Rewterz Threat Alert – Raccoon Infostealer – Active IOCs

January 22, 2023

Rewterz Threat Alert – GCleaner Malware – Active IOCs

January 23, 2023

Rewterz Threat Alert – DarkCrystal RAT (DCRat) – Active IOCs

January 23, 2023

Severity

High

Analysis Summary

DCRat – a Russian backdoor, was initially introduced in 2018, but rebuilt and relaunched a year later. The DCRat backdoor appears to be the product of a single threat actor who goes online with the pseudonyms of “boldenis44,” “crystalcoder,” and Кодер (“Coder”).

DCRat is one of the cheapest commercial RATs. For a two-month membership, the price starts at 500 RUB (less than 5 GBP/US$6), and it periodically drops even cheaper during special offers. This is written in .NET and features a modular structure, allowing affiliates to create their own plugins using DCRat Studio, a dedicated integrated development environment (IDE).

The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three parts:

A stealer/client executable
The command-and-control (C2) endpoint/ interface is a single PHP page
An administrator tool

The malware is still in development, the author announces any news and updates through a dedicated Telegram channel with about 3k users updated with any news and changes.

Impact

Unauthorized Remote Access
Keylogging
Information Theft
Password Theft

Indicators of Compromise

MD5

142fc3f98e2b78474c392c72a6e4b826
2e6fcc3e0fec764cd998291edae41835
97fd39727f09d456c6e6e8a3fb9b4028
f763d6937405d921474f3996910dc816
fc938e39c9d9e09ef95d04b7529ff7cf

SHA-256

f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c
d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2
29b84cbec0c92620955afd16358fb786df50fdc6dc024399cc9d2f5d8f40f38a
278b30b6a9c6ffba21a71c5cad9f4b64d383b868e79098be97a5b92cb57e6667
c01b4811306e46eb5b8bd85e25a5d6c9fdf508983855278e2ad905bcbd4a052d

SHA-1

85e4bf6f82e3bc640652df5982a937fa1457e541
73e8e155eab7cf2512047c49a015c9f347af3186
f27399f10573bb39ebc472b7fdfa649e48494dfd
e81cd22b8e4a361c20c926d2aecdbe231274a656
c726cefba588cea3135ba7bb47228676d68ce51a

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Remcos RAT – Active IOCs

Multiple Dell BSAFE SSL-J Vulnerabilities

Multiple Microsoft Windows Vulnerabilities Exploit in the Wild

Threat Insights

About Us

Our Leadership

CSR

Connect with Us