{
	"id": "668db7b6-dc2a-4125-a7c4-c521606eb181",
	"created_at": "2026-04-06T00:10:05.77064Z",
	"updated_at": "2026-04-10T13:13:05.285906Z",
	"deleted_at": null,
	"sha1_hash": "37520579625c4917d1811d2d18509da88fe5f4cc",
	"title": "Analyzing Dark Crystal RAT, a C# Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1331053,
	"plain_text": "Analyzing Dark Crystal RAT, a C# Backdoor\r\nBy Mandiant\r\nPublished: 2020-12-05 · Archived: 2026-04-05 21:48:08 UTC\r\nWritten by: Jacob Thompson\r\nThe FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware\r\nthey use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently,\r\nFLARE worked on a new C# variant of Dark Crystal RAT (DCRat) that the threat intel team passed to us. We reviewed open\r\nsource intelligence and prior work, performed sandbox testing, and reverse engineered the Dark Crystal RAT to review its\r\ncapabilities and communication protocol. Through publishing this blog post we aim to help defenders look for indicators of\r\ncompromise and other telltale signs of Dark Crystal RAT, and to assist fellow malware researchers new to .NET malware, or\r\nwho encounter future variants of this sample.\r\nDiscovering Dark Crystal RAT\r\nThe threat intel team provided FLARE with an EXE sample, believed to contain Dark Crystal RAT, and having the MD5\r\nhash b478d340a787b85e086cc951d0696cb1. Using sandbox testing, we found that this sample produced two executables,\r\nand in turn, one of those two executables produced three more. Figure 1 shows the relationships between the malicious\r\nexecutables discovered via sandbox testing.\r\nFigure 1: The first sample we began analyzing ultimately produced five executables\r\nArmed with the sandbox results, our next step was to perform a triage analysis on each executable. We found that the\r\noriginal sample and mnb.exe were droppers, that dal.exe was a clean-up utility to delete the dropped files, and that daaca.exe\r\nand fsdffc.exe were variants of Plurox, a family with existing reporting. Then we moved to analyzing the final dropped\r\nsample, which was dfsds.exe. 
We found brief public reporting by @James_inthe_box on the same sample, identifying it as\r\nDCRat and as a RAT and credential stealer. We also found a public sandbox run that included the same sample. Other public\r\nreporting described DCRat, but actually analyzed the daaca.exe Plurox component bundled along with DCRat in the initial\r\nsample.\r\nSatisfied that dfsds.exe was a RAT lacking detailed public reporting, we decided to perform a deeper analysis.\r\nAnalyzing Dark Crystal RAT\r\nInitial Analysis\r\nShifting aside from our sandbox for a moment, we performed static analysis on dfsds.exe. We chose to begin static analysis\r\nusing CFF Explorer, a good tool for opening a PE file and breaking down its sections into a form that is easy to view.\r\nWhen we viewed dfsds.exe in CFF Explorer, as shown in Figure 2, the utility showed us that it is a .NET executable. This\r\nmeant we could take a much different path to analyzing it than we would on a native C or C++ sample. Techniques we might\r\nhave otherwise used to start narrowing down a native sample’s functionality, such as looking at which DLLs it imports and\r\nwhich functions from those DLLs it uses, yielded no useful results for this .NET sample. As shown in Figure 3, dfsds.exe\r\nimports only the function _CorExeMain from mscoree.dll. We could have opened dfsds.exe in IDA Pro, but IDA Pro is\r\nusually not the most effective way of analyzing .NET samples; in fact, the free version of IDA Pro cannot handle .NET\r\nCommon Language Infrastructure (CLI) intermediate code.\r\nhttps://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html\r\nPage 1 of 18\n\nFigure 2: CFF Explorer shows that dfsds.exe is a .NET executable\r\nFigure 3: The import table for dfsds.exe is not useful as it contains only one function\r\nInstead of using a disassembler like IDA Pro on dfsds.exe, we used a .NET decompiler. 
