
Rewterz Threat Alert – DarkCrystal RAT (DCRat) – Active IOCs

Severity

High

Analysis Summary

DCRat, a Russian backdoor, was initially introduced in 2018 but was rebuilt and relaunched a year later. It appears to be the product of a single threat actor who operates online under the pseudonyms “boldenis44,” “crystalcoder,” and Кодер (“Coder”).

DCRat is one of the cheapest commercial RATs. A two-month subscription starts at 500 RUB (less than 5 GBP/US$6), and the price drops further during periodic special offers. The malware is written in .NET and has a modular structure, allowing affiliates to create their own plugins using DCRat Studio, a dedicated integrated development environment (IDE).

The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.

DCRat consists of three components:

  • A stealer/client executable
  • A command-and-control (C2) endpoint/interface, which is a single PHP page
  • An administrator tool

The malware is still under active development; the author announces news and updates through a dedicated Telegram channel with about 3,000 subscribers.

Impact

  • Unauthorized Remote Access
  • Keylogging
  • Information Theft
  • Password Theft

Indicators of Compromise

MD5

  • 142fc3f98e2b78474c392c72a6e4b826
  • 2e6fcc3e0fec764cd998291edae41835
  • 97fd39727f09d456c6e6e8a3fb9b4028
  • f763d6937405d921474f3996910dc816
  • fc938e39c9d9e09ef95d04b7529ff7cf

SHA-256

  • f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c
  • d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2
  • 29b84cbec0c92620955afd16358fb786df50fdc6dc024399cc9d2f5d8f40f38a
  • 278b30b6a9c6ffba21a71c5cad9f4b64d383b868e79098be97a5b92cb57e6667
  • c01b4811306e46eb5b8bd85e25a5d6c9fdf508983855278e2ad905bcbd4a052d

SHA-1

  • 85e4bf6f82e3bc640652df5982a937fa1457e541
  • 73e8e155eab7cf2512047c49a015c9f347af3186
  • f27399f10573bb39ebc472b7fdfa649e48494dfd
  • e81cd22b8e4a361c20c926d2aecdbe231274a656
  • c726cefba588cea3135ba7bb47228676d68ce51a

Remediation

  • Block all listed threat indicators at your respective security controls.
  • Search for these IOCs in your environment.