A deep dive into DCRAT/DarkCrystalRAT malware
By Muhammad Hasan Ali
Published: 2023-08-30 · Archived: 2026-04-05 22:26:57 UTC
20 minute read
بسم الله الرحمن الرحيم
FreePalestine
IntroductionPermalink
Dark Crystal RAT or DCRat is a typical RAT that has been around since at least June 2019. The RAT has ability to do many
malicious code such as Power options like shutdown, reboot, or logoff the system, Enumerate operations like enumerate
processes, folders, or drives, Execute code like CS, VB, VBS, PS, and create Denial of Service DoS. We will start to deep
dive into its capabilities in this blog.
Technical summaryPermalink
Action Description
Power options Reboot and shutdown the system and log off the current user.
Enumerate operations
Enumerate processes and retrieve information such as executable paths, folders, drives,
screens, microphones, and cameras.
Clipboard grabber Retrieve data from the clipboard, such as files or text.
Execute CS, VB, VBS, PS
Run and compile code inside the victim’s system, including C#, VB code, and scripts in
bat, VBS, or PS.
Denial of Service (DoS) Perform a Denial of Service (DoS) attack using the victim’s computer.
Take screenshots
Capture screenshots from the victim’s computer screen and obtain the screen’s width
and height.
Steal Steam credentials
Target Steam gaming platform users and attempt to steal Steam credentials from the
victim’s user.
Retrieve Telegram and
Discord path
Obtain the installation path of Telegram and the path of local database files of Discord.
System info
Query and retrieve information about the victim, such as IP address, hostname, country,
and more.
Persistence Maintain persistence by modifying the registry, such as the Winlogon and run registry
keys, and create scheduled tasks.
CommandsPermalink
The malware get commands from C2 to do malcious functions inside Class30 class, specifically inside C7y method.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 1 of 24

Figure: Commands and malicious functions
The malware gets the struct7_0 as an input which contains values of command and data from dictionary2
dictionary. The value of command from dictionary2 dictionary is returned by RL4 method. Then the value is hashed
using SHA256 then take the first 4 bytes (32 bits) of the hash and convert to a uint then calculate the 6-digit hash by
taking modulo ( % ) 1,000,000.
This done by w_compute_SHA256_return_6_digits method.
Figure: w_compute_SHA256_return_6_digits method
The implementation in python.
import hashlib
import struct
def smethod_1(string_0):
 sha256 = hashlib.sha256()
 sha256.update(string_0.encode('utf-8'))
 hash_hex = sha256.hexdigest()
 # Convert the first 4 bytes (32 bits) of the hash to a uint
 hash_value = struct.unpack('<I', bytes.fromhex(hash_hex[:8]))[0]
 # Calculate the 6-digit hash by taking modulo 1,000,000
 result = hash_value % 1000000
 return result
input_string = "command"
hash_value = smethod_1(input_string)
print("Hash: {:06d}".format(hash_value))
Power optionsPermalink
Inside ba1 method, The malware starts a process which can reboot the victim’s device immediately using shutdown.exe
/r /f /t 0 .
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 2 of 24

Figure: reboot the system immediately
Or inside Class25 method, the malware starts a process which can but logoff the system shutdown.exe /l /f /t 0
Figure: logoff the system immediately
Or the malware can shutdown the the victim’s device
Figure: Shutdown the system immediately
Enumerate operationsPermalink
Enumerate Processes and their executablePermalink
Inside avS method, the malware has the ability to enumerate the currently running processes on the system and retrieve the
full path to the executable file associated with the process. The malware setup a dictionary which holds:
Column Value Description
N Name of the executable associated with the process (ProcessName + .exe ).
T The window title of the process (WindowTitle + “ “).
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 3 of 24

Column Value Description
I The process ID (processId + “ “).
S 1 when the process ID is the same as the ID of the current process, which is the malware process.
P
The full path to the executable file associated with the process using QueryFullProcessImageName . If it
fails to retrieve the full path, Memory is used as a placeholder.
Figure: Enumerate Processes and retrieve thier associated executable
Enumerate DrivesPermalink
Inside W1W method, the malware has the ability to retrieve information about drivers of the victim’s computer such as
type , name , size , and description .
It startup a dictionary which contains:
Column Value Description
T Drive
N Drive name
S Size of the drive
M Description of the drive, including the volume label, drive type, and drive format
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 4 of 24