Luckily for the reverse engineer,\r\ndecompilers operate at a higher level and often produce a close approximation of the original C# code. dnSpy is a great\r\n.NET decompiler. dnSpy’s interface displays a hierarchy of the sample’s namespaces and classes in the Assembly Explorer\r\nand shows code for the selected class on the right. Upon opening dfsds.exe, dnSpy told us that the sample’s original name at\r\nlink time was DCRatBuild.exe, and that its entry point is at {63E52738-38EE-4EC2-999E-1DC99F74E08C}.Main, shown\r\nin Figure 4. When we browsed to the Main method using the Assembly Explorer, we found C#-like code representing that\r\nmethod in Figure 5. Wherever dnSpy displays a call to another method in the code, it is possible to click on the target\r\nmethod name to go to it and view its code. By right-clicking on an identifier in the code, and clicking Analyze in the context\r\nmenu, we caused dnSpy to look for all occurrences where the identifier is used, similar to using cross-references in IDA Pro.\r\nFigure 4: dnSpy can help us locate the sample's entry point\r\nFigure 5: dnSpy decompiles the Main method into C#-like code\r\nWe went to the SchemaServerManager.Main method that is called from the entry point method, and observed that it makes\r\nmany calls to ExporterServerManager.InstantiateIndexer with different integer arguments, as shown in Figure 6. We\r\nbrowsed to the ExporterServerManager.InstantiateIndexer method, and found that it is structured as a giant switch statement\r\nwith many goto statements and labels; Figure 7 shows an excerpt. 
This does not look like typical dnSpy output, as dnSpy\r\noften reconstructs a close approximation of the original C# code, albeit with the loss of comments and local variable names.\r\nThis code structure, combined with the fact that the code refers to the CipherMode.CBC constant, led us to believe that\r\nExporterServerManager.InstantiateIndexer may be a decryption or deobfuscation routine. Therefore, dfsds.exe is likely\r\nobfuscated. Luckily, .NET developers often use obfuscation tools that are somewhat reversible through automated means.\r\nFigure 6: SchemaServerManager.Main makes many calls to ExporterServerManager.InstantiateIndexer\r\nFigure 7: ExporterServerManager.InstantiateIndexer looks like it may be a deobfuscation routine\r\nDeobfuscation\r\nDe4dot is a .NET deobfuscator that knows how to undo many types of obfuscations. Running de4dot -d (for detect) on\r\ndfsds.exe (Figure 8) informed us that .NET Reactor was used to obfuscate it.\r\n\u003e de4dot -d dfsds.exe\r\nde4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com\r\nLatest version and source code: https://github.com/0xd4d/de4dot\r\nDetected .NET Reactor (C:\\...\\dfsds.exe)\r\nFigure 8: dfsds.exe is obfuscated with .NET Reactor\r\nAfter confirming that de4dot can deobfuscate dfsds.exe, we ran it again to deobfuscate the sample into the file\r\ndfsds_deob.exe (Figure 9).\r\n\u003e de4dot -f dfsds.exe -o dfsds_deob.exe\r\nde4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com\r\nLatest version and source code: https://github.com/0xd4d/de4dot\r\nDetected .NET Reactor (C:\\Users\\user\\Desktop\\intelfirst\\dfsds.exe)\r\nCleaning C:\\Users\\user\\Desktop\\intelfirst\\dfsds.exe\r\nRenaming all obfuscated symbols\r\nSaving 
C:\\Users\\user\\Desktop\\intelfirst\\dfsds_deob.exe\r\nFigure 9: de4dot successfully deobfuscates dfsds.exe\r\nAfter deobfuscating dfsds.exe, we ran dnSpy again on the resulting dfsds_deob.exe. When we decompiled\r\nSchemaServerManager.Main again, the results were much different, as shown in Figure 10. Contrasting the new output with\r\nthe obfuscated version shown previously in Figure 6, we found the deobfuscated code much more readable. In the\r\ndeobfuscated version, all the calls to ExporterServerManager.InstantiateIndexer were removed; as suspected, it was\r\napparently a string decoding routine. In contrast, the class names shown in the Assembly Explorer did not change; the\r\nobfuscator must have irrecoverably replaced the original class names with meaningless ones obtained from a standard list.\r\nNext, we noted that ten lines in Figure 10 hold base64-encoded data. Once the sample was successfully deobfuscated, it was\r\ntime to move on to extracting its configuration and to follow the sample’s code path to its persistence capabilities and initial\r\nbeacon.\r\nFigure 10: Deobfuscating dfsds.exe shows that the method begins with some path manipulation and then accesses Base64-encoded data\r\nConfiguration, Persistence and Initial Beacon\r\nRecall that in Figure 10 we found that the method SchemaServerManager.Main has a local variable containing Base64-encoded data; decoding that data revealed what it contains. 
