BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

DCRat

18
Global rank
10 infographic chevron month
Month rank
11
Week rank
6265
IOCs

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Remote Access Trojan
Type
ex-USSR
Origin
1 July, 2018
First seen
14 July, 2024
Last seen
Also known as
Dark Crystal RAT

How to analyze DCRat with ANY.RUN

Remote Access Trojan
Type
ex-USSR
Origin
1 July, 2018
First seen
14 July, 2024
Last seen

IOCs

IP addresses
79.137.248.10
34.92.66.146
45.92.1.155
143.92.60.20
143.92.60.22
172.94.103.171
45.77.175.130
18.158.249.75
173.44.50.86
190.211.255.106
51.75.52.3
82.165.114.107
81.69.247.188
3.131.147.49
20.216.165.135
193.161.193.99
54.94.248.37
18.231.93.153
194.87.218.64
109.107.189.197
Hashes
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af
e6b9d9efdbb6d0d658d6523a0ed9ed89a513f9a020647acb40194f8893f392d8
9bcee93682a4a4f3c0ab31c1471f46f424604d95e26813ca9641016c1152eb6f
e1d9f073ad19ca0941ba5de4b69d2283564793737f5b2e2b0fb33b4132a26811
6add12dd9f1ad161a067f9c7c8950c7a2c00182e391fbab3a8c13f0bc4808f71
a85def6a9c93df7a6c059e5e305dc374ef74c44a4cc77e628b0c945354e4ecb6
6cfaf0baaa146cc03026051292210d4d4fc57b8217450ca391415e6dd27f8b56
7de4166cf9e353a2179c3bf5004042dd9ab40f7f2de6b4f5c7f29ded3435b49b
ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1
16d3961d021c1f220e9744f06ce70be253f6402677c20e8efcc231616d1953f0
bebd0d11986280182b73fb31fed43ada95f60df1bd29b6c6f0218b13490a54f6
21e5a355b9de9dc47da53a1cc8fac1fb1f725a211a3d7debe494c6ab87bdbf12
c9bcf4d73801d6b082308fbe80154901c610b218be094e5811e5b9b59fbf7547
b57e680c994a2d18558380c663e2746ca7a159f4f4e810f6ade29c46c2aa0f44
8e22d996f05c15465c4ab92f4cee452419fdc1b569a63e0936e709a682df9123
f7f617fb91d8a287e99cfe7cf1f31b4d811249c4d6d2cf0e8c07c354f9c0909d
f731b46179f227da5d8751cf225967f12f748358000cc52a88c558f848eea062
f6dde7c34c214a707edb6e7e1c4e918e5bfb9bb01813bf9f20cfdee344161283
2265cccf9b279b2cb05013d612a94506fcd55bedf23f452700922ca436fe87cc
8a0301a78582b811059c6adfbafe17577bafcc93b892a7f73063d02578f9b0c8
Domains
akamaitechcdns.com
76428.clmonth.nyashteam.top
531810.clmonth.nyashteam.top
a0689699.xsph.ru
a0761798.xsph.ru
100879.clmonth.nyashteam.top
flugrekorder.duckdns.org
newroda2023.duckdns.org
055561.clmonth.nyashteam.top
promotores14.duckdns.org
638041.clmonth.nyashteam.top
envio2023junio.duckdns.org
paste-bin.xyz
a1000048.xsph.ru
235566cm.n9shteam2.top
cu85891.tmweb.ru
a0995485.xsph.ru
a0987400.xsph.ru
424673cm.n9shteam2.top
005514cm.n9shteam1.top
URLs
http://cg92198.tw1.ru/L1nc0In
http://95.140.153.179/ProviderMultitrafficWp.php
http://95.140.153.179/ProviderMultitrafficWp
http://a0992484.xsph.ru/server1/09d1f581.php
http://574056cm.nyashka.top/ExternalCpuDefaultdb.php
http://77.91.77.81/Kiru9gu/index.php
http://dfwreds.com/data.php
https://pastebin.com/raw/9B1mtYtp
http://a1003569.xsph.ru/ecafc5f6.php
http://a1003569.xsph.ru/ecafc5f6
http://f0979909.xsph.ru/L1nc0In.php
https://pastebin.com/raw/qJAexXhc
http://147.45.44.3/Secure/LongpollPrivateAsync/1TestDump/traffic/flowerServerbase/Test/trafficwordpressdatalifeDlelocalPrivatecdnuploadsdownloads.php
http://193.233.115.185/Dle0protectTemp/externalprotect/providerimagepolllongpollLinuxGeneratorCdn.php
http://f0979909.xsph.ru/L1nc0In
http://cp57435.tw1.ru/L1nc0In.php
http://co30059.tw1.ru/a40a3f7a.php
http://co30059.tw1.ru/a40a3f7a
http://082650cm.nyashka.top/phpWppublic
http://cl71096.tw1.ru/2a5cb35a.php
Last Seen at
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q2, 2024 
watchers 1338
comments 0
post image
A Guide to Common Encryption Algorithms in Mo...
watchers 359
comments 0
post image
Search for Network Threats by Suricata in TI...
watchers 682
comments 0

What is DCRat malware?

DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that lets threat actors take control over an infected machine and extract users’ data, such as the information copied to the clipboard and personal credentials from apps. The malware is known for its stealthiness and its ability to evade detection by security software. DCrat has been in operation since 2018, yet it regularly undergoes changes aimed at advancing and expanding its capabilities.

The malware consists of several components each responsible for a certain type of malicious activity, including stealing of cryptocurrency and keylogging. On top of that, the authors of DCrat have published a special software called DCRat Studio, which serves as a tool for developing new modules for the malware.

DCrat's popularity can be attributed in part to its low cost. Its one-month license goes for a mere $5, while a lifetime one is available for $40. This is a stark contrast to other malware-as-a-service options. For instance, a lifetime AgentTesla subscription will require forking out $120. According to researchers, such prices are due to the malware being simply a pet project of a single developer, who does not work on it full-time. The developer is likely based in the ex-USSR region.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Technical details of the DCRat malicious software

Although back in 2018, the malicious program utilized Java, it switched to C# in 2019. As a result, nowadays, the majority of Dark Crystal RAT’s modules are written in the C# programming language. However, the administrative server for this malware is developed with JPHP, which is an implementation of PHP that relies on the Java Virtual Machine.

Different samples of the malware have been observed to be outfitted with evasion and obfuscation techniques. For instance, in order to create a layer of protection against malware analysts’ attempts to reverse engineer its code, DCrat’s payload can be obfuscated with Enigma Protector.

The standard set of tools available to threat actors using DCrat includes:

  • DCRat can record the victim's keystrokes, which can be used to steal passwords and other sensitive information.
  • The separate CryptoStealer module of the malware allows attackers to get access to users’ crypto wallet information.
  • It can collect information about the system (CPU and GPU stats, etc.)
  • It can take screenshots of the victim's computer, which can be used to monitor their activity.
  • DCRat can exfiltrate information from browsers, such as session cookies, auto-fill credentials, and credit card details.
  • The malware can transmit the contents of the victim's clipboard to its command-and-control server (C&C).
  • It can hijack Telegram, Steam, Discord accounts.
  • DCrat can function as a loader, dropping other types of malware on the infected computer.

Additionally, DCrat can execute a persistence algorithm to retain control over the system. For instance, the malware can copy itself to a random running process and to the root directory (C:). It then can create shortcuts to these copies in the user's Startup folder. It can also add registry values that point to these shortcuts. This allows DCrat to start automatically when the computer boots up.

It is important to note that Dark Crystal RAT is polymorphic, meaning that attackers can use its builder functionality to add changes to the malware’s code to make it difficult to detect using traditional methods, such as file hash.

Execution process of DCRat

Uploading Dark Crystal RAT to the ANY.RUN sandbox lets you quickly see the malicious activities triggered by the malware. Here is a sample of DCrat executed in the interactive sandbox.

DCrat's flexibility makes it challenging to handle, but there are things that can help us pinpoint it. For example, DCrat rarely produces malicious activity in its current process. Like most malware, it prefers to create large process trees and then infiltrate a harmless process at some point to detonate later. By using ANY.RUN, we can easily identify the process targeted by the malware.

DCRat process tree DCRat's process tree

On top of that, it can delay execution for a period of time after the infection, drop executables, run embedded payloads, and use WMI queries to detect a virtualized environment or or to gain persistence in the system.

DCRat process tree DCRat's WMI queries

Distribution methods of the DCRat malware

Since Dark Crystal RAT is sold openly on the Internet, cyber criminals of all skill levels have access to it. Subsequently, there are many different methods they implement to drop the payload on victims’ computers. Yet, as is the case with most remote access trojans, including Vidar, njRAT, and QuasarRAT, DCrat’s main way of infecting a system is via phishing emails.

Threat actors devise sophisticated multi-staged attacks intended to manipulate the victim into believing that the fake email is actually legitimate and the attachment file it contains is safe to open. These downloadable files are usually in an office suite format, such as .docx or .xls, and have built-in macros or other mechanisms that can trigger the chain reaction which will result in DCRat being dropped onto the system.

There are also accounts of users unsuspectingly downloading a DCrat executable from websites distributing torrent files. In such cases, the malware can be disguised as a legitimate program. Once executed, the program installs the malicious program and runs it, stealing the user’s data often without them being aware of it.

Conclusion

Dark Crystal RAT is a remote access trojan that constitutes a significant concern for organizations and individuals worldwide. The malware’s low price tag and modular design make it an in-demand tool among cyber criminals. To protect your system from DCrat, you should be very careful about opening links or attachments from unknown senders.

Instead of taking the risk of downloading and opening potentially harmful files or clicking on malicious links, you can first analyze them in a sandbox environment like ANY.RUN. This will allow you to quickly and safely determine whether the file is malicious or not. ANY.RUN will also provide you with a detailed report about the malware, including its indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). This information can be used to protect your organization from future attacks.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy