
DCRat


DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that operators can customize for different tasks: stealing passwords and cryptocurrency wallet data, hijacking Telegram and Steam accounts, and more. Attackers distribute DCRat in a variety of ways, but phishing email campaigns are the most common.

Type: RAT
Origin: ex-USSR
First seen: 1 July, 2018
Last seen: 14 December, 2024
Also known as: Dark Crystal RAT


IOCs

IP addresses
79.137.248.10
4.194.12.203
91.92.246.196
91.92.242.235
113.45.153.3
198.13.49.217
20.199.26.211
87.70.175.54
167.94.158.156
172.208.93.32
152.201.182.125
171.41.252.199
66.135.26.66
77.127.86.54
171.41.251.170
141.255.146.60
46.246.12.14
141.255.152.88
78.47.204.48
82.146.39.98
Domains
269818cm.nyashland.top
925823lm.nyashnyash.top
004242cm.nyashland.top
evgenzow.beget.tech
12112.ru.swtest.ru
767241cm.nyashland.top
f0885664.xsph.ru
233584cm.nyashland.top
078301cm.nyashland.top
a0885630.xsph.ru
123d.ddns.net
217196cm.nyashcrack.top
a0889022.xsph.ru
a0887556.xsph.ru
f0892247.xsph.ru
302099cm.nyashland.top
249782m.dccrk.top
098452cm.nyashland.top
598194cm.nyashland.top
ck53254.tw1.ru
URLs
http://a1063683.xsph.ru/2172ee40.php
http://88.255.216.16/landpage
http://kotoswin.darkproducts.ru/L1nc0In
http://64927cm.darkproducts.ru/L1nc0In.php
http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal
http://37.230.117.59/imageVmLongpolluniversal.php
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn
http://78.24.221.196/destenyserver/serverWindows.php
http://185.246.64.16/geoprofile/temporaryfiles/Vmdownloads.php
http://195.3.223.79/Uploads/Universallocal9windows/PhpUploadsWordpress3/3/Process/multiSecure1update/8/MulticdnVideo6/Geo/updatedbTrafficLocal
http://195.3.223.79/Uploads/Universallocal9windows/PhpUploadsWordpress3/3/Process/multiSecure1update/8/MulticdnVideo6/Geo/updatedbTrafficLocal.php
http://a1060903.xsph.ru/b6244617.php
http://ddosbo0r.beget.tech/60d047cb.php
http://817087cm.nyashteam.ru/Jsmultiwp
http://306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads
http://cz26145.tw1.ru/79989c0b.php
http://61839.clmonth.nyashteam.ru/nyashsupport.php
http://smmplanet.xyz/ProviderexternalpipesecureupdateProcessAuthDefaultSql
http://86.110.212.203/geodle/image7Generatorrequest/track/central/4Protect82/universaluniversalPythonBetter/centralDump/8Phpmulti/5requestWindowsWindows/PythonSecuretrackGenerator/externaluniversalprovider/dle/dbProtect/ExternalHttpeternal/VideoauthprotectSqlDbwindowsflowerwplocal
http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php
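The indicator list above mixes bare IPs, hostnames and full URLs, and several of the URLs point at IP addresses rather than domains. Before feeding it to a firewall, proxy or SIEM it has to be normalized. The script below is an added example (not ANY.RUN's code) that classifies each indicator, pulls hosts out of the URLs so that an IP-only or DNS-only blocklist still covers them, and defangs output for sharing. The `PAGE_IOCS` sample is a subset copied from the section above; the classification rules and output format are this example's own.

```python
"""Normalize the DCRat indicators listed on this page into a structured blocklist.

Added example; not ANY.RUN's code. PAGE_IOCS is a subset copied from the IOC section
above; the classification rules and the dict layout are this example's own.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Representative subset of the page's IOC list (copied from the section above).
PAGE_IOCS = [
    "79.137.248.10",
    "91.92.246.196",
    "269818cm.nyashland.top",
    "a0885630.xsph.ru",
    "123d.ddns.net",
    "http://a1063683.xsph.ru/2172ee40.php",
    "http://88.255.216.16/landpage",
    "http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal",
    "http://37.230.117.59/imageVmLongpolluniversal.php",
    "http://195.3.223.79/Uploads/Universallocal9windows/PhpUploadsWordpress3/3/Process/"
    "multiSecure1update/8/MulticdnVideo6/Geo/updatedbTrafficLocal.php",
]

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at least two labels.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify_ioc(value: str) -> str:
    """Return 'ip', 'domain', 'url' or 'unknown' for one indicator string."""
    v = value.strip()
    if "://" in v:
        return "url"
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if _HOST_RE.match(v):
        return "domain"
    return "unknown"


def extract_host(url: str) -> str:
    """Host part of a URL without the port (empty string if unparseable)."""
    return urlparse(url).hostname or ""


def defang(value: str) -> str:
    """Make an indicator safe to paste into tickets or chat: http -> hxxp, '.' -> '[.]'."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def build_blocklist(iocs):
    """Collapse mixed indicators into sets; URLs also contribute their host.

    Returns {'ips': set, 'domains': set, 'urls': set, 'unknown': set}. Anything that
    lands in 'unknown' should be reviewed by hand rather than silently dropped.
    """
    out = {"ips": set(), "domains": set(), "urls": set(), "unknown": set()}
    for ioc in iocs:
        kind = classify_ioc(ioc)
        if kind == "url":
            out["urls"].add(ioc)
            host = extract_host(ioc)
            host_kind = classify_ioc(host)
            if host_kind == "ip":
                out["ips"].add(host)
            elif host_kind == "domain":
                out["domains"].add(host)
        elif kind == "ip":
            out["ips"].add(ioc)
        elif kind == "domain":
            out["domains"].add(ioc)
        else:
            out["unknown"].add(ioc)
    return out


if __name__ == "__main__":
    blocklist = build_blocklist(PAGE_IOCS)
    for kind in ("ips", "domains"):
        for item in sorted(blocklist[kind]):
            print(kind, defang(item))
```

Keep the full URLs as well as the extracted hosts: the free-hosting domains in the list (xsph.ru, beget.tech, tw1.ru, ddns.net) are shared infrastructure, so blocking the host alone can cause collateral damage, while the URL path is specific to the campaign.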

What is DCRat malware?

DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that lets threat actors take control of an infected machine and extract user data, such as clipboard contents and credentials saved in applications. The malware is known for its stealth and its ability to evade detection by security software. DCRat has been in operation since 2018 and is regularly updated to extend its capabilities.

The malware consists of several components, each responsible for a particular type of malicious activity, such as cryptocurrency theft or keylogging. On top of that, the authors of DCRat have published a separate tool, DCRat Studio, for developing new modules for the malware.

DCrat's popularity can be attributed in part to its low cost. Its one-month license goes for a mere $5, while a lifetime one is available for $40. This is a stark contrast to other malware-as-a-service options. For instance, a lifetime AgentTesla subscription will require forking out $120. According to researchers, such prices are due to the malware being simply a pet project of a single developer, who does not work on it full-time. The developer is likely based in the ex-USSR region.


Technical details of the DCRat malicious software

The 2018 version of the malware was written in Java, but it switched to C# in 2019, so most of Dark Crystal RAT's modules today are C#. The administrative server, however, is built with JPHP, an implementation of PHP that runs on the Java Virtual Machine.

Different samples of the malware have been observed using evasion and obfuscation techniques. For instance, to hinder reverse engineering by analysts, DCRat's payload can be protected with Enigma Protector, so the unpacked .NET code is only reachable after the protector layer is stripped or the payload is dumped from memory.

The standard set of capabilities available to threat actors using DCRat includes:

  • Keylogging: DCRat records the victim's keystrokes, which can be used to steal passwords and other sensitive information.
  • Crypto theft: the separate CryptoStealer module gives attackers access to users' cryptocurrency wallet data.
  • System profiling: it collects information about the host (CPU and GPU details, etc.).
  • Screenshots: it captures the victim's screen, which can be used to monitor their activity.
  • Browser data theft: DCRat exfiltrates session cookies, auto-fill credentials and credit card details from browsers.
  • Clipboard monitoring: the malware transmits the contents of the victim's clipboard to its command-and-control (C&C) server.
  • Account hijacking: it can take over Telegram, Steam and Discord accounts.
  • Loader: DCRat can drop and run other malware on the infected computer.

Additionally, DCRat runs a persistence routine to retain control over the system. For instance, the malware can copy itself into the directory of a randomly chosen running process and to the root of the system drive (C:\). It then creates shortcuts to these copies in the user's Startup folder and adds registry Run values that point to those shortcuts. This chain makes DCRat start automatically when the computer boots, and it survives the removal of any single artifact.
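Because each link of that chain (executable copy, Startup-folder shortcut, Run value) is individually unremarkable, a hunt should look at the relationship between them. The script below is an added example, not ANY.RUN's code: it takes a snapshot of running process images, Startup-folder shortcuts and HKCU Run values and flags shortcuts whose target sits in the drive root or beside a running process without itself being a running image, plus Run values that point back into the Startup folder. The `HostSnapshot` layout and the sample data are constructed for illustration; on a real host you would populate them from `Get-Process`, the `.lnk` targets in the Startup folder and the Run key.

```python
"""Hunt for the DCRat-style persistence chain described above:
executable copy in C:\\ root or next to a running process -> .lnk in the user's
Startup folder -> Run-key value pointing at that .lnk.

Added example, not ANY.RUN's code. The snapshot below is constructed, not taken from
a real infection; the HostSnapshot fields and the rule thresholds are this example's own.
"""
from dataclasses import dataclass
import ntpath

STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SYSTEM_ROOT = "C:\\"


@dataclass
class HostSnapshot:
    running_exes: list   # full image paths of running processes
    startup_links: dict  # .lnk path in the Startup folder -> shortcut target path
    run_values: dict     # HKCU\Software\Microsoft\Windows\CurrentVersion\Run name -> command


def _n(path: str) -> str:
    """Canonical Windows path for comparison: normalized separators, lower case."""
    return ntpath.normcase(ntpath.normpath(path))


def hunt_persistence(snap: HostSnapshot) -> list:
    """Return (artifact, reason) pairs that match the chain. Empty list means no hit."""
    findings = []
    running = {_n(p) for p in snap.running_exes}
    proc_dirs = {ntpath.dirname(p) for p in running}
    startup = _n(STARTUP_DIR)
    root = _n(SYSTEM_ROOT)

    for lnk, target in snap.startup_links.items():
        t = _n(target)
        if ntpath.dirname(t) == root:
            findings.append((lnk, f"Startup shortcut -> executable in drive root: {target}"))
        elif ntpath.dirname(t) in proc_dirs and t not in running:
            # A new binary dropped into a running process's folder but not running itself.
            findings.append((lnk, f"Startup shortcut -> fresh copy beside a running process: {target}"))

    for name, cmd in snap.run_values.items():
        c = _n(cmd.strip('"'))
        if c.endswith(".lnk") and ntpath.dirname(c) == startup:
            # Legitimate software points Run values at its own exe, not at a Startup .lnk.
            findings.append((f"HKCU\\...\\Run\\{name}", f"Run value points at a Startup-folder shortcut: {cmd}"))
    return findings


# Constructed snapshot: one benign autostart entry plus the three artifacts of the chain.
SAMPLE = HostSnapshot(
    running_exes=[
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Legit\legit.exe",
    ],
    startup_links={
        rf"{STARTUP_DIR}\Legit.lnk": r"C:\Program Files\Legit\legit.exe",  # benign, target is running
        rf"{STARTUP_DIR}\dfe2a1.lnk": r"C:\dfe2a1.exe",                    # copy in drive root
        rf"{STARTUP_DIR}\update.lnk": r"C:\Windows\update.exe",            # copy beside explorer.exe
    },
    run_values={
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "dfe2a1": rf'"{STARTUP_DIR}\dfe2a1.lnk"',
    },
)

if __name__ == "__main__":
    for artifact, reason in hunt_persistence(SAMPLE):
        print(f"{artifact}\n    {reason}")
```

These are heuristics, not signatures: a copy that is itself already running will only be caught by the drive-root rule, and some legitimate installers do put a shortcut in the Startup folder. Treat a hit as a lead to pull the target binary and check it against the sandbox verdict, not as a verdict on its own.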

It is important to note that Dark Crystal RAT builds are effectively polymorphic: operators use the builder to produce variants whose code differs from one build to the next, so traditional detection methods such as file hashes are unreliable. Behavioral detection and network indicators such as C&C hosts and URL paths are more durable.

Execution process of DCRat

Uploading Dark Crystal RAT to the ANY.RUN sandbox lets you quickly see the malicious activities triggered by the malware. Here is a sample of DCrat executed in the interactive sandbox.

DCRat's flexibility makes it challenging to handle, but there are traits that help pinpoint it. For example, DCRat rarely performs malicious activity in its initial process. Like much malware, it prefers to build a large process tree and at some point inject into a harmless-looking process, where it detonates later. With ANY.RUN, the process targeted by the malware can be identified from the tree.

[Figure: DCRat's process tree]

On top of that, it can delay execution for a period of time after infection, drop executables, run embedded payloads, and use WMI queries to detect a virtualized environment or to gain persistence in the system.

[Figure: DCRat's WMI queries]
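The behaviours above (a deep process tree, a dropped file that is then executed, WMI queries, and a remote thread into a system binary) are individually common but rarely line up in one chain. The script below is an added example, not ANY.RUN's code, that reconstructs a process tree from a constructed Sysmon-style event list and reports which Windows-signed host process received a remote thread from a non-Windows image, together with the ancestry of the injecting process and the drop-then-execute pairs. The event schema, process names and WMI query strings are assumptions made for the example, not DCRat's actual queries or a real trace.

```python
"""Correlate process-creation, file-drop, WMI and remote-thread events into the
"large tree, then detonate inside a harmless process" pattern described above.

Added example, not ANY.RUN's code. EVENTS is constructed to look like Sysmon output
(ProcessCreate, FileCreate, CreateRemoteThread) plus a generic 'wmi_query' record;
the field names, paths and query text are this example's assumptions.
"""
from collections import defaultdict

EVENTS = [  # constructed trace, not from a real DCRat sample
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\Invoice.exe"},
    {"type": "wmi_query", "pid": 200, "query": "SELECT * FROM Win32_ComputerSystem"},
    {"type": "file_create", "pid": 200, "path": r"C:\Users\alice\AppData\Local\Temp\a1b2.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\a1b2.exe"},
    {"type": "process_create", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "pid": 500, "ppid": 300, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "remote_thread", "source_pid": 300, "target_pid": 500},
    {"type": "wmi_query", "pid": 300, "query": "SELECT * FROM Win32_VideoController"},
]


class ProcessTree:
    """Index a flat event list by pid so chains can be walked in both directions."""

    def __init__(self, events):
        self.image, self.parent = {}, {}
        self.children = defaultdict(list)
        self.dropped = defaultdict(list)
        self.wmi = defaultdict(list)
        self.injections = []            # (source_pid, target_pid)
        for e in events:
            t = e["type"]
            if t == "process_create":
                self.image[e["pid"]] = e["image"]
                self.parent[e["pid"]] = e["ppid"]
                self.children[e["ppid"]].append(e["pid"])
            elif t == "file_create":
                self.dropped[e["pid"]].append(e["path"])
            elif t == "wmi_query":
                self.wmi[e["pid"]].append(e["query"])
            elif t == "remote_thread":
                self.injections.append((e["source_pid"], e["target_pid"]))

    def ancestry(self, pid):
        """Image paths from the root of the tree down to pid; [] if pid is unknown."""
        chain = []
        while pid in self.image:
            chain.append(self.image[pid])
            pid = self.parent[pid]
        return list(reversed(chain))

    def is_windows_image(self, pid):
        return self.image.get(pid, "").lower().startswith("c:\\windows\\")

    def find_injected_hosts(self):
        """Windows binaries that received a remote thread from a non-Windows image:
        the 'harmless' process the text says DCRat detonates in."""
        hits = []
        for src, dst in self.injections:
            if self.is_windows_image(dst) and not self.is_windows_image(src):
                hits.append({
                    "target": self.image[dst],
                    "source": self.image[src],
                    "chain": self.ancestry(src),
                    "source_wmi_queries": len(self.wmi[src]),
                })
        return hits

    def dropped_then_executed(self):
        """(parent image, child image) pairs where the parent wrote the child's binary first."""
        hits = []
        for pid, paths in self.dropped.items():
            written = {p.lower() for p in paths}
            for child in self.children[pid]:
                if self.image[child].lower() in written:
                    hits.append((self.image[pid], self.image[child]))
        return hits


if __name__ == "__main__":
    tree = ProcessTree(EVENTS)
    for hit in tree.find_injected_hosts():
        print("injected host:", hit["target"], "<-", " > ".join(hit["chain"]))
    for parent, child in tree.dropped_then_executed():
        print("drop-and-run:", parent, "->", child)
```

The prefix check on `C:\Windows\` is a stand-in for a signature or catalog check; on a real host verify the target's Authenticode signature instead, since a dropped binary can be placed under the Windows directory too (the persistence section above describes exactly that).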

Distribution methods of the DCRat malware

Since Dark Crystal RAT is sold openly on the Internet, cyber criminals of all skill levels have access to it. Consequently, they use many different methods to drop the payload on victims' computers. Yet, as with most commodity malware, including Vidar, njRAT and QuasarRAT, DCRat's main way of infecting a system is via phishing emails.

Threat actors devise multi-stage attacks intended to convince the victim that the fake email is legitimate and that its attachment is safe to open. These attachments are usually Office documents, such as .docx or .xls files, carrying macros or other mechanisms that trigger a chain of downloads which ends with DCRat being dropped onto the system.

There are also reports of users unknowingly downloading a DCRat executable from websites distributing torrent files. In such cases, the malware is disguised as a legitimate program. Once launched, the decoy installs and runs DCRat, which steals the user's data, often without their being aware of it.

Conclusion

Dark Crystal RAT is a remote access trojan that constitutes a significant concern for organizations and individuals worldwide. The malware's low price tag and modular design make it an in-demand tool among cyber criminals. To protect your system from DCRat, be careful about opening links or attachments from unknown senders, and, because builds vary from campaign to campaign, rely on behavioral detection and network indicators rather than file hashes alone.

Instead of taking the risk of downloading and opening potentially harmful files or clicking on malicious links, you can first analyze them in a sandbox environment like ANY.RUN. This will allow you to quickly and safely determine whether the file is malicious or not. ANY.RUN will also provide you with a detailed report about the malware, including its indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). This information can be used to protect your organization from future attacks.