Figure 11 shows the decoded configuration (with C2 endpoint\r\nURLs de-fanged):\r\n\u003e echo TUhvc3Q6aHR0cDovL2RvbWFsby5vbmxpbmUva3NlemJseGx2b3Uza2NtYnE4bDdoZjNmNGN5NXhnZW\r\n80dWRsYTkxZHVldTNxYTU0LzQ2a3FianZ5a2x1bnAxejU2dHh6a2hlbjdnamNpM2N5eDhnZ2twdHgy\r\nNWk3NG1vNm15cXB4OWtsdnYzL2FrY2lpMjM5bXl6b24weHdqbHhxbm4zYjM0dyxCSG9zdDpodHRwOi\r\n8vZG9tYWxvLm9ubGluZS9rc2V6Ymx4bHZvdTNrY21icThsN2hmM2Y0Y3k1eGdlbzR1ZGxhOTFkdWV1\r\nM3FhNTQvNDZrcWJqdnlrbHVucDF6NTZ0eHpraGVuN2dqY2kzY3l4OGdna3B0eDI1aTc0bW82bXlxcH\r\ng5a2x2djMvYWtjaWkyMzlteXpvbjB4d2pseHFubjNiMzR3LE1YOkRDUl9NVVRFWC13TGNzOG8xTlZF\r\nVXRYeEo5bjl5ZixUQUc6VU5ERUY= | base64 -d\r\nMHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/\r\n46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjl\r\nxqnn3b34w,BHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91\r\ndueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239\r\nmyzon0xwjlxqnn3b34w,MX:DCR_MUTEX-wLcs8o1NVEUtXxJ9n9yf,TAG:UNDEF\r\nFigure 11: Decoding the base64 data in SchemaServerManager.Main reveals a configuration string\r\nFigure 11 shows that the data decoded to a configuration string containing four values: MHost, BHost, MX, and TAG. We\r\nanalyzed the code that parses this string and found that MHost and BHost were used as its main and backup command and\r\ncontrol (C2) endpoints. Observe that the MHost and BHost values in Figure 11 are identical, so this sample did not have a\r\nbackup C2 endpoint.\r\nIn dnSpy it is possible to give classes and methods meaningful names just as it is possible to name identifiers in IDA Pro.\r\nFor example, the method SchemaServerManager.StopCustomer picks the name of a random running process. 
By right-clicking the StopCustomer identifier and choosing Edit Method, it is possible to change the method name to\r\nPickRandomProcessName, as shown in Figure 12.\r\nFigure 12: Assigning meaningful names to methods makes it easier to keep analyzing the program\r\nContinuing to analyze the SchemaServerManager.Main method revealed that the sample persists across reboots. The\r\npersistence algorithm can be summarized as follows:\r\n1. The malware picks the name of a random running process, and then copies itself to %APPDATA% and C:\\. For\r\nexample, if svchost.exe is selected, then the malware copies itself to %APPDATA%\\svchost.exe and C:\\svchost.exe.\r\n2. The malware creates a shortcut %APPDATA%\\dotNET.lnk pointing to the copy of the malware under\r\n%APPDATA%.\r\n3. The malware creates a shortcut named dotNET.lnk in the logged-on user’s Startup folder pointing to\r\n%APPDATA%\\dotNET.lnk.\r\n4. The malware creates a shortcut C:\\Sysdll32.lnk pointing to the copy of the malware under C:\\.\r\n5. The malware creates a shortcut named Sysdll32.lnk in the logged-on user’s Startup folder pointing to\r\nC:\\Sysdll32.lnk.\r\n6. The malware creates the registry value HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\scrss pointing to\r\n%APPDATA%\\dotNET.lnk.\r\n7. The malware creates the registry value HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Wininit pointing to\r\nC:\\Sysdll32.lnk.\r\nAfter its persistence steps, the malware checks for multiple instances of the malware:\r\n1. The malware sleeps for a random interval between 5 and 7 seconds.\r\n2. The malware takes the MD5 hash of the still-base64-encoded configuration string, and creates the mutex whose name\r\nis the hexadecimal representation of that hash. For this sample, the malware creates the mutex\r\nbc2dc004028c4f0303f5e49984983352. 