Figure: Enumerate Drives
Enumerate foldersPermalink
Inside CmN method, this method retrieve information about files and directories within a specified directory and return that
information in a structured format. If it’s a directory/folder:
Column Value Description
T Folder .
N the name of the directory.
S empty string “”.
M the last modified time of the directory in the format dd.MM.yyyy HH:mm .
If it’s a file:
Column Value Description
T File .
N the name of the file.
S the size of the file.
M the last modified time of the file in the format dd.MM.yyyy HH:mm .
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 5 of 24

Figure: Enumerate folders or files
Enumerate screensPermalink
The malware will try to enumerate number of available screens and their device names.
Figure: Enumerate screens
Enumerate CamerasPermalink
The code will retrieve info about the camera devices on the system.
Figure: Enumerate cameras
Enumerate MicrophonesPermalink
The malware will retrieve info about the audio input devices using the Windows Multimedia API ( winmm.dll ) and return a
list of audio input device names.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 6 of 24

Figure: Enumerate Microphones
Clipboard grabberPermalink
The malware will try to grab data from Clipboard.
Figure: grab data from Clipboard
Inside the GetText method, the malware retrieves text data from the clipboard in a specified format such as UnicodeText ,
Text , HTML by using Clipboard.GetDataObject() which retrieve the current contents of the clipboard.
Figure: How to grab data from Clipboard
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 7 of 24

The malware will try to save the content of the clipboard and It checks if there are file drops in the clipboard using
Clipboard.ContainsFileDropList() to save it to Clipboard [Files].txt file or it checks if it’s text to save it to
Clipboard [Text].txt file.
Figure: Save Clipboard data
Show notificationsPermalink
Inside atR method, the malware can show notifications on the victim’s computer such as information, warning,
confirmation, or error.
Figure: Show Message box with a text
Execute CS, VB, VBS, PSPermalink
The malware can compile and run code such as C# or Visual Basic , run VBS script, powershell script, and batch script
inside the victim’s computer.
First, the malware will check the type to determine how it will be executed. If its type is C# or VB :
If it’s C# code, it creates a CSharpCodeProvider instance which allows you to dynamically compile C# source code. If
it’s a VB code, it creates a VBCodeProvider instance which allows you to dynamically compile VB source code.
Before compiling using CSharpCodeProvider or VBCodeProvider , the code configures the compilation process by using
CompilerParameters . The parameters are GenerateInMemory and GenerateExecutable .
It sets GenerateInMemory to true and sets GenerateExecutable to false to make sure that the compiled code is
generated inside the memory not compiled as an executable file on disk.
Then compile the provided code using CompileAssemblyFromSource . If there are compilation errors, it collects the error
number, line, and error text.
If there are no errors, the malware creates an instance of the class DCRAT.code and invoke the Main method to execute the
code dynamically.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 8 of 24

Figure: Check if the type is CS or VB
Figure: Check if errors happen then execute
If the Type is BAT which is batch .bat file, the malware will write the code from dictionary["Code"] value in the
random-string-generated file which located in the temp file.
The code will run the batch file using two ways which are determined by the value of dictionary2["Hidden"] :
1. If the value of dictionary2["Hidden"] if true , It means that the file will run and won’t show the command-line
window.
2. If the value of dictionary2["Hidden"] if false , the file will run and will show the command-line window.
After executing the file, the batch file will be deteted.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 9 of 24

Figure: How it runs the bat script
If it’s VBS script, the code will run the VBS script using cscript.exe which is Windows Script Host executable which is
resposible for running VBS scripts.
After executing the file, the batch file will be deteted.
Figure: How it runs the VBS script
If it’s a powershell PS script, the code will run the PS script in a hidden window using powershell.exe .
Figure: How it runs the PS script
Take screenshotsPermalink
Inside the uKl method, the malware has the ability to take screenshots from the victim’s computer screen and get the width
and hight of the screen.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 10 of 24

