win.dcrat

DCRat

aka: DarkCrystal RAT

DCRat is a typical RAT that has been around since at least June 2019.

References
2022-06-24 Cert-UA Cert-UA
@online{certua:20220624:cyberattack:c247b3d, author = {Cert-UA}, title = {{Cyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware (CERT-UA # 4874)}}, date = {2022-06-24}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/405538}, language = {Ukrainian}, urldate = {2022-06-27} } Cyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware (CERT-UA # 4874)
DCRat
2022-05-09 Blackberry The BlackBerry Research & Intelligence Team
@online{team:20220509:dirty:76f87f1, author = {The BlackBerry Research & Intelligence Team}, title = {{Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains}}, date = {2022-05-09}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains}, language = {English}, urldate = {2022-05-17} } Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains
DCRat NjRAT
2022-04-16 forensicitguy Tony Lambert
@online{lambert:20220416:snip3:6d70f31, author = {Tony Lambert}, title = {{Snip3 Crypter used with DCRat via VBScript}}, date = {2022-04-16}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/}, language = {English}, urldate = {2022-04-29} } Snip3 Crypter used with DCRat via VBScript
DCRat
2022-03-02 RiskIQ Jennifer Grob
@online{grob:20220302:riskiq:38b8181, author = {Jennifer Grob}, title = {{RiskIQ: Malware Linked to Upwork Post Seeking Content Writer for a "Newly Developed Application" Deploys DCRat}}, date = {2022-03-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/50c77491}, language = {English}, urldate = {2022-03-07} } RiskIQ: Malware Linked to Upwork Post Seeking Content Writer for a "Newly Developed Application" Deploys DCRat
DCRat
2022-02-17 Zscaler Stuti Chaturvedi, Aditya Sharma
@online{chaturvedi:20220217:freecryptoscam:340b9ec, author = {Stuti Chaturvedi and Aditya Sharma}, title = {{FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers}}, date = {2022-02-17}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and}, language = {English}, urldate = {2022-03-02} } FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers
DCRat
2022-01-19 Blackberry The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-10-19 Cisco Talos Asheer Malhotra
@online{malhotra:20211019:malicious:6889662, author = {Asheer Malhotra}, title = {{Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India}}, date = {2021-10-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html}, language = {English}, urldate = {2021-11-02} } Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
DCRat Quasar RAT
2021-10-12 Infoblox Avinash Shende
@online{shende:20211012:malspam:41220f1, author = {Avinash Shende}, title = {{Malspam Campaign Delivers Dark Crystal RAT (dcRAT)}}, date = {2021-10-12}, organization = {Infoblox}, url = {https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/}, language = {English}, urldate = {2021-10-22} } Malspam Campaign Delivers Dark Crystal RAT (dcRAT)
DCRat
2021-09-22 YouTube (John Hammond) John Hammond
@online{hammond:20210922:snip3:319b687, author = {John Hammond}, title = {{Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS}}, date = {2021-09-22}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=ElqmQDySy48}, language = {English}, urldate = {2021-09-23} } Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS
DCRat
2021-09-03 Trend Micro Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-12 FireEye Jacob Thompson
@online{thompson:20200512:analyzing:2dceb57, author = {Jacob Thompson}, title = {{Analyzing Dark Crystal RAT, a C# backdoor}}, date = {2020-05-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html}, language = {English}, urldate = {2020-05-18} } Analyzing Dark Crystal RAT, a C# backdoor
DCRat
2019-10-02 tcontre
@online{tcontre:20191002:dcrat:1d1f601, author = {tcontre}, title = {{DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address}}, date = {2019-10-02}, url = {https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html}, language = {English}, urldate = {2020-02-13} } DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address
DCRat
Yara Rules
[TLP:WHITE] win_dcrat_w0 (20200227 | DCRat payload)
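// Detects DCRat (DarkCrystal RAT) payloads by a combination of build/stealer
// artifacts, browser-harvesting symbol names, plugin/API names and anti-VM
// strings. Matching semantics are unchanged from the original rule; the
// condition is only regrouped with explicit parentheses so the effect of
// YARA's implicit operator precedence is visible to the reader.
rule win_dcrat_w0 {
    meta:
        author = "ditekshen"
        description = "DCRat payload"
        cape_type = "DCRat payload"
        source = "https://raw.githubusercontent.com/kevoreilly/CAPEv2/master/data/yara/CAPE/DCRat.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"
        malpedia_version = "20200227"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // DCRat: family-specific build/stealer identifiers. Both must be
        // present ("all of ($dc*)") for this group to count.
        $dc1 = "DCRatBuild" ascii
        $dc2 = "DCStlr" ascii

        // Symbol names that appear alongside the browser data collection
        // code. Some of these ($string5 "WshShell") are generic on their own;
        // the condition therefore requires the whole group ("all of ($string*)"),
        // never a single one.
        $string1 = "CaptureBrowsers" fullword ascii
        $string2 = "DecryptBrowsers" fullword ascii
        $string3 = "Browsers.IE10" ascii
        $string4 = "Browsers.Chromium" ascii
        $string5 = "WshShell" ascii
        $string6 = "SysMngmts" fullword ascii
        $string7 = "LoggerData" fullword ascii

        // DCRat Plugins/Libraries: anchor for the second alternative below.
        $plugin = "DCRatPlugin" fullword ascii

        // AntiVM: VM-vendor strings and a WMI query (Win32_ComputerSystem).
        // Note: `wide` without `nocase` matches UTF-16LE in this exact case
        // only, so $av2/$av4 only hit lowercase occurrences.
        $av1 = "AntiVM" ascii wide
        $av2 = "vmware" fullword wide
        $av3 = "VirtualBox" fullword wide
        $av4 = "microsoft corporation" fullword wide
        $av5 = "VIRTUAL" fullword wide
        $av6 = "DetectVirtualMachine" fullword ascii
        $av7 = "Select * from Win32_ComputerSystem" fullword wide

        // Plugin_AutoStealer, Plugin_AutoKeylogger: plugin API / plugin names.
        $pl1 = "dcratAPI" fullword ascii
        $pl2 = "dsockapi" fullword ascii
        $pl3 = "file_get_contents" fullword ascii
        $pl4 = "classthis" fullword ascii
        $pl5 = "typemdt" fullword ascii
        $pl6 = "Plugin_AutoStealer" ascii wide
        $pl7 = "Plugin_AutoKeylogger" ascii wide

    condition:
        // In YARA `and` binds tighter than `or`, so the original single-line
        // condition already grouped as written here. Consequence: the MZ
        // header check gates ONLY the first alternative; the $plugin
        // alternative can also fire on non-PE input (e.g. a dump that is not
        // a whole PE image). If a PE-only match is intended for both branches,
        // move `uint16(0) == 0x5a4d and` in front of the outer parentheses.
        (
            uint16(0) == 0x5a4d
            and (all of ($dc*) or all of ($string*))
        )
        or
        (
            $plugin
            and (4 of ($av*) or 5 of ($pl*))
        )
}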