If this fails because another instance is running, the malware exits.\r\nThe malware then beacons, which also allows it to determine whether to use the main host (MHost) or backup host (BHost).\r\nTo do so, the malware constructs a beacon URL based on the MHost URL, makes a request to the beacon URL, and then\r\nchecks to see if the server responds with the HTTP response body “ok.” If the server does not send this response, then the\r\nmalware unconditionally uses the BHost; this code is shown in Figure 13. Note that since this sample has the same MHost\r\nand BHost value (from Figure 11), the malware uses the same C2 endpoint regardless of whether the check succeeds or fails.\r\nFigure 13: The malware makes an HTTP request based on the MHost URL to determine whether to use the MHost or BHost\r\nThe full algorithm to obtain the beacon URL is as follows:\r\n1. Obtain the MHost URL, i.e., hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w.\r\n2. Calculate the SHA1 hash of the full MHost URL, i.e., 56743785cf97084d3a49a8bf0956f2c744a4a3e0.\r\n3. Remove the last path component from the MHost URL, and then append the SHA1 hash from above, and ?data=active. The full beacon URL is therefore\r\nhxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/56743785cf97084d3a49a8bf0956f2c744a4a3e0.php?data=active.\r\nAfter beaconing the malware proceeds to send and receive messages with the configured C2.\r\nMessages and Capabilities\r\nAfter performing static analysis of dfsds.exe to determine how it selects the C2 endpoint and confirming the C2 endpoint\r\nURL, we shifted to dynamic analysis in order to collect sample C2 traffic and make it easier to understand the code that\r\ngenerates and accepts C2 messages. 
Luckily for our analysis, the malware continues to generate requests to the C2 endpoint\r\neven if the server does not send a valid response. To listen for and intercept requests to the C2 endpoint (domalo[.]online)\r\nwithout allowing the malware Internet access, we used FLARE’s FakeNet-NG tool. Figure 14 shows some of the C2\r\nrequests that the malware made being captured by FakeNet-NG.\r\nFigure 14: FakeNet-NG can capture the malware's HTTP requests to the C2 endpoint\r\nBy comparing the messages generated by the malware and captured in FakeNet-NG with the malware’s decompiled code,\r\nwe determined its message format and types. Observe that the last HTTP request visible in Figure 14 contains a list of\r\nrunning processes. By tracing through the decompiled code, we found that the method\r\nSchemaServerManager.ObserverWatcher.NewMerchant generated this message. We renamed this method to taskThread and\r\nassigned meaningful names to the other methods it calls; the resulting code for this method appears in Figure 15.\r\nFigure 15: The method that generates the list of running processes and sends it to the C2 endpoint\r\nBy analyzing the code further, we identified the components of the URLs that the malware used to send data to the C2\r\nendpoint, and how they are constructed.\r\nBeacons\r\nThe first type of URL is a beacon, sent only once when the malware starts up. For this sample, the beacon URL was always\r\nhxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/56743785cf97084d3a49a8bf0956f2c744a4a3e0.php?data=active, where 56743785cf97084d3a49a8bf0956f2c744a4a3e0 is the SHA1 hash of the MHost URL, as described\r\nearlier.\r\nGET requests, format 1\r\nWhen the malware needs to send data to or receive data from the C2, it sends a message. 
