{
	"id": "f53ad0df-644d-4c97-a676-46218070e3f1",
	"created_at": "2026-04-06T00:10:48.965167Z",
	"updated_at": "2026-04-10T03:21:09.495865Z",
	"deleted_at": null,
	"sha1_hash": "b43dbcafef7f02917885a524018d78e055d08dfd",
	"title": "Dcrat Malware Analysis - How to Manually Decode a 3-Stage Malware Sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3092699,
	"plain_text": "Dcrat Malware Analysis - How to Manually Decode a 3-Stage\r\nMalware Sample\r\nBy Matthew\r\nPublished: 2023-04-08 · Archived: 2026-04-05 13:12:36 UTC\r\nAnalysis of a 3-stage malware sample resulting in a dcrat infection. The initial sample contains 2 payloads which\r\nare hidden by obfuscation. This analysis will demonstrate methods for manually uncovering both payloads and\r\nextracting the final obfuscated C2.\r\nTooling\r\nDetect-it-easy - Quick initial analysis of PE files\r\nDnspy - Analysis, decompilation and debugging of .NET files\r\nCyberchef - Interactive tool for prototyping decoders\r\nSamples\r\nThe malware file can be found here\r\nAnd a copy of the decoding scripts here\r\nInitial Analysis\r\nThe initial file can be downloaded via Malware Bazaar and unzipped using the password infected\r\ndetect-it-easy is a great tool for the initial analysis of the file.\r\nPe-studio is also a great option but we personally prefer the speed and simplicity of detect-it-easy\r\nDetect-it-easy revealed that the sample is a 32-bit .NET-based file.\r\n- The protector Confuser(1.X) has also been recognized.\r\nhttps://embeeresearch.io/dcrat-manual-de-obfuscation/\r\nPage 1 of 22\n\nInitial analysis using Detect-it-easy\r\nBefore proceeding, we checked the entropy graph for signs of embedded files.\r\nI used this to determine if the file was really dcrat , or a loader for an additional payload containing dcrat .\r\nIn my experience, large and high entropy sections often indicate an embedded payload, 
indicating that the file\r\nbeing analyzed is a loader.\r\nEntropy Analysis of the Initial .exe file - Showing a large section of high entropy\r\nThe entropy graph revealed that a significant portion of the file has an entropy of 7.98897 (This is very high, the\r\nmaximum value is 8).\r\nThis was a strong indicator that the file was a loader and not the final dcrat payload.\r\nTo analyze the suspected loader, we moved on to Dnspy\r\nDnspy Analysis\r\nUtilizing Dnspy, we saw that the file had been recognized as rewrwr.exe and contained references to\r\nconfuserEx. Likely this means the file is obfuscated using ConfuserEx and might be a pain to analyze.\r\nDnspy overview of the initial file\r\nTo peek at the code being executed - we right-clicked on the rewrwr.exe name and selected go to entry\r\npoint\r\nThis would give us a rough idea of what the actual executed code might look like.\r\nThe file immediately creates an extremely large array of unsigned integers. 
This could be an encrypted array of\r\nintegers containing bytecodes for the next stage (further suggested by a post-array reference to a Decrypt\r\nfunction)\r\nViewing Encrypted Arrays using Dnspy\r\nUsing Dnspy to locate and view the Decryption function\r\nThe initial array of uints was so huge that it was too large to display in Dnspy.\r\nGiven the size, we suspected this array was the reason for the extremely high entropy previously observed with\r\ndetect-it-easy\r\nAfter the array, there is again code that suggests the array's contents are decrypted, then loaded into memory with\r\nthe name koi\r\nGiven the relative simplicity of the code so far - we suspected the encryption was not complex, but still, we\r\ndecided not to analyze it this time.\r\nInstead, we considered two other approaches\r\nSet a breakpoint after the Decrypt call and dump the result from memory.\r\nSet a module breakpoint to break when the new module is decrypted and loaded. Then dump the result\r\ninto a file.\r\nWe took the second approach, as it is reliable and useful for occasions where the location of decryption and loading\r\nisn't as easy to find. (Typically it's more complicated to find the Decryption function, but luckily in this case it was\r\nrather simple)\r\nTo extract stage 2 - we first created a module breakpoint which would break on all module loads.\r\nTo do this, we first opened the module breakpoints window.\r\nDebug -\u003e Windows -\u003e Module Breakpoints\r\nHow to set a module breakpoint using Dnspy\r\nWe then created a module breakpoint with two wildcards. 
