Manual Static Analysis (LLM-assisted) — DCRat VBS Dropper — Firebase + GitHub Dead-Drop | Threat: HIGH

File Identity

SHA256: 71c79c58dc14cf56ff1c7c4dea1894b4b4d9794a84abb0cc65168a99c0429c69
Format: VBScript (.vbs), Stage 1 dropper
Size: 1,031,536 bytes (~1.0 MB)
Technique: Base64-encoded PowerShell, Firebase + GitHub dead-drop C2

C2 and Download Infrastructure

Stage 2 download: Firebase Storage (firebasestorage.googleapis.com)
Stage 3 download: GitHub RAW (threat actor dead-drop repository)
Token: 9cad75-dbf7-4ece-ad49-7ac5dc81a1b3
Stage 2 (Firebase): https://firebasestorage.googleapis.com/v0b/[proje].appspot.com/o/dll%2FDLL%2018-?-2026.txt?alt=media&token=9cad75-dbf7-4ece-ad49-7ac5dc81a1b3
Stage 3 (GitHub): https://raw.githubusercontent.com/[kullanici]/[repo]/refs/heads/main/[payload].txt (obfuscated, reverse-encoded)
Protocol: HTTPS, TLS 1.2 enforced (SecurityProtocolType::Tls12)

Obfuscation Techniques

String splitting: "pow"+"ersh"+"ell", the command is fragmented to evade signatures
Junk labels: lumoqnmmvflralxr: and driqvqesdfngphhb:, code padded with junk labels and jumps
Reversed URL: the GitHub URL is hidden as reversed Base64 (reversed string encoding)
PowerShell Base64: the entire PS1 code is Base64-encoded and embedded inside the VBS
Temporary files: C:\ProgramData\Lwoqo.ps1 and C:\ProgramData\NgOVP.ps1

Execution Mechanism

  1. The VBS starts: system information is collected via WScript.Shell
  2. The Base64 blob is decoded: the hidden PowerShell code is revealed
  3. PS1 files are written under C:\ProgramData\
  4. PowerShell -ExecutionPolicy Bypass -File [ps1] is executed
  5. A DLL is downloaded from Firebase Storage (masked as DLL 18-x-2026.txt)
  6. A second payload is downloaded from the GitHub dead-drop
  7. The main DCRat module is loaded in memory and executed
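The following Python script is an added example, not part of this report or of any tool it references: it performs the defender-side reverse of steps 2 and 3 and of the obfuscation table above on a constructed VBS sample (reassembling split string literals, decoding the Base64 PowerShell blob, undoing the StrReverse/reversed-Base64 URL) and matches what it recovers against the IoC domains and file paths listed in this report. The sample VBS, the example URLs, the label names and the PowerShell marker list are constructed assumptions; only the IoC values come from the page.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlparse

# IoC values below are taken from this report; every other value in this
# file (sample VBS, example URLs, markers) is constructed for the example.
KNOWN_DOMAINS = {"firebasestorage.googleapis.com", "raw.githubusercontent.com"}
KNOWN_PATHS = {
    r"C:\ProgramData\Lwoqo.ps1",
    r"C:\ProgramData\NgOVP.ps1",
    r"C:\ProgramData\Lwoqo.txt",
}

CONCAT_RE = re.compile(r'"[^"\r\n]*"(?:\s*[&+]\s*"[^"\r\n]*")+')  # "pow"+"ersh"+"ell"
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                      # long Base64 runs
STRREV_RE = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s'"<>]+""")
# Assumed markers that indicate a decoded blob is PowerShell rather than data.
PS_MARKERS = ("SecurityProtocolType", "ExecutionPolicy", "Net.WebClient", "Invoke-")


def join_concatenated_strings(src):
    """Reassemble literal chains such as "pow"+"ersh"+"ell" into whole strings."""
    return ["".join(re.findall(r'"([^"]*)"', m.group(0))) for m in CONCAT_RE.finditer(src)]


def try_decode_base64(blob):
    """Return decoded text if blob is valid Base64 holding printable text, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):  # -EncodedCommand payloads are UTF-16LE
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def decode_base64_blobs(src):
    """Decode every long Base64 run in the script body that yields readable text."""
    return [t for t in (try_decode_base64(m.group(0)) for m in B64_RE.finditer(src)) if t]


def unreverse_strings(src):
    """Undo StrReverse(...) literals, including reversed-then-Base64 content."""
    out = []
    for m in STRREV_RE.finditer(src):
        reversed_back = m.group(1)[::-1]
        out.append(reversed_back)
        decoded = try_decode_base64(reversed_back)
        if decoded:
            out.append(decoded)
    return out


def analyze_vbs(src):
    """Static triage: recover hidden strings, then match URLs and paths against IoCs."""
    literals = join_concatenated_strings(src)
    decoded = decode_base64_blobs(src) + unreverse_strings(src)
    texts = [src, *literals, *decoded]
    urls = sorted({u for t in texts for u in URL_RE.findall(t)})
    hosts = {h for h in (urlparse(u).hostname for u in urls) if h}
    paths = {p for t in texts for p in PATH_RE.findall(t)}
    split_powershell = any("powershell" in s.lower() for s in literals)
    ps_in_blob = any(mk in t for t in decoded for mk in PS_MARKERS)
    report = {
        "split_powershell_literal": split_powershell,
        "powershell_in_decoded_blob": ps_in_blob,
        "urls": urls,
        "ioc_domains": sorted(hosts & KNOWN_DOMAINS),
        "ioc_paths": sorted(paths & KNOWN_PATHS),
    }
    report["suspicious"] = (split_powershell or ps_in_blob) and bool(
        report["ioc_domains"] or report["ioc_paths"]
    )
    return report


# Constructed stand-in for the decoded Stage 1 PowerShell: only string assignments.
PS_STAGE = (
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\r\n"
    "$src = 'https://firebasestorage.googleapis.com/v0/b/example.appspot.com/o/sample.txt?alt=media'\r\n"
    "$dst = 'C:\\ProgramData\\Lwoqo.ps1'\r\n"
    "Write-Output $src, $dst\r\n"
)
GITHUB_URL = "https://raw.githubusercontent.com/example-user/example-repo/refs/heads/main/payload.txt"


def build_sample_vbs():
    """Constructed VBS mimicking the dropper's layout (junk labels, split literal,
    Base64 PowerShell blob, reversed-Base64 GitHub URL); not the real sample."""
    b64_ps = base64.b64encode(PS_STAGE.encode("utf-8")).decode("ascii")
    rev_url = base64.b64encode(GITHUB_URL.encode("utf-8")).decode("ascii")[::-1]
    return (
        "lumoqnmmvflralxr:\r\n"
        "Dim exe, blob, url\r\n"
        'exe = "pow"+"ersh"+"ell"\r\n'
        f'blob = "{b64_ps}"\r\n'
        f'url = StrReverse("{rev_url}")\r\n'
        "driqvqesdfngphhb:\r\n"
    )


if __name__ == "__main__":
    print(json.dumps(analyze_vbs(build_sample_vbs()), indent=2))
```

Run it against a real sample with analyze_vbs(open(path, encoding="latin-1").read()); the recovered URLs and the IoC matches are what to feed into the network and host blocks in the removal section.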

IOCs

SHA256: 71c79c58dc14cf56ff1c7c4dea1894b4b4d9794a84abb0cc65168a99c0429c69
Firebase: firebasestorage.googleapis.com (Stage 2)
GitHub: raw.githubusercontent.com (Stage 3 dead-drop)
Token: 9cad75-dbf7-4ece-ad49-7ac5dc81a1b3
Temporary PS1: C:\ProgramData\Lwoqo.ps1, C:\ProgramData\NgOVP.ps1
Temporary TXT: C:\ProgramData\Lwoqo.txt

How to Remove It

  1. Block VBS: prevent execution of .vbs files (GPO/AppLocker)
  2. Restrict PowerShell: ExecutionPolicy Restricted or Constrained Language Mode
  3. Delete temporary files: C:\ProgramData\Lwoqo.ps1/txt and NgOVP.ps1
  4. Network block: monitor/block unauthorized access to firebasestorage.googleapis.com and
     raw.githubusercontent.com
  5. Full AV scan: run a scan with up-to-date signatures

Technical Summary

This DCRat Stage 1 VBS dropper relies on heavy obfuscation: the PowerShell command is hidden through string splitting ("pow"+"ersh"+"ell"), and the payload URL is stored as reversed Base64. All of the working logic sits inside a Base64-encoded PowerShell blob embedded in the VBS body. The payload is fetched from Firebase Storage and GitHub RAW (the dead-drop repository) and executed in memory. The final payload is the DCRat RAT.

DCRat — Malware Profile

DCRat: Russian-language RAT. sostener1.vbs VBScript dropper. PowerShell ExecutionPolicy Bypass. geutqmonpmjthuux.ru DGA C2.

Malware Type: RAT
Programming Language: C#/.NET
C2 Protocol: HTTP
Target Systems: Windows
Also Known As (AKA): DarkCrystal

Technical Details

.NET C#, AES-128-CBC encryption, plugin architecture (DLLs), TCP default port 5552, SQLite local storage, Anti-VM/Sandbox (process check, registry), separate Loader, Stealer and RAT modules

Capabilities & Behavior

Remote Access & Control
Keylogger
Screen Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (5 indicators)

IOC — DCRat
Type Value Note
sha256 71c79c58dc14cf56ff1c7c4dea1894b4b4d9794a84abb0cc65168a99c0429c69
domain firebasestorage.googleapis.com
domain raw.githubusercontent.com
filepath C:\ProgramData\Lwoqo.ps1
filepath C:\ProgramData\NgOVP.ps1

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
microsoft.com domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
digicert.com domain — TCP active —
system.io domain — TCP active —
crypto.io domain — TCP active —
system.io domain — TCP active —
microsoft.com domain — TCP active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
dcrat, vbs-dropper, firebase, github-deadrop, powershell-bypass, base64, obfuscation, statik-analiz