The first type of message, which\r\nwe denote as “format 1,” is a GET request to URLs of the form\r\nhxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/.php?type=__ds_setdata\u0026__ds_setdata_user=\u003cuser_hash\u003e\u0026__ds_setdata_ext=\u003cmessage_hash\u003e\u0026__ds_setdata_data=, where:\r\nThe hash in the path component before .php is MD5(SHA1(MHost)), which for this sample is 212bad81b4208a2b412dfca05f1d9fa7.\r\n\u003cuser_hash\u003e is a unique identifier for the machine on which the malware is running. It is always calculated as SHA1(OS_version\r\n+ machine_name + user_name) as provided by the .NET System.Environment class.\r\n\u003cmessage_hash\u003e identifies what kind of message the malware is sending to the C2 endpoint. It is calculated as MD5(message type + \u003cuser_hash\u003e), where the message type is a\r\nshort keyword identifying the type of message, and \u003cuser_hash\u003e is as calculated above.\r\nValues for the message type exist for each command that the malware supports; for possible values, see the “msgs” variable in\r\nthe code sample shown in Figure 19.\r\nObserve that this makes it difficult to observe the message type visually from log traffic, or to write a static\r\nnetwork signature for the message type, since it varies for every machine due to the inclusion of the \u003cuser_hash\u003e.\r\nOne type of message uses the value u instead of a hash for \u003cmessage_hash\u003e.\r\nThe value of the __ds_setdata_data parameter is the message data, which is not obscured in any way.\r\nThe other type of ordinary message is a getdata message. These are GET requests to URLs of the form\r\nhxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/.php?type=__ds_getdata\u0026__ds_getdata_user=\u003cuser_hash\u003e\u0026__ds_getdata_ext=\u003cmessage_hash\u003e\u0026__ds_getdata_key=\u003ckey\u003e, where:\r\nThe hash in the path component before .php and \u003cuser_hash\u003e are calculated as described above.\r\n\u003cmessage_hash\u003e is also calculated as described above, but describes the type of message the malware is\r\nexpecting to receive in the server’s response.\r\n\u003ckey\u003e is an MD5 hash.\r\nThe server is expected to respond to a getdata message with an appropriate response for the type of message specified by \u003cmessage_hash\u003e.\r\nGET requests, format 2\r\nA few types of messages from the malware to the C2 use a different format, which we denote as “format 2.” These messages\r\nare GET requests of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/.\u003cmessage_hash\u003e, where:\r\nThe hash before the dot is calculated as described above for getdata messages.\r\n\u003cmessage_hash\u003e is also calculated as described above for getdata messages, but describes the type of message the malware is\r\nexpecting to receive in the server’s response. It may also be the string comm.\r\nTable 1 shows possible message types that may be incorporated into \u003cmessage_hash\u003e as part of format 2 messages to instruct the server which type of\r\nresponse is desired. In contrast to format 1 messages, format 2 messages are only used for a handful of values.\r\nMessage type Response desired\r\ns_comm The server sends a non-empty response if a screenshot request is pending\r\nm_comm The server sends a non-empty response if a microphone request is pending\r\nRDK The server responds directly with keystrokes to replay\r\ncomm The server responds directly with other types of tasking\r\nTable 1: Message types when the malware uses a special message to request tasking from the server\r\nPOST requests\r\nWhen the malware needs to upload large files, it makes a POST request. 
