdK956e34V42RMtGMVty6+ZbZ\/0qhyPa51EFIbkOILnUmjGENz8Bsxp9j12\/g0Zr3vpvrUnsOzV2cwwuEaLXKjVJIqSveHZfNuYG6F4zyNhcW8shTMg0VI7dKjnY1vGpJbwrXByPVnI4FBFnJoRImSAE1vNJjvzdOzHq5+w2xstewXQhRP4PqEtgiVd3odCEho1geLc70vkATTvkgk2FVbmSJAF1j6SSlWrBFBm8Bl2lLqol1r85lvAIjSpagTFIm8QKQfD05h5sXR17sKazsdKdP9ahYS+ldWkjEMLe8tV5boxfNV1gJDpi15NixjKJWS5myqzYOhSQn1JynlWh9ej0Y2YYlj3YEp\/j+xqWYvOvnHPVdOt928Z9+jep98h0SxvkGnrNxLvcDIJI0VSVkC9eIU4XADkRe4hAMmJbvQ5671XQSoLJCsWxQ4IzS596vNXL7n+UKLx2LXD\/fkJNE7NMMOKuFGBQ+IgdOffNUw9gOV3731cJ4WFYfMLMLuhZeQI4sDbY9xlAXD9Ha+7hY7Dx9sk3u9ybZZ0DP0nxW2w9zNad\/GEX9+MklEXrRjLjGDD5iCQKCAMKaSVEsTvKPZ3RX2BtuRrL2egqdU531tZKbG4yJnXY12vrzJeS2Dg+1\/IVQEoFVfNoWF0sPil1Dvmt28pC5+7+9v8\/vIxVfn6LP4PbSpTW1qNSZK5LWQDiSAFyFfnO6Vpk7atHaYlb1+t9gBaPBOLJJQCwXLNUVhRwY271kvh8EUUwFo4ld7kPVv5zNIbe5oTVR8UewFIES2f4KGGLo4loJpBM+5dMvomDctqqFNCmASxLHikniRsOs+5ci4I0hig0khqu1JYM8hNxrlaTPI2BboP3f0gFhFN9YmTL1KicLWdh6ftKWRFQX0qPYd6Ww4oQuBAxEkKA76wEHdpoO5iDVCXoQhF+QPpXxRrxvIzbPlpmQsfPiZa+\/N4P9zm0wmTv02102\/UN+0=\")\n\ndecrypted_data = decrypt_aes(encrypted_data, key, ko4_instance.hmac)\nprint(decrypted_data.decode(\"utf-8\"))<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Decryption of C2 address&nbsp;<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom 
cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC\nfrom cryptography.hazmat.primitives import hashes, padding\nfrom hashlib import sha256\nimport base64\nimport hmac\n\n\nclass KO4:\n    # Same key derivation as in the config decryptor: PBKDF2-HMAC-SHA1,\n    # 1024 iterations, 96 bytes split into a 32-byte AES key and a 64-byte HMAC key\n    def __init__(self, password, salt):\n        kdf = PBKDF2HMAC(\n            algorithm=hashes.SHA1(),\n            length=96,  # 32 + 64\n            salt=salt,\n            iterations=1024,\n            backend=default_backend()\n        )\n        key = kdf.derive(password)\n        self.key = key&#91;:32]\n        self.hmac = key&#91;32:96]\n\n\ndef decrypt_aes(encrypted_data, key, hmack):\n    # Blob layout: HMAC-SHA256 tag (32 bytes) | IV (16 bytes) | AES-CBC ciphertext\n    hmac_sha256 = hmac.new(hmack, digestmod=sha256)\n    hmac_sha256.update(encrypted_data&#91;32:])\n    computed_hmac = hmac_sha256.digest()\n\n    if not hmac.compare_digest(computed_hmac, encrypted_data&#91;:32]):\n        raise ValueError(\"HMAC verification failed\")\n\n    iv = encrypted_data&#91;32:48]\n    encrypted_data = encrypted_data&#91;48:]\n\n    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())\n    decryptor = cipher.decryptor()\n    padded_plaintext = decryptor.update(encrypted_data) + decryptor.finalize()\n\n    # Remove the PKCS7 padding from the CBC plaintext\n    unpadder = padding.PKCS7(128).unpadder()\n    plaintext = unpadder.update(padded_plaintext) + unpadder.finalize()\n    return plaintext\n\n\n# decrypt Password\npassword = \"bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF\".encode(\"utf-8\")\nsalt = \"CtvQZH10ETJuAmYV2DR3p5K1MlSUp8vL\".encode(\"utf-8\")\nko4_instance = KO4(password, salt)\nkey = ko4_instance.key\n\nencrypted_data = base64.b64decode(\"6DuJThqLqhXMRndyjcrpSvR+NowgfgPUfadTAPLT7RzQEaQ3bZTS2B69cJ+6b9gMItPpYbJufWtQMjS77Qehab2Q+nE+hYfWDfb+T9kHg8KoSt+NAc00NmL95jbxX5qWdMKBiNsSTppEM\/HD93PwYFKZCrLv7VhGHiQP8GV5\/h8KKSZ+93DQTyTyXIU9kKzo6EM\/bmELphag+kIO5kj28pRQY9kCOtzWU5LxezAmxJdrcp+EGjpZSgMpeynFIZE9\")\n\ndecrypted_data = decrypt_aes(encrypted_data, key, ko4_instance.hmac)\nprint(\"decrypted password: \" + decrypted_data.decode(\"utf-8\"))\n\n# decrypt C2\npassword = \"XPkWC3v1QKzwU0J5dAKeTsPBsYp18q5mbMsCqw5G1NTNQgIkoqWSj2GpAinnN33kONVHHGPqEEnGZBvMQFMRTmCiGDCHIS37Ts8DKAchbqOfP9P8xbXIqlQlKxBEEHhv\".encode(\"utf-8\")\nsalt = \"CtvQZH10ETJuAmYV2DR3p5K1MlSUp8vL\".encode(\"utf-8\")\nko4_instance = KO4(password, salt)\nkey = ko4_instance.key\n\nencrypted_data = base64.b64decode(\"zCEl5MLNt1nWGMDkINJb16lVnQwVhHlbE0ON\/jzps092WYVbsn8xXBFE1kAEM8FE6Zu4vZdIFAVDmeASNmk+Cal\/saaZFTYrBzpD6gHAmeV\/2nzMJLz3TeS9r66FgUt0rP\/vImvRIfwAfOjcSrkD1sdkzQFiIyDJZ3lO3QnF4FxspW89vlhx6OBIISdDgT0h\")\n\ndecrypted_data = decrypt_aes(encrypted_data, key, ko4_instance.hmac)\nprint(\"decrypted C2: \" + decrypted_data.decode(\"utf-8\"))<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;re super excited to introduce a guest writer &#8211; Mizuho (@morimolymoly2 on X) today, a software engineer and malware analyst making their debut on the ANY.RUN blog. In today&#8217;s article, Mizuho guides us through surface, dynamic, and static analysis of DCRat. Let&#8217;s dive in. 
In this article, I&#8217;ll guide you through the analysis process of [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7145,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,77,15,34,40],"class_list":["post-7109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-guest-post","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>DCRat: Step-by-Step Analysis in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about the distribution and ecosystem of DCRat and study a detailed dynamic analysis of DCRat using the ANY.RUN sandbox.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mizuho Mori\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/\"},\"author\":{\"name\":\"Mizuho Mori\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"DCRat: Step-by-Step Analysis in ANY.RUN\",\"datePublished\":\"2024-02-27T05:22:31+00:00\",\"dateModified\":\"2024-06-22T14:52:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/\"},\"wordCount\":2427,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"guest post\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/\",\"name\":\"DCRat: Step-by-Step Analysis in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-02-27T05:22:31+00:00\",\"dateModified\":\"2024-06-22T14:52:42+00:00\",\"description\":\"Learn about the distribution and ecosystem of DCRat and study a detailed dynamic analysis of DCRat using the ANY.RUN 
sandbox.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dcrat-analysis-in-any-run\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DCRat: Step-by-Step Analysis in ANY.RUN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mizuho Mori\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/moly.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/moly.png\",\"caption\":\"Mizuho Mori\"},\"description\":\"Mizuho is a guest writer, software engineer, malware analyst. His background was a cyber threat intelligence analyst and cyber threat researcher. He currently spends time on researching malware trends and malware analysis. He has a passion for programming and researching and investigation. Check his website out.\",\"sameAs\":[\"https:\/\/morimolymoly.com\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}