DCRat

Not long ago, cybersecurity researchers at ANY.RUN found that hackers are selling DCRat subscriptions for $5 in Telegram groups.

Hackers sell Remote Access Trojan (RAT) subscriptions to various malicious actors to generate income. These subscriptions give buyers unauthorized access to compromised computer systems.

This allows them to control and monitor the infected devices remotely. The underground market for RAT subscriptions lets threat actors use compromised systems for a range of malicious activities.

ANY.RUN is a cloud-based environment for analyzing Windows and Linux malware samples. Malware analysts, SOC, and DFIR teams can safely observe threats, simulate various scenarios, and gain insights into malware behavior to improve their defenses.

ANY.RUN also allows researchers to understand malware behavior, collect IOCs, and easily map malicious actions to TTPs, all in the interactive sandbox.

The Threat Intelligence Lookup platform helps security researchers collect relevant threat data from ANY.RUN sandbox tasks.

Technical analysis

DCRat has been a powerful and active malware family since 2018. It grants full Windows backdoor access, collects sensitive data, captures screenshots, and steals Telegram, Steam, and Discord credentials.

Underestimating the complexity of this powerful malware could lead to serious security breaches and data loss.

Underground websites show that DCRat is becoming increasingly popular. Although it is cheap, it has many spying features, such as the ability to access social network accounts.

DCRat (aka Dark Crystal RAT) is a dangerous Remote Access Trojan (RAT) and information stealer. Its dual functionality, modular architecture, and low $5 price make it versatile and accessible.

This RAT can be customized for specific objectives, and its constantly mutating code helps threat actors evade signature-based detection.

Because of this versatility, it has been actively used by both novice and experienced threat actors.

Flow of Infection

Shown below is the payment page for DCRat, which was hosted on:-

Payment page

The team behind DCRat is quite careful about its OPSEC; to that end:-

  • They conduct all communication via Telegram.
  • They only accept crypto payments to burner wallets.
  • They use crystalpay[.]io to further anonymize transactions.

The DCRat loader is identified as an SFX file by tools like “Detect It Easy.” SFX (self-extracting) files are commonly used for software installation and carry embedded scripts that extract and run files without the user's knowledge.
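An SFX executable is an ordinary PE stub with an archive appended after the last section (the "overlay"), which is exactly the layout that tools like Detect It Easy flag. The following Python script, added here as an illustration and not taken from the article or from ANY.RUN, walks the PE headers to find where the overlay starts and checks whether it begins with a RAR, 7-Zip, or ZIP signature. The `build_sample_pe` helper constructs a minimal synthetic PE for offline testing; it is not a real DCRat sample, and a positive result is a triage hint (legitimate installers are SFX files too), not a verdict.

```python
import struct
from typing import Optional

# Archive signatures commonly found at the start of an SFX overlay.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR4 SFX",
    b"Rar!\x1a\x07\x01\x00": "RAR5 SFX",
    b"7z\xbc\xaf\x27\x1c": "7-Zip SFX",
    b"PK\x03\x04": "ZIP SFX",
}


def overlay_offset(data: bytes) -> Optional[int]:
    """Return the file offset where the PE overlay begins (end of the last raw
    section), or None if the data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * num_sections  # at least past the section headers
    for i in range(num_sections):
        off = sect_table + 40 * i
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header.
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def classify_sfx(data: bytes) -> Optional[str]:
    """Label the file as an SFX archive if its overlay starts with a known
    archive magic; return None for non-PE input or a PE without such overlay."""
    start = overlay_offset(data)
    if start is None or start >= len(data):
        return None
    overlay_head = data[start:start + 16]
    for magic, label in ARCHIVE_MAGICS.items():
        if overlay_head.startswith(magic):
            return label
    return None


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test input: a minimal, non-runnable PE with one section and
    the given bytes appended as overlay. Hypothetical, not a real sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, no optional header (parser does not need it).
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr, raw_data = 0x200, b"\x90" * 0x100
    section = b".text".ljust(8, b"\0")
    section += struct.pack("<IIII", len(raw_data), 0x1000, len(raw_data), raw_ptr)
    section += b"\0" * 16
    headers = (dos_header + b"PE\0\0" + coff_header + section).ljust(raw_ptr, b"\0")
    return headers + raw_data + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"Rar!\x1a\x07\x00" + b"\0" * 24)
    print("overlay at", hex(overlay_offset(sample)), "->", classify_sfx(sample))
```

Run it against a real file with `classify_sfx(open(path, "rb").read())`; the overlay offset is also where an unpacker would start carving the embedded archive for further analysis.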

Detect It Easy

The .NET app's obfuscation alters the source code to hide its logic, but tools like dnSpy help with analysis. Examining DCRat's “Upload” function in the decompiled source code reveals the C2 server address.

The decompiled .NET code has separate namespaces for security and communication functions. Namespace ns12 decrypts the malware configuration, while dgz handles decryption of C2 communication.

File


Subscription Model

Sales of DCRat take place through a Telegram group, where they are held regularly. In addition, it uses a subscription model with the following prices:-

  • 2 months: $5
  • 1 year: $19
  • Lifetime: $39

As for the price tags, there is nothing to complain about, since the prices are already cheap.

However, the price is reduced even further, and the developers behind this RAT deploy a Telegram bot to hand out DCRat “licenses.”

About ANY.RUN

ANY.RUN is an interactive cybersecurity service that enables professionals to analyze malware and understand its behavior in a safe, controlled environment. The service is dedicated to providing comprehensive analysis tools to combat digital threats.

Trusted by over 400,000 security experts, ANY.RUN empowers SOC and DFIR teams to investigate threats effectively through its cloud-based malware sandbox.

You can analyze a malware file's process, network, module, and registry activity with the ANY.RUN malware sandbox.

IOCs

  • DCRat SFX: 76de703cc14b6c07efe92f8f73f9b91e91dc0a48a0024cfdf72fca09cacb5157 
  • DCRat: 5fe993c74d2fa4eb065149591af56011855a0a8f5471dab498d9e0f6641c6851 
  • C2 domain: 019214cm[.]nyashland[.]top 
  • C2: hxxp://019214cm[.]nyashland[.]top/EternalLineLowgameDefaultsqlbaseasyncuniversal[.]php
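The indicators above are published defanged (`[.]`, `hxxp://`) so they cannot be clicked by accident; to use them for detection they must be refanged first. The following Python script, added here as an example and not part of the article, refangs the page's IOCs, looks up a file's SHA-256 against the listed hashes, and matches the C2 domain and URL against proxy log lines. The log lines are constructed for this example; the indicator values themselves are copied from the list above.

```python
import hashlib
import re
from typing import List, Tuple

# Indicators exactly as published in the article, in defanged form.
IOCS = {
    "sha256": {
        "76de703cc14b6c07efe92f8f73f9b91e91dc0a48a0024cfdf72fca09cacb5157",  # DCRat SFX
        "5fe993c74d2fa4eb065149591af56011855a0a8f5471dab498d9e0f6641c6851",  # DCRat
    },
    "domain": {"019214cm[.]nyashland[.]top"},
    "url": {
        "hxxp://019214cm[.]nyashland[.]top/"
        "EternalLineLowgameDefaultsqlbaseasyncuniversal[.]php"
    },
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_hash(digest: str) -> bool:
    """True if a SHA-256 digest (hex, any case) is one of the published hashes."""
    return digest.lower() in IOCS["sha256"]


def _boundary_pattern(indicator: str) -> re.Pattern:
    # Avoid matching inside a longer hostname/token (e.g. "xnyashland.top").
    return re.compile(r"(?<![\w.-])" + re.escape(indicator) + r"(?![\w-])")


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, defanged_indicator) for every hit.
    A URL hit also produces a domain hit, since the domain is part of the URL."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ioc_type in ("url", "domain"):
            for ioc in IOCS[ioc_type]:
                if _boundary_pattern(refang(ioc)).search(line):
                    hits.append((lineno, ioc_type, ioc))
    return hits


# Constructed proxy log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.12 GET http://019214cm.nyashland.top/"
    "EternalLineLowgameDefaultsqlbaseasyncuniversal.php 200",
    "2024-05-01T10:00:05Z 10.0.0.13 GET http://example.com/index.html 200",
    "2024-05-01T10:01:09Z 10.0.0.12 CONNECT 019214cm.nyashland.top:80 200",
    "2024-05-01T10:02:30Z 10.0.0.14 GET http://not-019214cm.nyashland.top/x 404",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s hit on %s" % hit)
    print("constructed bytes known?", is_known_hash(sha256_hex(b"constructed")))
```

The word-boundary regex matters in practice: plain substring matching would also flag hostnames that merely contain the C2 domain, as the fourth constructed line shows, and exact hash lookup is deliberate since a hash IOC only identifies that specific build.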