SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dcrat (Back to overview)

DCRat

aka: DarkCrystal RAT

DCRat is a typical RAT that has been around since at least June 2019.

References
2021-09-22YouTube (John Hammond)John Hammond
@online{hammond:20210922:snip3:319b687, author = {John Hammond}, title = {{Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS}}, date = {2021-09-22}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=ElqmQDySy48}, language = {English}, urldate = {2021-09-23} } Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS
DCRat
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-05-12FireEyeJacob Thompson
@online{thompson:20200512:analyzing:2dceb57, author = {Jacob Thompson}, title = {{Analyzing Dark Crystal RAT, a C# backdoor}}, date = {2020-05-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html}, language = {English}, urldate = {2020-05-18} } Analyzing Dark Crystal RAT, a C# backdoor
DCRat
2019-10-02tcontre
@online{tcontre:20191002:dcrat:1d1f601, author = {tcontre}, title = {{DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address}}, date = {2019-10-02}, url = {https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html}, language = {English}, urldate = {2020-02-13} } DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address
DCRat
Yara Rules
[TLP:WHITE] win_dcrat_w0 (20200227 | DCRat payload)
rule win_dcrat_w0 {
    meta:
        author = "ditekshen"
        description = "DCRat payload"
        cape_type = "DCRat payload"
        source = "https://raw.githubusercontent.com/kevoreilly/CAPEv2/master/data/yara/CAPE/DCRat.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"
        malpedia_version = "20200227"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // DCRat
        $dc1 = "DCRatBuild" ascii
        $dc2 = "DCStlr" ascii

        $string1 = "CaptureBrowsers" fullword ascii
        $string2 = "DecryptBrowsers" fullword ascii
        $string3 = "Browsers.IE10" ascii
        $string4 = "Browsers.Chromium" ascii
        $string5 = "WshShell" ascii
        $string6 = "SysMngmts" fullword ascii
        $string7 = "LoggerData" fullword ascii

        // DCRat Plugins/Libraries
        $plugin = "DCRatPlugin" fullword ascii

        // AntiVM
        $av1 = "AntiVM" ascii wide
        $av2 = "vmware" fullword wide
        $av3 = "VirtualBox" fullword wide
        $av4 = "microsoft corporation" fullword wide
        $av5 = "VIRTUAL" fullword wide
        $av6 = "DetectVirtualMachine" fullword ascii
        $av7 = "Select * from Win32_ComputerSystem" fullword wide

        // Plugin_AutoStealer, Plugin_AutoKeylogger
        $pl1 = "dcratAPI" fullword ascii
        $pl2 = "dsockapi" fullword ascii
        $pl3 = "file_get_contents" fullword ascii
        $pl4 = "classthis" fullword ascii
        $pl5 = "typemdt" fullword ascii
        $pl6 = "Plugin_AutoStealer" ascii wide
        $pl7 = "Plugin_AutoKeylogger" ascii wide
        
    condition:
        uint16(0) == 0x5a4d and (all of ($dc*) or all of ($string*)) or ($plugin and (4 of ($av*) or 5 of ($pl*)))
}
Download all Yara Rules