DCRat (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.dcrat (Back to overview)

DCRat

aka: DarkCrystal RAT

DCRat is a typical RAT that has been around since at least June 2019.

References

2025-03-11 ⋅ Kaspersky Labs ⋅ AMR
DCRat backdoor returns
DCRat

2025-02-12 ⋅ cyber.wtf blog ⋅ Hendrik Eckardt, Leonard Rapp
Unpacking Pyarmor v8+ scripts
AsyncRAT DCRat XWorm

2025-02-12 ⋅ Red Canary ⋅ Phil Hagen, Tony Lambert
Defying tunneling: A Wicked approach to detecting malicious network traffic
AsyncRAT DCRat NjRAT XWorm

2025-02-11 ⋅ EclecticIQ ⋅ Arda Büyükkaya
Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
Kalambur BACKORDER DCRat

2025-02-11 ⋅ CyberSecurityNews ⋅ Do Son
Sandworm APT Exploits Trojanized KMS Tools to Target Ukrainian Users in Cyber Espionage Campaign
DCRat

2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2024
Coper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot DCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc

2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver

2024-06-04 ⋅ ⋅ Cert-UA ⋅ Cert-UA
UAC-0200: Targeted cyberattacks using DarkCrystal RAT and Signal as a trusted distribution vehicle (CERT-UA#9918)
DCRat

2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017
Foxit PDF “Flawed Design” Exploitation
Rafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm

2024-04-20 ⋅ Axel's IT Security Research ⋅ Axel Mahr
New Robust Technique for Reliably Identifying AsyncRAT/DcRAT/VenomRAT Servers
AsyncRAT DCRat Venom RAT

2024-04-11 ⋅ Github (jeFF0Falltrades) ⋅ Jeff Archer
Rat King Configuration Parser
AsyncRAT DCRat Quasar RAT Venom RAT

2024-02-01 ⋅ ⋅ Infinitum IT ⋅ Kerime Gencay
DcRat Technical Analysis Report (Paywall)
DCRat

2024-01-25 ⋅ JSAC 2024 ⋅ Masafumi Takeda, Tomoya Furukawa
Threat Intelligence of Abused Public Post-Exploitation Frameworks
AsyncRAT DCRat Empire Downloader GRUNT Havoc Koadic Merlin PoshC2 Quasar RAT Sliver

2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver

2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar

2023-09-04 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali
A deep dive into DCRAT/DarkCrystalRAT malware
DCRat

2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee

2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar

2023-04-08 ⋅ Twitter (@embee_research) ⋅ Embee_research
Dcrat - Manual De-obfuscation of .NET Malware
DCRat

2023-04-08 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam
AsyncRAT DCRat WorldWind

2023-02-24 ⋅ Zscaler ⋅ Avinash Kumar, Niraj Shivtarkar
Snip3 Crypter Reveals New TTPs Over Time
DCRat Quasar RAT

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-09-19 ⋅ Recorded Future ⋅ Insikt Group®
Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Ave Maria Colibri Loader DCRat

2022-09-15 ⋅ Sekoia ⋅ Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer

2022-08-30 ⋅ Cisco ⋅ Vanja Svajcer
ModernLoader delivers multiple stealers, cryptominers and RATs
Coinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-06-24 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware (CERT-UA # 4874)
DCRat Sandworm

2022-06-10 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Massive cyberattack on Media Organizations of Ukraine using crescentImp malware (CERT-UA#4797)
DCRat

2022-05-09 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains
DCRat NjRAT

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-16 ⋅ forensicitguy ⋅ Tony Lambert
Snip3 Crypter used with DCRat via VBScript
DCRat

2022-03-02 ⋅ RiskIQ ⋅ Jennifer Grob
RiskIQ: Malware Linked to Upwork Post Seeking Content Writer for a "Newly Developed Application" Deploys DCRat
DCRat

2022-02-17 ⋅ Zscaler ⋅ Aditya Sharma, Stuti Chaturvedi
FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers
DCRat

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2021-10-19 ⋅ Cisco Talos ⋅ Asheer Malhotra
Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
DCRat Quasar RAT

2021-10-12 ⋅ Infoblox ⋅ Avinash Shende
Malspam Campaign Delivers Dark Crystal RAT (dcRAT)
DCRat

2021-09-22 ⋅ YouTube (John Hammond) ⋅ John Hammond
Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS
DCRat

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2020-05-12 ⋅ FireEye ⋅ Jacob Thompson
Analyzing Dark Crystal RAT, a C# backdoor
DCRat

2019-10-02 ⋅ tcontre
DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address
DCRat

Yara Rules

[TLP:WHITE] win_dcrat_w0 (20200227 | DCRat payload)

rule win_dcrat_w0 {
    meta:
        author = "ditekshen"
        description = "DCRat payload"
        cape_type = "DCRat payload"
        source = "https://raw.githubusercontent.com/kevoreilly/CAPEv2/master/data/yara/CAPE/DCRat.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"
        malpedia_version = "20200227"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // DCRat
        $dc1 = "DCRatBuild" ascii
        $dc2 = "DCStlr" ascii

        $string1 = "CaptureBrowsers" fullword ascii
        $string2 = "DecryptBrowsers" fullword ascii
        $string3 = "Browsers.IE10" ascii
        $string4 = "Browsers.Chromium" ascii
        $string5 = "WshShell" ascii
        $string6 = "SysMngmts" fullword ascii
        $string7 = "LoggerData" fullword ascii

        // DCRat Plugins/Libraries
        $plugin = "DCRatPlugin" fullword ascii

        // AntiVM
        $av1 = "AntiVM" ascii wide
        $av2 = "vmware" fullword wide
        $av3 = "VirtualBox" fullword wide
        $av4 = "microsoft corporation" fullword wide
        $av5 = "VIRTUAL" fullword wide
        $av6 = "DetectVirtualMachine" fullword ascii
        $av7 = "Select * from Win32_ComputerSystem" fullword wide

        // Plugin_AutoStealer, Plugin_AutoKeylogger
        $pl1 = "dcratAPI" fullword ascii
        $pl2 = "dsockapi" fullword ascii
        $pl3 = "file_get_contents" fullword ascii
        $pl4 = "classthis" fullword ascii
        $pl5 = "typemdt" fullword ascii
        $pl6 = "Plugin_AutoStealer" ascii wide
        $pl7 = "Plugin_AutoKeylogger" ascii wide
        
    condition:
        uint16(0) == 0x5a4d and (all of ($dc*) or all of ($string*)) or ($plugin and (4 of ($av*) or 5 of ($pl*)))
}

Download all Yara Rules

DCRat Propose Change

References

Yara Rules

DCRat