These POST requests are sent to\r\nhxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/.php, with the following parameters in the POST data:\r\nname is a hash calculated as described above, followed by \".\" and the type of data being uploaded.\r\nupload is a file with the data being sent to the server.\r\nTable 2 shows possible values for the type of data along with the type of file being uploaded.\r\nValue Type of File\r\njpg Screenshot\r\nzipstealerlog Cookie stealer log\r\nwav Microphone recording\r\nfile Uploaded file\r\nbmp Webcam image\r\nTable 2: Message types when files are uploaded to the server\r\nCapabilities\r\nBy analyzing the code that handles the responses to the comm message (format 2), it was possible for us to inventory the\r\nmalware’s capabilities. Table 3 shows the keywords used in responses along with the description of each capability.\r\nKeyword Description\r\nshell Execute a shell command\r\ndeleteall Recursively delete all files from C:, D:, F:, and G:\r\nclosecd Close the CD-ROM drive door\r\nsetwallpaper Change the background wallpaper\r\nddos Send TCP and UDP packets to a given host or IP address\r\nlogoff Log off the current user\r\nkeyboardrecorder Replay keystrokes as if the user had typed them\r\nfm_newfolder Create a new folder\r\nfm_rename Rename or move a file\r\ndesktopHide Hide desktop icons\r\nkeyloggerstart Start logging keystrokes\r\nexec_cs_code Compile and execute C# code\r\nmsgbox Open a Windows MessageBox\r\nfm_upload Transfer a file from the C2 to the client\r\nrdp Re-spawn the malware running as an administrator\r\nfm_zip Build a ZIP file from a directory tree and transfer it from the client to the C2\r\nwebcam Take a webcam picture\r\nfm_unzip Unzip a ZIP file to a given path on the client\r\nkeyloggerstop Stop logging 
keystrokes\r\nfm_drives Enumerate drive letters\r\ncookiestealer Transfer cookies and browser/FileZilla saved credentials to the C2\r\nfm_delete Recursively delete a given directory\r\ndismon Hide desktop icons and taskbar\r\nfm_uploadu Transfer a file from the C2 to the client\r\ntaskstart Start a process\r\ncleardesktop Rotate screen\r\nlcmd Run shell command and send standard output back to C2\r\ntaskbarShow Show taskbar\r\nclipboard Set clipboard contents\r\ncookiestealer_file Save cookies and credentials to a local file\r\nnewuserpass Create a new local user account\r\nbeep Beep for set frequency and duration\r\nspeak Use speech synthesizer to speak text\r\nopenchat Open chat window\r\ntaskbarHide Hide the taskbar\r\nRDStart Start remote control over user’s desktop\r\nclosechat Close chat window\r\nRDStop Stop remote control over user’s desktop\r\nfm_opendir List directory contents\r\nuninstall Remove the malware from the client\r\ntaskkill Kill a process\r\nforkbomb Endlessly spawn instances of cmd.exe\r\nfm_get Transfer a file from the client to the C2\r\ndesktopShow Show desktop icons\r\nClipboardget Transfer clipboard contents to C2\r\nplayaudiourl Play a sound file\r\nopencd Open the CD-ROM drive door\r\nshutdown Shut down the machine\r\nrestart Restart the machine\r\nbrowseurl Open a web URL in the default browser\r\nTable 3: Capabilities of DCRat\r\nProof-of-Concept Dark Crystal RAT Server\r\nAfter gathering information from Dark Crystal RAT about its capabilities and C2 message format, another way to illustrate\r\nthe capabilities and test our understanding of the messages was to write a proof-of-concept server. Here is a code snippet\r\nthat we wrote containing a barebones DCRat server written in Python. 
Unlike a real RAT server, this one does not have a\r\nuser interface to allow the attacker to pick and launch commands. Instead, it has a pre-scripted command list that it sends to\r\nthe RAT.\r\nWhen the server starts up, it uses the Python BaseHTTPServer to begin listening for incoming web requests (lines 166-174).\r\nIncoming POST requests are assumed to hold a file that the RAT is uploading to the server; this server assumes all file\r\nuploads are screenshots and saves them to “screen.png” (lines 140-155). For GET requests, the server must distinguish\r\nbetween beacons, ordinary messages, and special messages (lines 123-138). For ordinary messages, __ds_setdata messages\r\nare simply printed to standard output, while the only __ds_getdata message type supported is s_comm (screenshot\r\ncommunications), to which the server responds with the desired screenshot dimensions (lines 63-84). For messages of type\r\ncomm, the server sends four types of commands in sequence: first, it hides the desktop icons; then, it causes the string\r\n“Hello this is tech support” to be spoken; next, it displays a message box asking for a password; finally, it launches the\r\nWindows Calculator (lines 86-121).\r\nFigure 16 shows the results when Dark Crystal RAT is run on a system that has been configured to redirect all traffic to\r\ndomalo[.]online to the proof-of-concept server we wrote.\r\nFigure 16: The results when a Dark Crystal RAT instance communicates with the proof-of-concept server\r\nOther Work and Reconnaissance\r\nAfter reverse engineering Dark Crystal RAT, we continued reconnaissance to see what additional information we could find.\r\nOne limitation to our analysis was that we did not wish to allow the sample to communicate with the real C2, so we kept it\r\nisolated from the Internet. 
