Request a Demo
Rewterz
Rewterz Threat Advisory – Multiple Adobe InDesign Vulnerabilities
May 11, 2022
Rewterz
Rewterz Threat Advisory – CVE-2022-28819 – Adobe Character Animator Vulnerability
May 11, 2022

Rewterz Threat Alert – DarkCrystal RAT (DCRat) – Active IOCs

Severity

High

Analysis Summary

DCRat – a Russian backdoor, was initially introduced in 2018, but rebuilt and relaunched a year later. The DCRat backdoor appears to be the product of a single threat actor who goes online with the pseudonyms of “boldenis44,” “crystalcoder,” and Кодер (“Coder”). 

DCRat is one of the cheapest commercial RATs. For a two-month membership, the price starts at 500 RUB (less than 5 GBP/US$6), and it periodically drops even cheaper during special offers. This is written in .NET and features a modular structure, allowing affiliates to create their own plugins using DCRat Studio, a dedicated integrated development environment (IDE).

The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three parts:

  • A stealer/client executable
  • The command-and-control (C2) endpoint/ interface is a single PHP page
  • An administrator tool

The malware is still in development, the author announces any news and updates through a dedicated Telegram channel with about 3k users updated with any news and changes.

Impact

  • Unauthorized Remote Access
  • Keylogging
  • Information Theft
  • Password Theft

Indicators of Compromise

Domain Name

  • dcrat[.]ru
  • crystalfiles[.]ru

MD5

  • 15a1eb360159ae7906efb9562ee664cb
  • 29fb61de3e11e1db3e65ca5fdef6e542
  • 8a1764d0affe8740407b93040fc639d4
  • 89bf0f7e9adf290c6d571eccf79206a9
  • aa84f91edd922e7b3bb979e663c94f1a
  • 569052631a6b80c1c6a336c10c978b02
  • 9a2ea4da5eec75298f16ba444d3a98d6
  • 0b4dbf61a98f3e34cdd3a1b08a6a4609
  • bbc5441ecd131f5a98dff8be2ebc5294
  • e8b39f250fb67e115e07e9eac5c99708

SHA-256

  • 6014d44d8f7da00f03db051b3dcea9a03ec3837977118c69a4512ef558a6df2a
  • 914cca033fc8ca52830a21b5dca55263cee1e74ab5571702906ee9c25aedafd7
  • 812cd4b5e80bc4e83a2e01a6f3fb24346ecf57dcaf8ff6fc3e55a2a6b953da23
  • b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
  • 38274608d5a4b53ec22f8099f798ba46ce0ed41db65a33dfb3853f0dbf849f6f
  • c41cd461470ff3c936e225cea37e5190cb06e3cd70a3d76ca8e5d3aceead5493
  • 2293fe261d5c6f5f2a33004b11f068037677b7aa5a6f792031e31555f31f0d69
  • e817802f166662a7df0b144571354d74b10e34d120f91ae9d84ca3ba925241c6
  • 78684aea83b1a5c402a87ba0ce2e7ad5b0338462cc804e97369203ce53d29834
  • d634cde09d1aa1320a1d4c589d35d306f8350129faf225b2bca394128c2c4442

SHA-1

  • a229e40ceaa5d9f18d0e2fd9040caaa7330457f0
  • 7101c467e214e39cebb281e98e8009b3f64ec411
  • ea4e4925abf5d7d2e7488850efe8cecaaf8471ea
  • 65f95791234ff93bc3e35f1d35d7a6664872dc56
  • da46b9962a6c6cceef38c3e11b8b5bc9c1b536fa
  • 4bc411b19536c90a6ea0917d7d93f3f6560ee6f0
  • f4f790430556e36d418498cd2f3112d04dabf877
  • 73587f1f5d040541b230513d22d696513dbd4cf9
  • f90e309443dc760359e69102f366496a53c307d8
  • 51bf6ab0baa3a4c6f45be46011baa8ccd7ceaf8f

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.