Figure: uKl method
The malware will start a thread to start taking screenshots from the victim’s computer and save it a byte array of JPEG
format, then upload files to the C2.
Figure: Capture screenshots
Download FilePermalink
Inside Class19 method, the malware can download a file from a specific URL and save the file inside a specific directory
inside the victim’s device.
Figure: Downlaod file
Run a specific filePermalink
Inside Class32 method, the malware can run a file from victim’s computer by starting a process with different
windowstyle such as the window is Hidden , Minimized , or Maximized .
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 11 of 24

Figure: run the downlaoded file
Write bat file in tempPermalink
The malware write a .bat file with a random-string-generated name in the temp path. And write this batch script in the
.bat file:
@echo off
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul
start "" "C:\Users\username\Start Menu\SearchProtocolHost.exe"
del /a /q /f "C:\Users\username\AppData\Local\Temp\\sr3bn8JpP4.bat"
@echo off : It ensures that the commands are not displayed in the console window while they are executed.
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul : This command uses the
Windows Time Service ( w32tm ) to retrieve time-related information, /computer:localhost Specifies that the
time-related information should be collected from the local computer, /period:5 get the data collection period to 5
seconds, /dataonly get only the data values should be displayed, /samples:2 Specifies the number of samples to
collect, and 1>nul not to show any output.
start "" "C:\Users\username\Start Menu\SearchProtocolHost.exe" : launch a new process of the
SearchProtocolHost.exe and the window has an empty title.
del /a /q /f "C:\Users\username\AppData\Local\Temp\\sr3bn8JpP4.bat" : Then delete the .bat file.
After writing the script into the BAT file, it is launched in a new process (with admin privileges).
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 12 of 24

Figure: batch script
Downlaod and executePermalink
In this method, the malware will download an exe file inside the temp folder, and execute the file using batch .bat file.
Inside the batch file, it starts the downloaded file ( text ) in a new process and then delete the .bat file.
Figure: Downlaod a exe file and execute it
Denial of Service DoSPermalink
The malware has the ability to perform a Denial of Service DoS attack using victim’s computer. The malware will start a
number of threads as we will explain next.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 13 of 24

Figure: Prepare threads to send a file
First, the malware will start a thread to run the HF6 method. Inside this method, the malware will create a TCP connection
with the targeted remote host or IP address . And send a simple POST request to the target then sleep for 100 millisecondss.
Figure: First thread to prepare the connection
Then, the malware will launch a thread of method_0 method. In this method, the malware will start setting up a Socket
for sending UDP packets to the remote host using SendTo and The size of each packet is determined by the result of
w_Generate_random_numbers()% 1000 + 1 . And between each packet, the thread sleeps for 100-millisecond .
Figure: setting up a Socket for UDP flood attack
In third thread, it’s doing the same function but sending TCP packets to the remote host instead of UDP packets.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 14 of 24

Figure: setting up a Socket for sending TCP packets
Steal Steam credintialsPermalink
Action How to
Get Steam path Retrieve the value of SteamPath inside the SOFTWARE\\Valve\\Steam registry key.
Language Retrieve the value of Language inside the SOFTWARE\\Valve\\Steam registry key.
Login Users Retrieve the value of AutoLoginUser inside the SOFTWARE\\Valve\\Steam registry key.
Steam IDs Parse the loginusers.vdf file to obtain Steam user IDs.
Steam Apps Retrieve a list of game names in the Steam gaming platform.
Figure: Return Steam users
Figure: Return Steam IDs
Get Telegram pathPermalink
The malware will try to get the installation path of Telegram by searching for (\\w\\W.+)Telegram.exe using regex and
get the path or by searching for specific parocesses names related to Telegram such as Telegram , Kotatogram and get
the get the executable path of the process using w_QueryFullProcessImageName API.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 15 of 24

