{
	"id": "6b2a188a-86f7-41a1-927d-ebea908a0014",
	"created_at": "2026-04-06T00:21:02.843396Z",
	"updated_at": "2026-04-10T03:21:05.204302Z",
	"deleted_at": null,
	"sha1_hash": "0ec4a51d7da1ab2a877a5a7bbff3981aacee6738",
	"title": "A deep dive into DCRAT/DarkCrystalRAT malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1558399,
	"plain_text": "A deep dive into DCRAT/DarkCrystalRAT malware\r\nBy Muhammad Hasan Ali\r\nPublished: 2023-08-30 · Archived: 2026-04-05 22:26:57 UTC\r\n20 minute read\r\nIn the name of God, the Most Gracious, the Most Merciful\r\nFreePalestine\r\nIntroduction\r\nDark Crystal RAT (DCRat) is a typical RAT that has been around since at least June 2019. It offers a wide range of malicious capabilities: power options (shut down, reboot, or log off the system), enumeration (processes, folders, drives), execution of C#, VB, VBS and PowerShell code, and denial of service (DoS) attacks. In this post we take a deep dive into those capabilities.\r\nTechnical summary\r\nAction: Description\r\nPower options: Reboot or shut down the system and log off the current user.\r\nEnumerate operations: Enumerate processes (including their executable paths), folders, drives, screens, microphones and cameras.\r\nClipboard grabber: Retrieve data from the clipboard, such as files or text.\r\nExecute CS, VB, VBS, PS: Compile and run C# or VB code and run bat, VBS or PowerShell scripts on the victim’s system.\r\nDenial of Service (DoS): Perform a DoS attack from the victim’s computer.\r\nTake screenshots: Capture the victim’s screen and obtain the screen’s width and height.\r\nSteal Steam credentials: Target Steam users and attempt to steal the victim’s Steam credentials.\r\nRetrieve Telegram and Discord path: Obtain the installation path of Telegram and the path of Discord’s local database files.\r\nSystem info: Query and retrieve information about the victim such as IP address, hostname, country and more.\r\nPersistence: Maintain persistence by modifying the registry (the Winlogon and Run keys) and creating scheduled tasks.\r\nCommands\r\nThe malware receives commands from the C2 and dispatches them to the malicious functions inside the Class30 class, 
specifically inside the C7y method.\r\nhttps://muha2xmad.github.io/malware-analysis/dcrat/\r\nPage 1 of 24\n\nFigure: Commands and malicious functions\r\nThe method takes struct7_0 as input, which holds the command and its data taken from the dictionary2 dictionary. The RL4 method returns the command value from dictionary2. That value is hashed with SHA256, the first 4 bytes (32 bits) of the digest are converted to a uint, and the result is reduced modulo 1,000,000 to give a 6-digit command ID. This is done by the w_compute_SHA256_return_6_digits method; the commands table at the end of this post is keyed by these IDs.\r\nFigure: w_compute_SHA256_return_6_digits method\r\nThe implementation in Python:\r\nimport hashlib\r\nimport struct\r\ndef smethod_1(string_0):\r\n    # SHA256 over the UTF-8 bytes of the command string\r\n    sha256 = hashlib.sha256()\r\n    sha256.update(string_0.encode('utf-8'))\r\n    hash_hex = sha256.hexdigest()\r\n    # Convert the first 4 bytes (32 bits) of the hash to a little-endian uint, as the sample does\r\n    hash_value = struct.unpack('\u003cI', bytes.fromhex(hash_hex[:8]))[0]\r\n    # Calculate the 6-digit hash by taking modulo 1,000,000\r\n    result = hash_value % 1000000\r\n    return result\r\ninput_string = \"command\"\r\nhash_value = smethod_1(input_string)\r\nprint(\"Hash: {:06d}\".format(hash_value))\r\nPower options\r\nInside the ba1 method, the malware starts a process that reboots the victim’s device immediately using shutdown.exe /r /f /t 0.\r\nFigure: reboot the system immediately\r\nInside the Class25 method, the malware starts a process that logs off the current user with shutdown.exe /l /f /t 0.\r\nFigure: logoff the system immediately\r\nThe malware can also shut down the victim’s device.\r\nFigure: Shutdown the system immediately\r\nEnumerate operations\r\nEnumerate Processes and their executable\r\nInside the avS method, the malware enumerates the processes currently running on the system and retrieves the full path of the executable file associated with each 
process. The malware builds a dictionary holding:\r\nColumn: Description\r\nN: Name of the executable associated with the process (ProcessName + .exe).\r\nT: The window title of the process (WindowTitle + “ “).\r\nI: The process ID (processId + “ “).\r\nS: 1 when the process ID equals the ID of the current process, i.e. the malware’s own process.\r\nP: The full path to the executable file associated with the process, obtained with QueryFullProcessImageName. If the path cannot be retrieved, Memory is used as a placeholder.\r\nFigure: Enumerate Processes and retrieve their associated executable\r\nEnumerate Drives\r\nInside the W1W method, the malware retrieves information about the victim’s drives such as type, name, size and description. It builds a dictionary containing:\r\nColumn: Description\r\nT: Drive\r\nN: Drive name\r\nS: Size of the drive\r\nM: Description of the drive, including the volume label, drive type and drive format\r\nFigure: Enumerate Drives\r\nEnumerate folders\r\nInside the CmN method, the malware retrieves information about the files and directories within a specified directory and returns it in a structured format. 
If the entry is a directory/folder:\r\nColumn: Description\r\nT: Folder.\r\nN: The name of the directory.\r\nS: Empty string “”.\r\nM: The last modified time of the directory in the format dd.MM.yyyy HH:mm.\r\nIf the entry is a file:\r\nColumn: Description\r\nT: File.\r\nN: The name of the file.\r\nS: The size of the file.\r\nM: The last modified time of the file in the format dd.MM.yyyy HH:mm.\r\nFigure: Enumerate folders or files\r\nEnumerate screens\r\nThe malware enumerates the available screens and their device names.\r\nFigure: Enumerate screens\r\nEnumerate Cameras\r\nThe code retrieves information about the camera devices on the system.\r\nFigure: Enumerate cameras\r\nEnumerate Microphones\r\nThe malware retrieves information about the audio input devices through the Windows Multimedia API (winmm.dll) and returns a list of audio input device names.\r\nFigure: Enumerate Microphones\r\nClipboard grabber\r\nThe malware tries to grab data from the clipboard.\r\nFigure: grab data from Clipboard\r\nInside the GetText method, the malware retrieves text from the clipboard in a specified format such as UnicodeText, Text or HTML using Clipboard.GetDataObject(), which returns the current contents of the clipboard.\r\nFigure: How to grab data from Clipboard\r\nThe malware then saves the clipboard content: it checks for file drops with Clipboard.ContainsFileDropList() and saves them to a Clipboard [Files].txt file, or, if the content is text, saves it to a Clipboard [Text].txt file.\r\nFigure: Save Clipboard data\r\nShow notifications\r\nInside the atR method, the malware can show notifications on the victim’s computer such as information, warning, confirmation, or 
error.\r\nFigure: Show Message box with a text\r\nExecute CS, VB, VBS, PS\r\nThe malware can compile and run C# or Visual Basic code and run VBS, PowerShell and batch scripts on the victim’s computer.\r\nFirst, the malware checks the type to determine how the code will be executed. If the type is C# or VB:\r\nFor C# code it creates a CSharpCodeProvider instance, which compiles C# source code dynamically; for VB code it creates a VBCodeProvider instance, which does the same for VB source code.\r\nBefore compiling, the code configures the compilation through CompilerParameters, setting GenerateInMemory to true and GenerateExecutable to false, so the compiled code is generated in memory rather than written to disk as an executable file.\r\nIt then compiles the provided code with CompileAssemblyFromSource. If there are compilation errors, it collects the error number, line and error text.\r\nIf there are no errors, the malware creates an instance of the DCRAT.code class and invokes its Main method to execute the code dynamically.\r\nFigure: Check if the type is CS or VB\r\nFigure: Check if errors happen then execute\r\nIf the type is BAT (a batch .bat file), the malware writes the code from the dictionary[\"Code\"] value into a file with a random-string-generated name in the temp folder.\r\nThe batch file is run in one of two ways, chosen by the value of dictionary2[\"Hidden\"]:\r\n1. If dictionary2[\"Hidden\"] is true, the file runs without showing a command-line window.\r\n2. 
If dictionary2[\"Hidden\"] is false, the file runs with a visible command-line window.\r\nAfter execution, the batch file is deleted.\r\nFigure: How it runs the bat script\r\nIf it is a VBS script, the code runs it with cscript.exe, the Windows Script Host executable responsible for running VBS scripts. After execution, the script file is deleted.\r\nFigure: How it runs the VBS script\r\nIf it is a PowerShell (PS) script, the code runs it in a hidden window using powershell.exe.\r\nFigure: How it runs the PS script\r\nTake screenshots\r\nInside the uKl method, the malware takes screenshots of the victim’s screen and obtains the screen’s width and height.\r\nFigure: uKl method\r\nThe malware starts a thread that captures screenshots of the victim’s computer, stores each one as a JPEG byte array and uploads the files to the C2.\r\nFigure: Capture screenshots\r\nDownload File\r\nInside the Class19 method, the malware downloads a file from a given URL and saves it in a specified directory on the victim’s device.\r\nFigure: Download file\r\nRun a specific file\r\nInside the Class32 method, the malware runs a file on the victim’s computer by starting a process with a chosen window style: Hidden, Minimized or Maximized.\r\nFigure: run the downloaded file\r\nWrite bat file in temp\r\nThe malware writes a .bat file with a random-string-generated name in the temp path. 
The batch script written to the file is:\r\n@echo off\r\nw32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1\u003enul\r\nstart \"\" \"C:\\Users\\username\\Start Menu\\SearchProtocolHost.exe\"\r\ndel /a /q /f \"C:\\Users\\username\\AppData\\Local\\Temp\\\\sr3bn8JpP4.bat\"\r\n@echo off: ensures that the commands are not displayed in the console window while they are executed.\r\nw32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1\u003enul: uses the Windows Time service tool (w32tm) to sample the clock offset; /computer:localhost collects the samples from the local computer, /period:5 sets the interval between samples to 5 seconds, /dataonly displays only the data values, /samples:2 collects two samples, and 1\u003enul discards the output. Because the two samples are taken 5 seconds apart, the line acts as a delay before the next command, a common stand-in for a sleep in batch scripts.\r\nstart \"\" \"C:\\Users\\username\\Start Menu\\SearchProtocolHost.exe\": launches SearchProtocolHost.exe from the user’s Start Menu folder in a new process, with the empty quotes supplying an empty window title. The legitimate Windows binary of that name lives in System32, so this path is itself a useful indicator.\r\ndel /a /q /f \"C:\\Users\\username\\AppData\\Local\\Temp\\\\sr3bn8JpP4.bat\": deletes the .bat file itself.\r\nAfter writing the script into the BAT file, the malware launches it in a new process (with admin privileges).\r\nFigure: batch script\r\nDownload and execute\r\nIn this method, the malware downloads an exe file into the temp folder and executes it through a .bat file. The batch file starts the downloaded file (text) in a new process and then deletes the .bat file.\r\nFigure: Download an exe file and execute it\r\nDenial of Service DoS\r\nThe malware can perform a Denial of Service (DoS) attack from the victim’s computer. The malware will start a
The malware will start a\r\nnumber of threads as we will explain next.\r\nhttps://muha2xmad.github.io/malware-analysis/dcrat/\r\nPage 13 of 24\n\nFigure: Prepare threads to send a file\r\nFirst, the malware will start a thread to run the HF6 method. Inside this method, the malware will create a TCP connection\r\nwith the targeted remote host or IP address . And send a simple POST request to the target then sleep for 100 millisecondss.\r\nFigure: First thread to prepare the connection\r\nThen, the malware will launch a thread of method_0 method. In this method, the malware will start setting up a Socket\r\nfor sending UDP packets to the remote host using SendTo and The size of each packet is determined by the result of\r\nw_Generate_random_numbers()% 1000 + 1 . And between each packet, the thread sleeps for 100-millisecond .\r\nFigure: setting up a Socket for UDP flood attack\r\nIn third thread, it’s doing the same function but sending TCP packets to the remote host instead of UDP packets.\r\nhttps://muha2xmad.github.io/malware-analysis/dcrat/\r\nPage 14 of 24\n\nFigure: setting up a Socket for sending TCP packets\r\nSteal Steam credintialsPermalink\r\nAction How to\r\nGet Steam path Retrieve the value of SteamPath inside the SOFTWARE\\\\Valve\\\\Steam registry key.\r\nLanguage Retrieve the value of Language inside the SOFTWARE\\\\Valve\\\\Steam registry key.\r\nLogin Users Retrieve the value of AutoLoginUser inside the SOFTWARE\\\\Valve\\\\Steam registry key.\r\nSteam IDs Parse the loginusers.vdf file to obtain Steam user IDs.\r\nSteam Apps Retrieve a list of game names in the Steam gaming platform.\r\nFigure: Return Steam users\r\nFigure: Return Steam IDs\r\nGet Telegram pathPermalink\r\nThe malware will try to get the installation path of Telegram by searching for (\\\\w\\\\W.+)Telegram.exe using regex and\r\nget the path or by searching for specific parocesses names related to Telegram such as Telegram , Kotatogram and get\r\nthe get the executable path of the 
process using the w_QueryFullProcessImageName API.\r\nFigure: Get Telegram path\r\nGet Discord path\r\nIn this code, the malware determines the path of the local database files of Discord.\r\nFigure: Get Discord path\r\nSystem info\r\nInside the o4V method, the malware decodes aHR0cHM6Ly9pcGluZm8uaW8vanNvbg== from Base64, which gives https://ipinfo.io/json. The code queries this service to retrieve information about the victim such as IP, hostname, country and more.\r\nFigure: Retrieve info such as IP or the location\r\nThen, inside the method_1 method, the malware retrieves additional information such as PCName, UserName, WindowsVersion, ACTiveWindow and much more.\r\nFigure: Retrieve additional info\r\nThe retrieved information is saved to a .txt file and sent to the C2.\r\nPersistence\r\nThe malware tries to survive reboots and stay undetected while carrying out its malicious activities. It uses two methods: scheduled tasks and registry modification.\r\n1. Scheduled tasks: the malware runs schtasks.exe to create them.\r\nThe first command creates a new scheduled task for our sample, triggered every minute with a random delay of between 5 and 15 seconds.\r\nThe second command does the same but sets the trigger to user logon and sets the run level of the task to HIGHEST.\r\nFigure: Create scheduled tasks for persistence\r\nThe malware can also delete the scheduled tasks when needed.\r\nFigure: Delete scheduled tasks\r\n2. 
The second way is to modify the registry:\r\nIt opens the Software\\Microsoft\\Windows\\CurrentVersion\\Run key and adds a value named after the sample (without extension) whose data is \"path/to/sample/fullsamplename\".\r\nIt opens Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon, reads the Shell value and appends \"path/to/sample/fullsamplename\" to it. The Shell value determines which program is used as the system shell when a user logs into Windows; on a clean system it reads explorer.exe, so any extra entry there is a strong indicator.\r\nFigure: modify registries\r\nHere we can see that the malware deletes the registry entries it added earlier.\r\nFigure: Delete registries\r\nConfiguration decryption\r\nIn the next figure we see the config_dec method, which contains a base64 string beginning with H4sIAA*, the base64 encoding of a gzip header.\r\nFigure: encoded string starts with zipped string\r\nFollowing the embee-research blog (see Ref), the configuration is decoded as follows: decode the base64 string, decompress (gunzip) it, reverse the characters of the result, then decode that from base64 again.\r\nOpen CyberChef and paste the encoded string as input with the recipe:\r\nFrom Base64 + Gunzip + Reverse + From Base64 + Unescape string (to remove the \\ characters).\r\nFigure: decoded configuration from config_dec\r\nFrom the decoded configuration we learn that:\r\nThe SCRT and PCRT dictionaries are used to decode other strings, as we will see later in the post.\r\nMutex: qrXivo3mkbeXpHSqt4kC\r\nEnabled features:\r\n cookies\r\n passwords\r\n forms\r\n cc\r\nScrolling down, we see another base64 string, again beginning with the base64-encoded gzip header (H4sIAA*).\r\nThe malware decodes this base64 string and decompresses (gunzips) it. 
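The complete c2_config pipeline written out as an added example; this is not code from the original post or from the sample. It decodes a blob with the base64, gunzip, SCRT substitution, reverse and base64 steps, and it includes the inverse encoder so that the round trip can be checked offline. The SCRT table, the configuration dictionary and the function names below are constructed stand-ins (a documentation IP replaces the real C2); only the @==AbhNnclZXauVlclZnclNXZulGT tag, which the post shows in the H1 value, is taken from the post. The substitution uses str.translate so that every character is mapped exactly once; a loop of str.replace calls would re-map a character whose replacement happens to be the key of another entry.

```python
import base64
import gzip
import json

# Constructed stand-in for the SCRT table recovered from config_dec: each key is a
# base64-alphabet character and each value is the symbol that replaces it in the blob.
SCRT = {'Q': ')', 'a': '_', 'm': '(', 'I': '^', 'M': '`', 'j': '$', 'v': '#',
        'Y': ' ', 'h': '@', '8': '!', '4': '|', 's': '&', 'D': '~'}

# Constructed sample configuration in the shape of the decoded c2_config
# (H1/H2 beacon entries, T transport flag). 192.0.2.10 is a documentation
# address; the tag after @ is the one the post shows in the real H1 value.
SAMPLE_CONFIG = {
    'H1': 'http://192.0.2.10/@==AbhNnclZXauVlclZnclNXZulGT',
    'H2': 'http://192.0.2.10/@==AbhNnclZXauVlclZnclNXZulGT',
    'T': '0',
}


def reversed_base64_decode(text):
    # Several strings in the sample are base64 written backwards.
    return base64.b64decode(text[::-1]).decode('utf-8')


def encode_c2_config(config, scrt=SCRT):
    # Inverse of decode_c2_config, so the pipeline can be exercised offline:
    # json -> base64 -> swap keys for their symbols -> reverse -> gzip -> base64.
    b64 = base64.b64encode(json.dumps(config).encode('utf-8')).decode('ascii')
    obfuscated = b64.translate(str.maketrans(scrt))
    packed = gzip.compress(obfuscated[::-1].encode('utf-8'))
    return base64.b64encode(packed).decode('ascii')


def decode_c2_config(blob, scrt=SCRT):
    # Stage 1: base64 decode and gunzip (a blob beginning with H4sI is a gzip header).
    inner = gzip.decompress(base64.b64decode(blob)).decode('utf-8')
    # Stage 2: restore the base64 alphabet: every symbol (value) becomes its key.
    # str.translate maps each character once in a single pass, so a symbol that
    # is also the key of another entry cannot be rewritten twice.
    restored = inner.translate(str.maketrans({v: k for k, v in scrt.items()}))
    # Stages 3 and 4: reverse, then base64 decode the recovered JSON.
    return json.loads(reversed_base64_decode(restored))


def c2_endpoint(h1):
    # H1 has the form http://host/@<reversed base64>; the tag after @ names the
    # server-side script that the beacon URL is built from.
    base, _, tag = h1.partition('@')
    return base, reversed_base64_decode(tag)


if __name__ == '__main__':
    blob = encode_c2_config(SAMPLE_CONFIG)
    print('encoded blob:', blob)
    config = decode_c2_config(blob)
    print('decoded config:', config)
    print('endpoint:', c2_endpoint(config['H1']))
```

To use it on a real sample, lift the blob from c2_config and pass the SCRT table recovered from that sample's config_dec as the scrt argument; the encoder is only there to produce test input.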
Then the malware takes the [\"SCRT\"] dictionary from the previously decoded config_dec string and uses it to replace characters in the decompressed c2_config string, reverses the characters of the result, and decodes it from base64 once more.\r\nFigure: encoded configuration from c2_config\r\nInside the w_replace_values method we can see that it replaces the values found in the decoded c2_config string with the corresponding [\"SCRT\"] dictionary keys.\r\nFigure: Replacing values with keys c2_config inside w_replace_values\r\nWe can use this script to decode the encoded string and recover the C2 (the dictionary and the encoded string are truncated here):\r\nimport base64, gzip\r\n# SCRT dictionary obtained from the previous decoding step\r\nA1 = {\"SCRT\":{\"Q\":\")\",\"a\":\"_\",\"m\":\"(\",\"I\":\"^\",\"M\":\"`\",\"j\":\"$\",\"v\":\"#\",\"Y\":\" \",\"h\":\"@\",\"8\":\"!\",\"4\":\"|\",\"s\":\"\u0026\",\"D\":\"~\",\"1\":\r\n# Encoded string taken from the c2_config method\r\nzip_encoded = \"H4sIAAAAAAAEABXMwQqCMBgA4FdRUpnixIuBuGQrNJGBkOKhw6/YOoykvIyNCJ89PX6X7xS/QYNspD+DB5e+MlgMdO48gqbBuJZ37wWlM97\r\n# First stage: base64 decode, gunzip and decode the bytes to text\r\nunzip_decoded = gzip.decompress(base64.b64decode(zip_encoded)).decode()\r\n# print(unzip_decoded)\r\n# Obtain the SCRT dictionary\r\ndictionary = A1[\"SCRT\"]\r\n# print(dictionary)\r\n# Use the dictionary to perform a search/replace, making sure to replace each value with its key\r\n# and not the other way around (the values are symbols outside the base64 alphabet, so the\r\n# order of the replacements does not matter here)\r\nfor i in dictionary:\r\n    unzip_decoded = unzip_decoded.replace(dictionary[i], i)\r\n# print(\"First round of decoding: \\n\" + unzip_decoded + \"\\n\")\r\n# Reverse the whole string\r\nreverse_unzip_decoded = unzip_decoded[::-1]\r\n# base64 decode again\r\ndecoded = base64.b64decode(reverse_unzip_decoded)\r\n# print the result\r\nprint(\"Second round of decoding: \\n\" + str(decoded))\r\nThe output will 
be:\r\nb'{\"H1\":\"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT\",\"H2\":\"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT\",\"T\":\"\r\nAfter decoding the C2 configuration, the malware generates a random number between 100 and 10000 and pauses the thread for that randomly generated amount of time.\r\nC2 communications\r\nAfter resuming the thread, the malware checks whether T in the C2 config is 1 (in our case it is 0). If T is 1, the malware uses WebClient to make HTTP requests with a custom User-Agent header and a specific MIME type in the request.\r\nFigure: WebClient to make HTTP requests\r\nInside the sAA method:\r\nFigure: sAA method\r\nFirst, the malware generates a random text consisting of two parts, each between 2 and 32 characters long, separated by =, and stores it in the text variable for later use.\r\nFigure: Generate random text\r\nThen we enter the for loop: method_0 contains \"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT\" and method_1 contains the same value. The request URL is constructed as follows:\r\n1. text2 contains the C2 \"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT\".\r\n2. text3 is the part before @, i.e. \"http://77[.]246[.]107[.]91/\".\r\n3. The ==AbhNnclZXauVlclZnclNXZulGT part of the URL is reversed and then base64-decoded, giving LineserverUniversal, which is stored in text4.\r\n4. Create the MD5 hash of 77.246.107.91gettoken.\r\n5. Create the MD5 hash of 77.246.107.91.\r\n6. Create the MD5 hash of 77.246.107.91token_uid.\r\n7. 
The value of the zl3.x83 variable is determined by the d51 method, which takes the mutex [\"MUTEX\"] \"DCR_MUTEX-qrXivo3mkbeXpHSqt4kC\" as a parameter.\r\n8. var_version_number contains 4.5.33.\r\n9. The D9a method gathers the OS, the system directory, MachineName, username, process count, OS type, the current user’s path and the total size of the drives; the result is hashed with SHA1.\r\n10. Get_MachineName returns the MachineName, such as FOLAN-PC.\r\n11. Get_UserName returns the UserName, such as folan.\r\n12. The mutex \"DCR_MUTEX-qrXivo3mkbeXpHSqt4kC\" is hashed with SHA1.\r\n13. After obtaining the value of zl3.x83, it is transformed with SHA1 + SHA1 again + Base64 (with the trailing = removed) + reversed characters.\r\nAfter these operations, the request URL looks like this:\r\nhttp://77[.]246[.]107[.]91/LineserverUniversal[.]php?S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR\u0026bac6c8eb8980430e52de074e8ac708b2=d150a0b3e170c11c5606292418404eed\u002666aba1f0bc95f01c05b9d5c9b7ca2004\r\n1. text3: http://77[.]246[.]107[.]91/\r\n2. text4: LineserverUniversal + .php?\r\n3. text: S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR + \u0026\r\n4. MD5 hash of 77.246.107.91gettoken: bac6c8eb8980430e52de074e8ac708b2 + =\r\n5. MD5 hash of 77.246.107.91: d150a0b3e170c11c5606292418404eed + \u0026\r\n6. MD5 hash of 77.246.107.91token_uid: 66aba1f0bc95f01c05b9d5c9b7ca2004 + =\r\n7. The value of zl3.x83: AMkVWZ0QTZjRzN5IWZ0YjN5IDOihDNwATY3kTMzMWO1MWN2M2NxEzY + \u0026\r\n8. 
text: S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR\r\nCommands table\r\nThe hashes are the 6-digit command IDs computed by w_compute_SHA256_return_6_digits (the U suffix is the C# uint literal marker from the decompiler).\r\nHash: Action\r\n489540U, 214916U: Take screenshot, mouse events, keyboard events\r\n18691U: Create a Zip of a directory\r\n134266U: Reboot the system\r\n281864U: Shut down the system\r\n334551U: Log off the current user\r\n379238U: Enumerate processes and their executables\r\n414986U, 12926U: Download file\r\n526922U: Run a process\r\n549717U: Enumerate drives\r\n677710U: Run shell command\r\n750724U: Delete all files from the PC\r\n859704U: Uninstall malware\r\n872468U: Show MessageBox window\r\n909989U: Create a new directory\r\n911819U: Retrieve file or process properties\r\n950881U: Retrieve info about a specific folder\r\n38889U: Clipboard grabber\r\n44265U: Download and execute file\r\n160478U: Send UDP and TCP packets to a given IP (DDoS)\r\n154753U: Download and execute cs, vb, vbs, ps, bat\r\n788583U: Put text in clipboard\r\n119627U: Open a URL\r\n172941U, 343584U: Kill a process\r\n204675U: Show files of a directory\r\n225809U: Create a paused notepad.exe process\r\n299365U: Run file\r\n322482U: Resume threads\r\n940389U: Suspend threads\r\n516557U: Delete directory\r\n739465U: Copy directory\r\n290226U: Move a file\r\n687473U: Extract a zip file\r\n163489U: Upload file to C2\r\n922147U: Send collected info, plugins, clipboard data\r\nYara\r\nrule DCRat {\r\n    meta:\r\n        author = \"Muhammad Hasan Ali @muha2xmad\"\r\n        date = \"2023-09-03\"\r\n        description = \"YARA rule for DCRat indicators\"\r\n    strings:\r\n        $str001 = \"cao28Fn172GnuaZvuO_OnSystemInfoO29PluginI2bG7\" fullword wide\r\n        $str002 = \"uploadsafefile_name\" fullword wide\r\n        $str003 = \"uploadfile_name\" fullword wide\r\n        $str004 = \"searchpath\" fullword wide\r\n        $str005 = \"runas\" fullword wide\r\n        $str006 = \"@@EXTRACTLOCATION\" fullword wide\r\n        $str007 = \"@@EXTRACT_EXISTING_FILE\" fullword wide\r\n        $str008 = \"@@POST_UNPACK_CMD_LINE\" fullword wide\r\n        $str009 = 
\"@@REMOVE_AFTER_EXECUTE\" fullword wide\r\n        $str010 = \"ACTWindow\" fullword wide\r\n        $str011 = \"Clipboard [Files].txt\" fullword wide\r\n        $str012 = \"Clipboard [Text].txt\" fullword wide\r\n        $str013 = \"ConfigPluginName\" fullword wide\r\n        $str014 = \"saving....\" fullword wide\r\n        $str015 = \"DCRat-Log#\" fullword wide\r\n        $str016 = \"DCRat.Code\" fullword wide\r\n        $str017 = \"EncTable\" fullword wide\r\n        $str018 = \"OldPath\" fullword wide\r\n        $str019 = \"[Clipboard] Saving information...\" fullword wide\r\n        $str020 = \"[Plugin] Invoke:\" fullword wide\r\n        $str021 = \"[Screenshot] Saving screenshots from\" fullword wide\r\n        $str022 = \"[SystemInfromation] Saving information...\" fullword wide\r\n        $str023 = \"stealerlogstatus\" fullword wide\r\n        $API01 = \"UseShellExecute\" fullword ascii wide\r\n        $API02 = \"FromBase64String\" fullword ascii wide\r\n        $API03 = \"GZipStream\" fullword ascii wide\r\n        $API04 = \"GetTempPath\" fullword ascii wide\r\n        $API05 = \"SHA1Managed\" fullword ascii wide\r\n        $API06 = \"SHA256Managed\" fullword ascii wide\r\n        $dir1 = \"%AppData% - Very Fast\\\\AppData\\\\\" fullword wide\r\n        $dir2 = \"%SystemDrive% - Slow\" fullword wide\r\n        $dir3 = \"%UsersFolder% - Fast\" fullword wide\r\n        $dir4 = \"%AppData% - Very Fast\\\\AppData\\\\\" fullword wide\r\n        $dir5 = \"%UsersFolder% - Fast\" fullword wide\r\n        $dir6 = \"%AppData% - Very Fast\\\\AppData\\\\\" fullword wide\r\n        $ext01 = \".bat\" fullword wide\r\n        $ext02 = \".vbs\" fullword wide\r\n        $ext03 = \".zip\" fullword wide\r\n        $ext04 = \".jpg\" fullword wide\r\n        $ext05 = \".exe\" fullword wide\r\n\r\n        $comm = \"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1\u003enul\" fullword wide\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and (15 of ($str*) and 5 of ($API*) and 3 of ($dir*) and 3 of ($ext*) and ($comm))\r\n}\r\nIoCs\r\nSample SHA256 hash: 
80e9df6cbe742866f0a88ea550f4b66498417506b8b8b7a88ffd180f67056670\r\nC2 and path: http://77[.]246[.]107[.]91/LineserverUniversal[.]php\r\nQuote\r\n[Arabic verse, garbled in extraction]\r\nCompleted by the grace of God and with His help.\r\nRef\r\nembee-research: Dcrat Deobfuscation - How to Manually Decode a 3-Stage .NET Malware\r\nSource: https://muha2xmad.github.io/malware-analysis/dcrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/malware-analysis/dcrat/"
	],
	"report_names": [
		"dcrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ec4a51d7da1ab2a877a5a7bbff3981aacee6738.pdf",
		"text": "https://archive.orkl.eu/0ec4a51d7da1ab2a877a5a7bbff3981aacee6738.txt",
		"img": "https://archive.orkl.eu/0ec4a51d7da1ab2a877a5a7bbff3981aacee6738.jpg"
	}
}