{
	"id": "49b08eff-bf27-43c6-88a9-0754f3bd631e",
	"created_at": "2026-04-06T00:17:55.179936Z",
	"updated_at": "2026-04-10T13:12:57.51056Z",
	"deleted_at": null,
	"sha1_hash": "372d473a5631d62928543b1dd0623c0d78e4e662",
	"title": "FreeCryptoScam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3035622,
	"plain_text": "FreeCryptoScam\r\nBy Stuti Chaturvedi, Aditya Sharma\r\nPublished: 2022-02-17 · Archived: 2026-04-05 23:21:41 UTC\r\nIntroduction\r\nIn January 2022, the ThreatLabz research team identified a crypto scam, which we've dubbed \"FreeCryptoScam.\"\r\nIn this scam, the threat actor targets crypto users by luring them with an offer of free cryptocurrency. When the victim downloads the payload, it leads to the installation of multiple malware payloads on the victim's system, allowing the threat actor to establish backdoors and/or steal user information. In this campaign, we see the Dark Crystal RAT (\"DCRat\") being downloaded, which in turn leads to Redline and TVRat being downloaded and executed on the victim’s system.\r\nThis blog aims to explain the various aspects of the campaign that the ThreatLabz team uncovered during the investigation and technical analysis of the dropped payloads.\r\nWebsite Analysis\r\nIn this campaign, the threat actors host their malicious payload on either a new domain (Figure 1) or an old, compromised web domain (Figure 2 \u0026 Figure 3). They use the following mechanisms to drop the payload onto the victim machine:\r\n1. As soon as the user visits the website, the JavaScript below, placed inside a “script” tag, is executed to drop a payload:\r\n“setTimeout(document.location.href=, )”\r\n2. As soon as the user clicks the button, the “href” property, which holds the payload link, is used to drop the payload.\r\nhttps://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and\r\nPage 1 of 11\r\nFigure 1: Newly spun up website hosting malicious payloads\r\nFigure 2: Old compromised websites used for hosting malicious payload\r\nIt should be noted that:\r\nThe threat actor uses social engineering to drive successful payload execution, luring victims to install the dropped payload with a message offering free cryptocurrency. 
\r\nThe attack works across browsers, with the mechanism running the same way in Chrome, Internet Explorer, and Firefox. Depending on the browser settings, the payload will either be downloaded automatically or a pop-up window will ask the user to save the application on the system.\r\nFrom the whois record, it is clear that the second domain (shown in Figure 2) is an old domain that has likely been compromised.\r\nFigure 3: Whois report of the second domain [Credit: DomainTools]\r\nAttack Chain\r\nThe figure below depicts the attack chain for two scenarios:\r\nFigure 4: Attack chain\r\nTechnical Analysis\r\nAs shown in the figure above, we found two types of payload:\r\n1. In Scenario 1, the payload was a downloader that connected to another malicious domain hosting second-stage payloads (backdoors and stealers). In most cases, the downloaded files were DCRat, Redline, and TVRat.\r\n2. In Scenario 2, the payload served the DCRat malware directly.\r\n[+] Scenario 1: Downloader DCRatLoader\r\nFor the purposes of analysis, we will look at the payload with MD5 hash D3EF4EC10EE42994B313428D13B1B0BD, which was protected by the well-known packer ASProtect and given a fake certificate (as shown in the figure below).\r\nFigure 5: Version information and digital certificate\r\nAfter unpacking the file, we get a 48KB .NET executable file (MD5 = 469240D5A3B57C61F5F9F2B90F405999). 
This is a downloader consisting of base64-encoded URLs and file paths (as shown in the figure below).\r\nFigure 6: Code of the unpacked file\r\nThese base64-encoded strings represent the URL paths for downloading the stage 2 payloads as well as the file paths where these payloads will be dropped on the victim system.\r\nFigure 7: URLs and file paths\r\n[+] Scenario 2: DCRat\r\nThe second scenario involved a direct download of the DCRat payload, which was also protected by ASProtect. Upon unpacking, we get a 664KB .NET executable file (MD5 = 37F433E1843602B29EC641B406D14AFA), which is the DCRat malware (shown in the figure below).\r\nFigure 8: Strings found in memory\r\nNetwork Traffic:\r\nFigure 9: Network traffic observed\r\nFigure 10: GET request sent to C\u0026C\r\nIn addition to the DCRat code, we also found stealer code inside the unpacked binary. This part of the code exhibited stealer characteristics, which are often used to exfiltrate sensitive user information. It not only stole information from the infected system but also disabled antivirus protection (if found enabled). The code in the figure below shows the type of data being exfiltrated:\r\nFigure 11: Stealer code\r\nFigure 12: Checks for installed antivirus products and disables them. 
\r\nWe observed that the sample created a mutex named \"\\Sessions\\1\\BaseNamedObjects\\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3\", where 865218dd0bef38bd584e8c4ea44a4b7e295cb6f3 is the SHA1 hash of the string \"DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr\"; the “DCR_MUTEX” prefix is characteristic of DCRat malware.\r\nFigure 13: Configuration of the DCRat\r\nZscaler Sandbox Detection\r\nDownloader payload\r\nDCRat payload\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:\r\nWin32.Downloader.DCRat\r\nWin32.Downloader.Redline\r\nWin32.Downloader.TVrat\r\nWin32.Backdoor.Dcrat\r\nWin32.Backdoor.Redline\r\nWin32.Backdoor.Tvrat\r\nWe haven't categorized this campaign in association with any particular family because it's a generic downloader that downloads other backdoors or stealers.\r\nMITRE ATT\u0026CK and TTP Mapping\r\nID | Technique | Description\r\nT1189 | Drive-by Compromise | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.\r\nT1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payload\r\nT1082 | System Information Discovery | Sends processor architecture and computer name\r\nT1083 | File and Directory Discovery | Uploads files from the victim machine\r\nT1005 | Data from Local System | Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. 
\r\nT1222 | File and Directory Permissions Modification | Changes directory permissions to hide its file\r\nT1555 | Credentials from Password Stores | Steals stored passwords\r\nT1056 | Keylogging | Keylogs the infected machine\r\nT1055 | Process Injection | Injects code into other processes\r\nIndicators of Compromise\r\n[+] MD5 Hashes\r\n[+] Network Indicators:\r\nSource: https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and"
	],
	"report_names": [
		"freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and"
	],
	"threat_actors": [],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/372d473a5631d62928543b1dd0623c0d78e4e662.pdf",
		"text": "https://archive.orkl.eu/372d473a5631d62928543b1dd0623c0d78e4e662.txt",
		"img": "https://archive.orkl.eu/372d473a5631d62928543b1dd0623c0d78e4e662.jpg"
	}
}