Figure: Get Telegram path
Get Discord pathPermalink
In this code, it determines the path of the local Database files of Discord .
Figure: Get Discord path
System infoPermalink
Inside the o4V method, the malware will decode the aHR0cHM6Ly9pcGluZm8uaW8vanNvbg== from Base64 which its value
will be https://ipinfo.io/json . The code will query and retrieving information about the victim such as IP ,
hostname , country , and more.
Figure: Retrieve info such as IP or the location
Then inside method_1 method, the malware will retrieve additional info such as PCName , UserName , WindowsVersion ,
ACTiveWindow and much more
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 16 of 24

Figure: Retrieve additional info
Then save the retreived info and save it to a .txt file and send it to the C2.
PersistencePermalink
The malware will try to stay active when the system is rebooted and stay undetected to do its malicious activities.
The malware uses two methods: using scheduled task and edit registry.
1. The malware will execute using schtasks.exe to create scheduled task.
The first command, it creates a new scheduled task with the our sample, The task is trigger every minute with
a random delay between (5, 15) seconds.
the second command, it does the first command and specifies that the task will run when the user logs on, sets
the privilege of the task to HIGHEST
Figure: Create scheduled tasks for persistence
The malware can delete the scheduled tasks for some reasons.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 17 of 24

Figure: Delete scheduled tasks
1. the second way is to modify registries
Opens the Software\Microsoft\Windows\CurrentVersion\Run key, add a registry its name is the sample
name without extension, and its value is the "path/to/sample/fullsamplename" .
Opens "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon , retrieve the value of Shell
registry, then append the "path/to/sample/fullsamplename" . Shell registry determines which program is
used as the system shell when a user logs into Windows.
Figure: modify registries
Here we can see that the malware deletes the added registries from before.
Figure: Delete registries
Configuration decryptionPermalink
In the next figure, We see the method config_dec which contains a base64 string which starts with a base64 encoded
zipped string ( H4sIAA* ).
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 18 of 24

Figure: encoded string starts with zipped string
From embee-research blog, we will try to explain how the malware encodes the configuration. First, We will decode the
base64 string then we will decompress (unzip) it. Then we will reverse the characters of the string then we decode the result
from base64 string.
Open CyberChef and put the encoded string in input :
From Base64 + Gunzip + reverse + From Base64 + unescape string ( to clean the string from \ ).
Figure: decoded configuration from config_dec
From the decoded Configuration, we can get that:
SCRT and PCRT dictionaries is used to decrypt another strings as we will see in the blog.
Mutex: qrXivo3mkbeXpHSqt4kC
Enabled features:
Expand to see more
 cookies
 passwords
 forms
 cc
When we scroll down, we see another base64 string which starts with base64 encoded zipped string ( H4sIAA* ).
The malware decode the base64 string then decompresses (unzip) it. Then the malware uses the previous decoded string
from config_dec and get ["SCRT"] dictionary to use it to replace values from the decoded string in c2_config method
with ["SCRT"] dictionary. Then reverse the characters of the string. Then we decode it from base64 again.
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 19 of 24

Figure: encoded configuration from c2_config
As we can see inside the w_replace_values method, we see that it replaces values of the decoded string of c2_config
with the ["SCRT"] dictionary keys.
Figure: Replacing values with keys c2_config inside w_replace_values
we can use this script to decode the encoded string and get the C2.
import base64,gzip
#Create Dictionary obtained from previous decoding
A1 = {"SCRT":{"Q":")","a":"_","m":"(","I":"^","M":"`","j":"$","v":"#","Y":" ","h":"@","8":"!","4":"|","s":"&","D":"~","1":
#Store string from from encoding
zip_encoded = "H4sIAAAAAAAEABXMwQqCMBgA4FdRUpnixIuBuGQrNJGBkOKhw6/YOoykvIyNCJ89PX6X7xS/QYNspD+DB5e+MlgMdO48gqbBuJZ37wWlM97
unzip_decoded = str(gzip.decompress(base64.b64decode(zip_encoded)))
# print(unzip_decoded)
#Obtain the SCRT Dictionary
dictionary = A1["SCRT"]
# print(dictionary)
#Use the dictionary to perform a search/replace
#Making sure to replace the Value with the Key
# and not the other way around
for i in dictionary:
 unzip_decoded = unzip_decoded.replace(dictionary[i],i)
# print("First round of Decoding: \n" + unzip_decoded + "\n")
#Reverse the string
reverse_unzip_decoded = unzip_decoded[-1:0:-1]
#base64 decode again
decoded = base64.b64decode(reverse_unzip_decoded)
#print the result
print("Second round of decoding: \n" + str(decoded))
The output will be:
b'{"H1":"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT","H2":"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT","T":"
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 20 of 24