To learn more about Dark Crystal RAT we tried two approaches: the first was to browse the Dark\r\nCrystal RAT website (files.dcrat[.]ru) using Tor, and the other was to take a look at YouTube videos of others’ experiments\r\nwith the “real” Dark Crystal RAT server.\r\nDark Crystal RAT Website\r\nWe found that Dark Crystal RAT has a website at files.dcrat[.]ru, shown in Figure 17. Observe that there are options to\r\ndownload the RAT itself, as well as a few plugins; the DCLIB extension is consistent with the plugin loading code we found\r\nin the RAT.\r\nFigure 17: The website files.dcrat[.]ru allows users to download Dark Crystal RAT and some of its plugins\r\nFigure 18 shows some additional plugins, including plugins with the ability to resist running in a virtual machine, disable\r\nWindows Defender, and disable webcam lights on certain models. No plugins were bundled with the sample we studied.\r\nFigure 18: Additional plugins listed on the Dark Crystal RAT website\r\nFigure 19 lists software downloads on the RAT page. We took some time to look at these files; here are some interesting\r\nthings we discovered:\r\nThe DCRat listed on the website is actually a “builder” that packages a build of the RAT and a configuration for the\r\nattacker to deploy. This is consistent with the name DCRatBuild.exe shown back in Figure 4. In our brief testing of\r\nthe builder, we found that it had a licensing check. We did not pursue bypassing it once we found public YouTube\r\nvideos of the DCRat builder in operation, as we show later.\r\nThe DarkCrystalServer is not self-contained, rather, it is just a PHP file that allows the user to supply a username and\r\npassword, which causes it to download and install the server software. 
Due to the need to supply credentials and\r\ncommunicate back with dcrat[.]ru (Figure 20), we did not pursue further analysis of DarkCrystalServer.\r\nFigure 19: The RAT page lists software for the RAT, the server, an API, and plugin development\r\nFigure 20: The DarkCrystalServer asks for a username and password and calls back to dcrat[.]ru to download software, so\r\nwe did not pursue it further\r\nYouTube Videos\r\nAs part of confirming our findings about Dark Crystal RAT capabilities that we obtained through reverse engineering, we\r\nfound some YouTube demonstrations of the DCRat builder and server.\r\nThe YouTube user LIKAR has a YouTube demonstration of Dark Crystal RAT. The author demonstrates use of the Dark\r\nCrystal RAT software on a server with two active RAT instances. During the video, the author browses through the various\r\nscreens in the software. This made it easy to envision how a cyber threat would use the RAT, and to confirm our suspicions\r\nof how it works.\r\nFigure 21 shows a capture from the video at 3:27. Note that the Dark Crystal RAT builder software refers to the DCRatBuild\r\npackage as a “server” rather than a client. Nonetheless, observe that one of the options was a type of Java, or C# (Beta). By\r\nwatching this YouTube video and doing some additional background research, we discovered that Dark Crystal RAT has\r\nexisted for some time in a Java version. The C# version is relatively new. This explained why we could not find much\r\ndetailed prior reporting about it.\r\nFigure 21: A YouTube demonstration revealed that Dark Crystal RAT previously existed in a Java version, and the C#\r\nversion we analyzed is in beta\r\nFigure 22 shows another capture from the video at 6:28. 