This will break on all new modules loaded by the\r\nmalware.\r\nModule breakpoint to break on all loaded modules\r\nWe then executed the malware using the start button\r\nDnspy button to Start or Continue execution\r\nWe can accept the default options.\r\nDefault options for Dnspy Debugging are ok\r\nImmediately, a breakpoint was hit as mscorlib.dll was being loaded into memory. This is a default library and we\r\nignored it by selecting Continue\r\nDnspy alert when a module breakpoint has been triggered\r\nOnce executed - the Continue button can be used to resume the execution\r\nThe next module loaded was the original file being analyzed, which in this case can be safely ignored.\r\nAfter that, a suspicious-looking koi module was loaded into memory. (If you don't have a modules window, go\r\nto debug -\u003e windows -\u003e modules )\r\nHow to View Currently Loaded Modules in Dnspy\r\nHere we could see the koi module had been loaded.\r\nExample of a suspicious module being loaded into memory\r\nAt this point, we saved the koi module to a new file using Right-Click -\u003e Save Module .\r\nDnspy Option for Saving a Loaded Module\r\nWe can then exit the debugger and move on to the koi.exe file.\r\nAnalysis of koi.exe\r\nWe can observe that koi.exe is another 32-bit .NET file containing references to the ConfuserEx Obfuscator\r\nInitial Analysis of a .NET file using Detect-it-easy\r\nThis time it does not seem to contain any large encrypted payloads.\r\nAlthough the overall entropy is low, large portions of the graph are still suspiciously flat. 
This can\r\nsometimes be an indication of text-based obfuscation.\r\nEntropy Analysis when a text-based obfuscation is used\r\nWe can now go ahead and open koi.exe in Dnspy.\r\nThis time there was another rewrwr.exe name and references again to ConfuserEx\r\nFile Overview with Dnspy\r\nKoi.exe does not have a defined Entry Point. Instead we can begin analysis with the rewrwr namespace\r\n(located in the side panel). This namespace contains one Class named Form1\r\nThe Form1 class immediately called Form1_Load , which itself immediately referenced a large string that\r\nappeared to be base64 encoded.\r\nExample of Entry Point Containing Obfuscated Data\r\nDespite appearing to be base64 - the text does not successfully decode using base64. This was an indicator that some\r\nadditional tricks or obfuscation had been used.\r\nAttempting to Decode Base64 Using Cyberchef - Initially fails due to additional obfuscation\r\nWe decided to jump to the end of the base64-looking data - noting that there were about 50 large strings in total,\r\neach titled Str1 str2 ... all the way to Str49.\r\nIt was very likely these strings were the cause of the flat entropy graph we viewed earlier. Text-based\r\nobfuscation tends to produce lower entropy than \"proper\" encryption\r\nExample of another \"base64\" obfuscated string in Dnspy\r\nAt the end of the data was the decoding logic, 
which appeared to be taking the first character from each string and\r\nadding it to a buffer.\r\nDecoding Logic Utilised by the Dcrat Loader - Viewed with Dnspy\r\nAfter the buffer is filled, it is base64 decoded and loaded into memory as an additional module.\r\nExample of Decoded Contents being loaded into Memory\r\nIn order to confirm the theory on how the strings are decoded, we can take the first character from the first 5\r\nstrings and base64 decode the result.\r\nBrief Overview of the Additional obfuscation used\r\nAn example of this decodes using base64\r\nThis confirmed the theory of how the malware was decoding the next stage.\r\nIn order to extract the next module, we can copy out the strings and place them into a Python script.\r\nPython Script to Decode the Dcrat Encoded Strings\r\nRunning this script creates a third file, which for simplicity's sake is named output.bin\r\nThe file is recognized as a 32-bit .NET file, 
so the decoding was successful.\r\nInitial Analysis of Third .NET File using Detect-it-easy\r\nStage 3 - Analysis\r\nWe have now obtained a stage 3 file - which again is a 32-bit .NET executable.\r\nLuckily this time, there are no references to ConfuserEx or other obfuscators.\r\nInitial Analysis of Third .NET File using Detect-it-easy\r\nThe entropy is reasonably normal - and does not contain any large flat sections that can indicate a hidden payload.\r\nThe lack of ConfuserEx and relatively normal entropy - is an indication that this may be the final payload.\r\nMoving on to Dnspy, the file is recognized as IvTdur2zx\r\nDespite the lack of ConfuserEx , the namespaces and class names look obfuscated in some way.\r\nDnspy view of Obfuscated Functions in the Final Payload\r\nWe can jump to the Entry Point for further analysis.\r\nThe first few functions are mostly junk - but there are some interesting strings referenced throughout the code.\r\nFor example - references to a .bat script being written to disk\r\nDnspy Overview of Strings in The .NET File\r\nSince the strings were largely plaintext and not obfuscated - at this point we can use detect-it-easy to look for\r\nmore interesting strings contained within the file.\r\nThis reveals a reference to DCrat - as well as some potential targeted applications (discord, steam, etc)\r\nOverview of some plaintext strings contained in the malware\r\nAt that point, you could probably assume the file was DCrat and an info stealer - but we wanted to continue our\r\nanalysis until we'd found the C2.\r\nIn the above screenshot, we noticed some interesting strings that looked like base64 encoding + gzip (the\r\nH4sIAA* is a base64-encoded 