After the malware decode the C2 configuation, the malware generate a random number between (100, 10000) to pause the
thread for that randomly generated amount of time.
C2 communicationsPermalink
After resuming the thread, the malware checks if T in the C2 config is 1 which in our case is 0 . If the T is 1 , the
malware uses WebClient to make HTTP requests using a custom User-Agent header and specify a specific MIME type in
the request.
Figure: WebClient to make HTTP requests
Inside the sAA method
Figure: sAA method
First, the malware generate a random text which cosists of two parts each part contains number of characters between ( 2 ,
32 ) and separate the two parts with = . Then save it in text variable which will be used later.
Figure: Generate random text
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 21 of 24

Then we enter the for loop , method_0 contains "http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT" and
method_1 contains "http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT" . We will try to explain how the
malware construct the URL request
1. The text2 contains the C2 "http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT" .
2. Split text3 with @ , then text3 conatins "http://77[.]246[.]107[.]91/" .
3. The malware will decode the ==AbhNnclZXauVlclZnclNXZulGT string within the URL which is reversed and then
decoded form base64 which will be LineserverUniversal . The text4 contains LineserverUniversal .
4. Create MD5 hash of 77.246.107.91gettoken .
5. Create MD5 hash of 77.246.107.91 .
6. Create MD5 hash of 77.246.107.91token_uid
7. The value of zl3.x83 variable is determined by:
the d51 method has ["MUTEX"] the mutex as a parameter "DCR_MUTEX-qrXivo3mkbeXpHSqt4kC" .\
8. var_version_number contains 4.5.33
9. from D9a method we get that, get the OS, get the system directory, MachineName, username, process count, type of
OS, path to the current user, total size of drivers. Then the value will be hashed using SHA1 .
10. Get_MachineName has the MachineName such as FOLAN-PC .
11. Get_UserName has the UserName such as folan .
12. The value of the mutex "DCR_MUTEX-qrXivo3mkbeXpHSqt4kC" is hashed using SHA1 .
13. After getting the value of zl3.x83 , the value will be decrypted using SHA1 + SHA1 again + To Base64 (and
remeove = at the end) + reverse characters.
After these operations, the URL request will be like this:
http://77[.]246[.]107[.]91/LineserverUniversal[.]php?
S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR&bac6c8eb8980430e52de074e8ac708b2=d150a0b3e170c11c5606292418404eed&66aba1f0bc95f01c05b9d5c9b7ca2004
1. text3 : http://77[.]246[.]107[.]91/
2. text4 : LineserverUniversal + .php?
3. text : S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR + &
4. MD5 hash of 77.246.107.91gettoken : bac6c8eb8980430e52de074e8ac708b2 + =
5. MD5 hash of 77.246.107.91 : d150a0b3e170c11c5606292418404eed + &
6. MD5 hash of 77.246.107.91token_uid = 66aba1f0bc95f01c05b9d5c9b7ca2004 + =
7. The value of zl3.x83 : AMkVWZ0QTZjRzN5IWZ0YjN5IDOihDNwATY3kTMzMWO1MWN2M2NxEzY + &
8. text : S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR
Commands tablePermalink
Hash Action
489540U 214916U Take screenshot, mouse events, keyboard events
18691U Create a Zip of directory
134266U Reboot the system
281864U Shutdown the system
334551U Logoff from the current user
379238U Enumerate Processes and their executable
414986U 12926U Download file
526922U Run a process
549717U Enumerate drives
677710U Run shell command
750724U Delete all files from PC
859704U Uninstall malware
872468U Show MessageBox window
909989U Create a new directory
911819U Retrieve file or process properties
950881U Retrieve info about a specific folder
38889U Clipboard grabber
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 22 of 24