The functionality displayed on the screen lines up nicely with the\r\n“msgbox”, “browseurl”, “clipboard”, “speak”, “opencd”, “closecd”, and other capabilities we discovered and enumerated in\r\nTable 6.\r\nFigure 22: A YouTube demonstration confirmed many of the Dark Crystal RAT capabilities we found in reverse engineering\r\nConclusion\r\nIn this post we walked through our analysis of the sample that the threat intel team provided to us and all its components.\r\nThrough our initial triage, we found that its “dfsds.exe” component is Dark Crystal RAT. We found that Dark Crystal RAT\r\nwas a .NET executable, and reverse engineered it. We extracted the malware’s configuration, and through dynamic analysis\r\ndiscovered the syntax of its C2 communications. We implemented a small proof-of-concept server to test the correct format\r\nof commands that can be sent to the malware, and how to interpret its uploaded screenshots. Finally, we took a second look\r\nat how actual threat actors would download and use Dark Crystal RAT.\r\nTo conclude, indicators of compromise for this version of Dark Crystal RAT (MD5: 047af34af65efd5c6ee38eb7ad100a01)\r\nare given in Table 4.\r\nIndicators of Compromise\r\nDark Crystal RAT (dfsds.exe)\r\nCategory | Artifact type | Value\r\nHandle artifacts | Mutex name | bc2dc004028c4f0303f5e49984983352\r\nRegistry artifacts | Registry value | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\scrss\r\nRegistry artifacts | Registry value | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Wininit\r\nFile system artifacts | File | C:\\Sysdll32.lnk\r\nFile system artifacts | File | %APPDATA%\\dotNET.lnk\r\nFile system artifacts | File | Start Menu\\Programs\\Startup\\Sysdll32.lnk\r\nFile system artifacts | File | Start Menu\\Programs\\Startup\\dotNET.lnk\r\nFile system artifacts | File | %APPDATA%\\\u003crandom process name\u003e.exe\r\nFile system artifacts | File | C:\\\u003crandom process name\u003e.exe\r\nNetwork artifacts | HTTP request | hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6m\r\nNetwork artifacts | HTTP request | hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6m\r\ntype=__ds_getdata\u0026__ds_getdata_user=\u003cuser_hash\u003e\u0026__ds_getdata_ext=\u003cmessage_hash\u003e\u0026__ds_getdata_key=\u003ckey\u003e\r\nNetwork artifacts | HTTP request | hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6\r\nNetwork artifacts | TCP connection | domalo[.]online:80\r\nNetwork artifacts | TCP connection | ipinfo[.]ip\r\nNetwork artifacts | DNS lookup | domalo[.]online\r\nNetwork artifacts | DNS lookup | ipinfo[.]ip\r\nStrings | Static string | DCRatBuild\r\nTable 4: IoCs for this instance of DCRat\r\nFireEye Product Support for Dark Crystal RAT\r\nTable 5 describes how FireEye products react to the initial sample (MD5: b478d340a787b85e086cc951d0696cb1) and its\r\nDark Crystal RAT payload, or in the case of Mandiant Security Validation, allow a stakeholder to validate their own\r\ncapability to detect Dark Crystal RAT.\r\nFireEye Product Support for Dark Crystal RAT\r\nProduct | Detections\r\nFireEye Network Security (NX) | Backdoor.Plurox detection\r\nFireEye Email Security (EX \u0026 ETP) | Backdoor.MSIL.DarkCrystal, Backdoor.Plurox, Malware.Binary.exe, Trojan.Vasal.FEC3, Win.Ransomware.Cerber-6267996-1, fe_ml_heuristic detections\r\nFireEye Endpoint Security (HX) | Trojan.GenericKD.32546165, Backdoor.MSIL.DarkCrystal detections\r\nFireEye Malware Analysis (AX) | Backdoor.Plurox.FEC2 detection\r\nFireEye Detection on Demand (DoD) | Backdoor.Plurox.FEC2, FireEye.Malware detections\r\nMandiant Security Validation | Built-in Action coming soon\r\nTable 5: Support in FireEye products to detect Dark Crystal RAT or validate detection capability\r\nSource: https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html"
	],
	"report_names": [
		"analyzing-dark-crystal-rat-backdoor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37520579625c4917d1811d2d18509da88fe5f4cc.pdf",
		"text": "https://archive.orkl.eu/37520579625c4917d1811d2d18509da88fe5f4cc.txt",
		"img": "https://archive.orkl.eu/37520579625c4917d1811d2d18509da88fe5f4cc.jpg"
	}
}