Researchers from ANY.RUN have reported a new wave of DCRat, a malware family known for its wide array of malicious functions and sold through subscriptions that start at just $5.
The detailed report covers the distribution, dynamic analysis, and static analysis of DCRat, also known as Dark Crystal RAT, which is both a Remote Access Trojan (RAT) and an information stealer.
DCRat’s modular architecture allows for customization and mutation to bypass signature-based detection, making it a formidable tool for cybercriminals.
The malware’s low price point has made it accessible to many threat actors, from novices to organized groups.
You can analyze DCRat's file, network, module, and registry activity with the ANY.RUN malware sandbox.
ANY.RUN is a cloud-based environment for analyzing Windows and Linux malware samples. Malware analysts and SOC and DFIR teams can safely examine threats, simulate different scenarios, and gain insights into malware behavior to improve their defenses.
ANY.RUN also allows researchers to understand malware behavior, collect IOCs, and easily map malicious actions to TTPs—all in our interactive sandbox.
The Threat Intelligence Lookup platform helps security researchers find relevant threat data from ANY.RUN sandbox tasks.
Infection Flow
ANY.RUN’s analysis reveals that DCRat is sold via a Telegram group, operating on a subscription model with prices ranging from $5 for two months to $39 for a lifetime subscription.
- All communication with buyers goes through Telegram.
- Only cryptocurrency payments to burner wallets are accepted.
- Payments are routed through crystalpay[.]io to further anonymize transactions.
The ANY.RUN Malware Trends Tracker ranks DCRat as the ninth most prevalent malware family as of January 18, 2024, indicating its rising trajectory.
The malware is distributed through a Telegram bot, which also provides support and facilitates transactions through the crystalpay[.]io payment platform, demonstrating the operators' attention to operational security (OPSEC).
More than 300,000 analysts worldwide use ANY.RUN, a malware analysis sandbox. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior.
DCRat Malware Dynamic Analysis
Surface analysis identified the DCRat sample as a password-protected self-extracting archive (SFX), a packaging technique often used to evade detection, since content-scanning engines cannot unpack the encrypted payload.
Dynamic analysis in ANY.RUN’s controlled environment revealed the malware’s behavior, including the execution of a digitally signed executable file disguised as a printer driver and the dropping of multiple executables to ensure persistence.
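One way to reproduce the surface-analysis step above on your own samples, as an added example that is not part of ANY.RUN's report or tooling: an SFX stub is a normal PE executable with the archive appended after the last section, so the archive shows up as an "overlay" that the PE headers do not account for. The script below parses the section table to find where section data ends, then checks whether the bytes that follow start with a known archive signature. The sample PE it builds is constructed inline and is not runnable code; the choice of RAR, 7-Zip, and ZIP signatures is a generic assumption, since the page does not say which archiver DCRat's stub used.

```python
"""Find an appended archive (SFX payload) in the overlay of a PE file."""
import struct

# Archive signatures commonly found at the start of an SFX overlay.
# Assumption: generic list; the page does not name DCRat's archiver.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}


def overlay_offset(data: bytes) -> int:
    """Return the file offset where PE section data ends (overlay start)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def classify_overlay(data: bytes) -> dict:
    """Report overlay size and the archive type, if its start is recognised."""
    start = overlay_offset(data)
    overlay = data[start:]
    kind = None
    for magic, name in ARCHIVE_MAGICS.items():
        if overlay.startswith(magic):
            kind = name
            break
    return {"overlay_offset": start, "overlay_size": len(overlay), "archive": kind}


def build_sample(payload: bytes) -> bytes:
    """Construct a minimal, non-executable PE32 layout with `payload` appended.

    This is test scaffolding only; the headers are just enough for the
    parser above, not a valid program.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)  # PE32 magic, rest zero
    raw_ptr, raw_size = 0x200, 0x200
    section = (b".text\x00\x00\x00"
               + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
               + b"\x00" * 16)
    header = (dos + b"PE\x00\x00" + coff + opt + section).ljust(raw_ptr, b"\x00")
    return header + b"\x90" * raw_size + payload


if __name__ == "__main__":
    sfx = build_sample(b"Rar!\x1a\x07\x01\x00" + b"<encrypted archive>")
    print(classify_overlay(sfx))
    print(classify_overlay(build_sample(b"")))
```

An overlay by itself is not suspicious: Authenticode signatures are also stored past the last section, so a digitally signed binary like the fake printer driver mentioned above will have one too. What matters is what the overlay starts with and how large it is relative to the code sections.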
Static Analysis
Static analysis provided insights into the malware’s functions, Indicators of Compromise (IOCs), and configuration details.
The analysis utilized tools such as Detect It Easy (DIE) to identify the packer and compiler, and .NET decompilers such as dnSpy or ILSpy to recover readable code and follow the malware's operational logic.
The ANY.RUN team also recommends using Flare FLOSS for extracting strings from binaries to identify hidden information.
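To show why a dedicated string extractor matters for a .NET sample, here is an added example that is not part of the report or of FLOSS: .NET stores user strings as UTF-16LE, which a plain ASCII `strings` pass misses entirely, so the script below pulls both ASCII and UTF-16LE runs and then filters them for URL- and IP-shaped values that are candidate IOCs. The embedded byte blob is constructed for the example, with a TEST-NET address rather than any real DCRat infrastructure; FLOSS goes further than this (stack strings, decoded strings), which this script does not attempt.

```python
"""Extract ASCII and UTF-16LE strings from a binary and flag IOC-like values."""
import re

# Assumed minimum length; short runs are mostly noise from code bytes.
MIN_LEN = 6

# URL, or IPv4 with optional port. Deliberately narrow to keep noise down.
IOC_RE = re.compile(
    r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for every printable run found."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE ASCII text looks like "h\x00t\x00t\x00p\x00..." in the file.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def find_iocs(strings):
    """Filter extracted strings down to URL/IP candidates."""
    iocs = []
    for _offset, _enc, text in strings:
        iocs.extend(IOC_RE.findall(text))
    return iocs


# Constructed sample: junk bytes, an ASCII mutex-like name, and a UTF-16LE
# URL. 203.0.113.0/24 is a documentation range, not a real C2.
SAMPLE = (
    b"\x00\x01\x02" + b"MZ" + b"\xff" * 5
    + b"Mutex_Example_123" + b"\x00\x00"
    + "http://203.0.113.10:8080/gate".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80" + b"abc" + b"\x00" * 4
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, enc, text in found:
        print(f"0x{offset:04x} {enc:8s} {text}")
    print("IOC candidates:", find_iocs(found))
```

Run the extractor over an unpacked DCRat module (not the SFX stub, whose payload is encrypted) and the UTF-16LE pass is where the C2 URL, mutex names, and Telegram or Discord paths tend to appear.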
Researchers also noted that the malware steals or captures the following data:
- Screen Capture
- Webcam
- Microphone
- Steam-specific data
- Telegram-specific data
- Discord-specific data
- .NET-specific data
The analysis concludes with the mapping of DCRat’s tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, aiding SOC analysts in understanding the threat quickly. ANY.RUN’s service is invaluable for rapid threat identification and in-depth malware research.
ANY.RUN encourages cybersecurity professionals to access the full analysis on their platform to better understand DCRat’s capabilities and strengthen their cybersecurity posture.
About ANY.RUN
ANY.RUN is an interactive cybersecurity service that enables professionals to analyze malware and understand its behavior in a safe, controlled environment. The service is dedicated to providing comprehensive analysis tools to combat digital threats.
Trusted by over 400,000 security specialists, ANY.RUN empowers SOC and DFIR teams to investigate threats efficiently through its cloud-based malware sandbox.