Hash Action
44265U Download and execute file
160478U Send UDP and TCP packets to a given IP (DDoS)
154753U Download and execute cs, vb, vbs, ps, bat
788583U Put text in clipboard
119627U Open a URL
172941U 343584U Kill a process
204675U Show files of directory
225809U Create paused notepad.exe process
299365U Run file
322482U Resume threads
940389U Suspend threads
516557U Delete directory
739465U Copy directory
290226U Move a file
687473U Extract a zip file
163489U Upload file to C2
922147U Send collected info, plugins, clipboard data
YaraPermalink
rule DCRat {
 meta:
 author = "Muammad Hasan Ali @muha2xmad"
 date = "2023-09-03"
 description = "YARA rule for DCRat indicators"
 strings:
 $str001 = "cao28Fn172GnuaZvuO_OnSystemInfoO29PluginI2bG7" fullword wide
 $str002 = "uploadsafefile_name" fullword wide
 $str003 = "uploadfile_name" fullword wide
 $str004 = "searchpath" fullword wide
 $str005 = "runas" fullword wide
 $str006 = "@@EXTRACTLOCATION" fullword wide
 $str007 = "@@EXTRACT_EXISTING_FILE" fullword wide
 $str008 = "@@POST_UNPACK_CMD_LINE" fullword wide
 $str009 = "@@REMOVE_AFTER_EXECUTE" fullword wide
 $str010 = "ACTWindow" fullword wide
 $str011 = "Clipboard [Files].txt" fullword wide
 $str012 = "Clipboard [Text].txt" fullword wide
 $str013 = "ConfigPluginName" fullword wide
 $str014 = "saving...." fullword wide
 $str015 = "DCRat-Log#" fullword wide
 $str016 = "DCRat.Code" fullword wide
 $str017 = "EncTable" fullword wide
 $str018 = "OldPath" fullword wide
 $str019 = "[Clipboard] Saving information..." fullword wide
 $str020 = "[Plugin] Invoke:" fullword wide
 $str021 = "[Screenshot] Saving screenshots from" fullword wide
 $str022 = "[SystemInfromation] Saving information..." fullword wide
 $str023 = "stealerlogstatus" fullword wide
 $API01 = "UseShellExecute" fullword ascii wide
 $API02 = "FromBase64String" fullword ascii wide
 $API03 = "GZipStream" fullword ascii wide
 $API04 = "GetTempPath" fullword ascii wide
 $API05 = "SHA1Managed" fullword ascii wide
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 23 of 24

$API06 = "SHA256Managed" fullword ascii wide
 $dir1 = "%AppData% - Very Fast\\AppData\\" fullword wide
 $dir2 = "%SystemDrive% - Slow" fullword wide
 $dir3 = "%UsersFolder% - Fast" fullword wide
 $dir4 = "%AppData% - Very Fast\\AppData\\" fullword wide
 $dir5 = "%UsersFolder% - Fast" fullword wide
 $dir6 = "%AppData% - Very Fast\\AppData\\" fullword wide
 $ext01 = ".bat" fullword wide
 $ext02 = ".vbs" fullword wide
 $ext03 = ".zip" fullword wide
 $ext04 = ".jpg" fullword wide
 $ext05 = ".exe" fullword wide
 
 $comm = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul" fullword wide
 
 condition:
 uint16(0) == 0x5a4d and (15 of ($str*) and 5 of ($API*) and 3 of ($dir*) and 3 of ($ext*) and ($comm))
}
IoCsPermalink
Sample SHA256 hash: 80e9df6cbe742866f0a88ea550f4b66498417506b8b8b7a88ffd180f67056670
C2 and path: http://77[.]246[.]107[.]91/LineserverUniversal[.]php
QuotePermalink
ا َن ْح ن الاَّلجئَنيأ واَل ُعدَن
ًج
ل
َم
ا َدت ُعيونك 
َع
فاَل 
مت بحمد لله وبتوفيقه
RefPermalink
Dcrat Deobfuscation - How to Manually Decode a 3-Stage .NET Malware
Source: https://muha2xmad.github.io/malware-analysis/dcrat/
https://muha2xmad.github.io/malware-analysis/dcrat/
Page 24 of 24