gzip header).\r\nSo we attempted to analyze these using CyberChef.\r\nThe first resulted in what appeared to be a base64 encoded + reversed string.\r\nThis was strongly hinted by the presence of == at the start.\r\nCyberchef - Base64 + Gzip + Additional Obfuscation\r\nAfter applying a character reverse + base64 decode , we were able to obtain a strange dictionary as well as a\r\nmutex of Wzjn9oCrsWNteRRGsQXn + some basic config.\r\nThis was cool but still no C2.\r\nCyberchef - Decoding the \"base64\" strings\r\nWe then tried to decode the second base64 blob shown by detect-it-easy .\r\nBut the result was largely junk.\r\nCyberchef - Failed Decoding of Additional \"base64\" strings\r\nAttempting to reverse + base64 decode returned no results.\r\nCyberchef - Additional failures when decoding strings\r\nAt this point - we decided to search for the base64 encoded string to see where it was referenced in the .NET code.\r\nUsing Dnspy to search for string cross-references (x-refs)\r\nThis revealed an interesting function showing multiple additional functions acting on the base64 encoded data.\r\nIn total, there are 4 functions ( M2r.957 , M2r.i6B , M2r.1vX , M2r.i59 ) which are acting on the encoded\r\ndata.\r\nViewing Additional layers of string obfuscation using Dnspy\r\nThe first function M2r.957 is a wrapper around another function M2r.276 which performed the base64 and\r\nGzip decoding.\r\nDelving Deeper into an \"obfuscation\" function. 
\r\nThe next function M2r.i6B took the previously obtained string and then performed a Replace operation based\r\non a Dictionary\r\nCyberchef View of Obfuscated String\r\nInteresting to note is that the Value is replaced with the Key and not the other way around as you\r\nmight expect.\r\nDnspy - Overview of Dictionary-based String Replace\r\nBased on the previous code, the input dictionary had something to do with a value of SCRT\r\nAnalysing additional string obfuscation using Dnspy\r\nSuspiciously - there was an SCRT that looked like a dictionary in the first base64 string that was decoded.\r\nCyberchef - locating the dictionary used for decoding\r\nSo we obtained that dictionary and prettied it up using Cyberchef to remove all of the \\ escapes.\r\nCleaning up escape characters with Cyberchef\r\nWe then created a partial Python script based on the information we had so far. 
(We'll post a link at the end of this\r\npost)\r\nPython Script used to decode the string\r\nExecuting this script and printing the result - we were able to obtain a cleaner-looking string than before.\r\nHere's a before and after\r\nBefore applying additional text-replacement\r\nAfter applying additional text-replacement\r\nIt was probably safe to assume this string was reversed + base64 encoded , but we decided to check the\r\nremaining two decoding functions just to make sure.\r\nM2r.1vX was indeed responsible for reversing the string.\r\nDnspy - Analysis of additional obfuscation (string reverse)\r\nM2r.i59 was indeed responsible for base64 decoding the result.\r\nDnspy - Analysis of additional obfuscation (base64 decoding)\r\nSo we then added these steps to our Python script.\r\nUpdated Python Script for decoding Dcrat\r\nAnd executed to reveal the results - successful C2!\r\nhttp://battletw[.]beget[.]tech/\r\nSuccessfully obtaining the decoded C2 using Python.\r\n(The URLs contained some base64 reversed/encoded strings and were not very interesting)\r\nThis C2 domain had only 2/85 hits on VirusTotal\r\nAt this point, we had obtained the C2 and decided to stop our analysis.\r\nIn a real environment, it would be best to block this domain immediately in your security solutions. 
Additionally,\r\nyou could review the previous string dumps for process-based indicators that could be used to hunt for signs of\r\nsuccessful execution.\r\nYou could also try to derive some Sigma rules from the string dumps or potentially use the C2 URL\r\nstructure to hunt through proxy logs.\r\nLinks\r\nCopies of the decoding scripts - https://github.com/embee-research/Decoders/tree/main/2023-April-dcrat\r\nLink to the original malware -\r\nhttps://bazaar.abuse.ch/sample/fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e/\r\nSource: https://embeeresearch.io/dcrat-manual-de-obfuscation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embeeresearch.io/dcrat-manual-de-obfuscation/"
	],
	"report_names": [
		"dcrat-manual-de-obfuscation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b43dbcafef7f02917885a524018d78e055d08dfd.pdf",
		"text": "https://archive.orkl.eu/b43dbcafef7f02917885a524018d78e055d08dfd.txt",
		"img": "https://archive.orkl.eu/b43dbcafef7f02917885a524018d78e055d08dfd.jpg"
	}
}