
DCRat

Global rank: 20 | Month rank: 13 | Week rank: 9 | IOCs: 2341

DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers use a variety of methods to distribute DCRat, but phishing email campaigns are the most common.

Type: Remote Access Trojan
Origin: ex-USSR
First seen: 1 July, 2018
Last seen: 28 February, 2024
Also known as: Dark Crystal RAT


IOCs

Hashes

URLs

https://pastebin.com/raw/gcS8Y8E1
https://pastebin.com/raw/pTFH56pW
http://185.195.24.252/@==gbJBzYuFDT
http://954354cl.nyashmyash.top/@0J3bwBXdzh2chlnb
http://767163cm.nyashsens.top/@0J3bwBXdzh2chlnb
http://825947295cm.whiteproducts.ru/@==gbJBzYuFDT
https://pastebin.com/raw/w4XiC7iY
https://pastebin.com/raw/dsRpnimG
https://pastebin.com/raw/cRNWuKbz
http://cr09599.tw1.ru/@zd3bk5Wa3RHb1FmZlR0X
https://pastebin.com/raw/ncw9tVWD
https://pastebin.com/raw/BbtFLxN0
http://356873cm.nyashtyan.top/@0J3bwBXdzh2chlnb
https://pastebin.com/raw/KzHhi6jB
https://pastebin.com/raw/w4eKY6m4
https://pastebin.com/raw/1xhVSDBq
http://cs52010.tw1.ru/@zd3bk5Wa3RHb1FmZlR0X
https://pastebin.com/raw/yPx06aRv
https://pastebin.com/raw/PXx6ZeVT
https://pastebin.com/raw/zA6uChmd
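The URL indicators above can be turned into a simple matcher for proxy or DNS logs. The script below is an added example (it is not ANY.RUN's code and not part of this page's tooling) and uses three URLs copied from the list above; the log format and the log lines themselves are constructed for the example. Hosts that are shared infrastructure (here pastebin.com) are matched on the full URL, so that unrelated pastes are not flagged, while dedicated C2 hosts and IP addresses are matched on the host alone, whatever path is requested.

```python
"""Match proxy log lines against the URL indicators listed for DCRat.

Indicator handling: shared hosts (pastebin.com) are matched on host + path,
dedicated hosts/IPs on the host only. Log lines are constructed for this
example in the form "<timestamp> <client> <method> <url> <status>".
"""
from urllib.parse import urlsplit

# Hosts that serve many unrelated users; match these on the full URL only.
SHARED_HOSTS = {"pastebin.com"}

# Three indicators copied from the IOC list on this page.
IOC_URLS = [
    "https://pastebin.com/raw/gcS8Y8E1",
    "http://185.195.24.252/@==gbJBzYuFDT",
    "http://954354cl.nyashmyash.top/@0J3bwBXdzh2chlnb",
]

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2024-02-28T10:01:02Z 10.0.0.5 GET https://pastebin.com/raw/gcS8Y8E1 200
2024-02-28T10:01:09Z 10.0.0.7 GET https://pastebin.com/raw/AAAAAAAA 200
2024-02-28T10:02:15Z 10.0.0.5 POST http://954354cl.nyashmyash.top/@0J3bwBXdzh2chlnb 200
2024-02-28T10:02:40Z 10.0.0.5 GET http://185.195.24.252/status 404
2024-02-28T10:03:01Z 10.0.0.9 GET https://example.com/ 200
"""


def _key(url):
    """Return (host, host+path) for a URL, normalised for comparison."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, host + parts.path.rstrip("/")


def build_indicators(urls):
    """Split IOC URLs into a host set and a full-URL set."""
    hosts, full_urls = set(), set()
    for url in urls:
        host, full = _key(url)
        if host in SHARED_HOSTS:
            full_urls.add(full)
        else:
            hosts.add(host)
    return hosts, full_urls


def match_log(log_text, urls=IOC_URLS):
    """Return (line number, client, match type, indicator) for every hit."""
    hosts, full_urls = build_indicators(urls)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash
        host, full = _key(fields[3])
        if full in full_urls:
            hits.append((lineno, fields[1], "url", full))
        elif host in hosts:
            hits.append((lineno, fields[1], "host", host))
    return hits


def affected_clients(hits):
    """Distinct client addresses that contacted an indicator."""
    return sorted({client for _, client, _, _ in hits})


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print("line %d client %s matched %s %s" % hit)
    print("clients to triage:", affected_clients(match_log(SAMPLE_LOG)))
```

A request to a different paste on pastebin.com is deliberately not reported; only the listed raw paste and the two dedicated hosts produce hits, and the same client shows up on all three, which is the kind of correlation worth pulling into an incident ticket.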


What is DCRat malware?

DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that lets threat actors take control of an infected machine and extract user data, such as clipboard contents and credentials stored in applications. The malware is known for its stealthiness and its ability to evade detection by security software. DCRat has been in operation since 2018 and regularly receives changes aimed at advancing and expanding its capabilities.

The malware consists of several components, each responsible for a certain type of malicious activity, such as cryptocurrency theft and keylogging. On top of that, the authors of DCRat have published a dedicated piece of software called DCRat Studio, which serves as a tool for developing new modules for the malware.

DCrat's popularity can be attributed in part to its low cost. Its one-month license goes for a mere $5, while a lifetime one is available for $40. This is a stark contrast to other malware-as-a-service options. For instance, a lifetime AgentTesla subscription will require forking out $120. According to researchers, such prices are due to the malware being simply a pet project of a single developer, who does not work on it full-time. The developer is likely based in the ex-USSR region.


Technical details of the DCRat malicious software

Although the malware was written in Java back in 2018, it switched to C# in 2019, and nowadays the majority of Dark Crystal RAT's modules are written in C#. The administrative server, however, is developed with JPHP, an implementation of PHP that runs on the Java Virtual Machine.

Different samples of the malware have been observed using evasion and obfuscation techniques. For instance, DCRat's payload can be obfuscated with Enigma Protector to hinder analysts' attempts to reverse engineer its code.

The standard set of tools available to threat actors using DCRat includes:

  • Keylogging: DCRat records the victim's keystrokes, which can be used to steal passwords and other sensitive information.
  • A separate CryptoStealer module that gives attackers access to users' crypto wallet information.
  • Collection of system information (CPU and GPU stats, etc.).
  • Screenshots of the victim's desktop, which can be used to monitor their activity.
  • Exfiltration of browser data, such as session cookies, auto-fill credentials, and credit card details.
  • Transmission of the victim's clipboard contents to the command-and-control (C&C) server.
  • Hijacking of Telegram, Steam, and Discord accounts.
  • A loader function for dropping other types of malware on the infected computer.

Additionally, DCRat runs a persistence routine to retain control over the system. For instance, the malware can copy itself to a random running process and to the root directory (C:\). It then creates shortcuts to these copies in the user's Startup folder and can add registry values that point to these shortcuts, so that DCRat starts automatically when the computer boots.

It is important to note that Dark Crystal RAT is polymorphic: attackers can use its builder to alter the malware's code, making it difficult to detect with traditional methods such as file-hash matching.

Execution process of DCRat

Uploading Dark Crystal RAT to the ANY.RUN sandbox lets you quickly see the malicious activities triggered by the malware. Here is a sample of DCrat executed in the interactive sandbox.

DCRat's flexibility makes it challenging to handle, but there are things that can help us pinpoint it. For example, DCRat rarely performs malicious activity in its initial process. Like most malware, it prefers to create large process trees and then inject into a benign process at some point to detonate later. By using ANY.RUN, we can easily identify the process targeted by the malware.

Figure: DCRat's process tree

On top of that, it can delay execution for a period of time after infection, drop executables, run embedded payloads, and use WMI queries to detect a virtualized environment or to gain persistence in the system.

Figure: DCRat's WMI queries
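Both behaviours described above (the process tree with a delayed stage, and the WMI queries) can be surfaced from process-creation telemetry. The script below is an added example, not ANY.RUN's code and not the sandbox's detection logic: it rebuilds the process tree from Sysmon-style ProcessCreate events, flags any process whose command line queries WMI classes commonly used to fingerprint a virtual machine (Win32_ComputerSystem, Win32_BIOS, Win32_VideoController, Win32_DiskDrive), prints the ancestry chain that led to it, and separately reports WMI permanent-event-subscription events, which Sysmon logs as IDs 19 to 21 and which indicate WMI-based persistence. The event records, process names and command lines are constructed for the example.

```python
"""Rebuild a process tree and flag WMI-based VM probing and persistence.

Sysmon event IDs used: 1 = ProcessCreate; 19/20/21 = WMI event filter,
consumer and filter-to-consumer binding. Events are constructed for this
example and carry only the fields the logic needs.
"""
import re

# WMI classes commonly queried to tell a VM/sandbox from real hardware.
VM_CLASS_RE = re.compile(
    r"\b(Win32_ComputerSystem|Win32_BIOS|Win32_VideoController|Win32_DiskDrive)\b", re.I)
WMI_SUBSCRIPTION_IDS = {19, 20, 21}

SAMPLE_EVENTS = [
    {"id": 1, "pid": 880, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "pid": 4120, "ppid": 880,
     "image": r"C:\Users\alice\Downloads\invoice.exe", "cmd": "invoice.exe"},
    # delayed execution before the next stage
    {"id": 1, "pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c timeout /t 30"},
    # VM fingerprinting through a WMI query
    {"id": 1, "pid": 5100, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c \"Get-WmiObject -Query 'SELECT Model FROM Win32_ComputerSystem'\""},
    # an ordinary program spawned by the same parent (candidate injection target)
    {"id": 1, "pid": 5200, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
    # WMI permanent event subscription (fields reduced for the example)
    {"id": 20, "name": "Updater", "consumer": "CommandLineEventConsumer",
     "user": "DESKTOP\\alice"},
]


def basename(image):
    """Last component of a Windows path; works on any host OS."""
    return image.rsplit("\\", 1)[-1]


def build_tree(events):
    """Map pid -> ProcessCreate event."""
    return {ev["pid"]: ev for ev in events if ev["id"] == 1}


def ancestry(tree, pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(basename(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return list(reversed(chain))


def find_vm_probes(events):
    """Processes whose command line references a VM-fingerprinting WMI class."""
    probes = []
    for ev in events:
        if ev["id"] != 1:
            continue
        m = VM_CLASS_RE.search(ev["cmd"])
        if m:
            probes.append({"pid": ev["pid"], "class": m.group(1)})
    return probes


def report(events):
    tree = build_tree(events)
    probes = find_vm_probes(events)
    subs = [ev for ev in events if ev["id"] in WMI_SUBSCRIPTION_IDS]
    chains = {p["pid"]: ancestry(tree, p["pid"]) for p in probes}
    return {"vm_probes": probes, "wmi_subscriptions": subs, "chains": chains}


if __name__ == "__main__":
    r = report(SAMPLE_EVENTS)
    for p in r["vm_probes"]:
        print(f"VM probe in pid {p['pid']} ({p['class']}): " + " -> ".join(r["chains"][p["pid"]]))
    for s in r["wmi_subscriptions"]:
        print(f"WMI subscription (Sysmon ID {s['id']}): {s['consumer']} '{s['name']}' by {s['user']}")
```

The ancestry chain is the useful part for triage: a WMI hardware query issued by PowerShell is unremarkable on its own, but one whose parent is an executable from a user's Downloads folder, alongside a timeout-based delay and a freshly spawned benign process, matches the pattern this section describes.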

Distribution methods of the DCRat malware

Since Dark Crystal RAT is sold openly on the Internet, cyber criminals of all skill levels have access to it. Consequently, there are many different methods they use to drop the payload on victims' computers. Yet, as is the case with most remote access trojans, including Vidar, njRAT, and QuasarRAT, DCRat's main way of infecting a system is via phishing emails.

Threat actors devise sophisticated multi-stage attacks intended to convince the victim that the fake email is legitimate and that the attached file is safe to open. These files are usually in an office suite format, such as .docx or .xls, and contain macros or other mechanisms that trigger the chain of events which ends with DCRat being dropped onto the system.

There are also accounts of users unsuspectingly downloading a DCRat executable from websites distributing torrent files. In such cases, the malware is disguised as a legitimate program. Once executed, the decoy installs the RAT and runs it, which then steals the user's data, often without the user being aware of it.

Conclusion

Dark Crystal RAT is a remote access trojan that constitutes a significant concern for organizations and individuals worldwide. The malware’s low price tag and modular design make it an in-demand tool among cyber criminals. To protect your system from DCrat, you should be very careful about opening links or attachments from unknown senders.

Instead of taking the risk of downloading and opening potentially harmful files or clicking on malicious links, you can first analyze them in a sandbox environment like ANY.RUN. This will allow you to quickly and safely determine whether the file is malicious or not. ANY.RUN will also provide you with a detailed report about the malware, including its indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). This information can be used to protect your organization from future attacks.


