DCRat | Threat Level: high | Type: RAT

Cryptographic Identifiers

SHA256dac6ceef5ed0906713c1f1b319ba7bf1e56a9aae6201c9f59bf97cbb94c787e0
MD5722139ba13e0f38263b049baaa4cc42f
File Typeexe
Size1137.1 KB
First Seen2026-01-19
File NameBloodlineStudiosBuilder.exe2
TagsDCRat, exe

Malware Family: DCRat

DCRat, modüler RAT'tır.

TypeRAT
Programming LanguageC#/.NET
Target PlatformWindows
C2 ProtocolHTTP
PurposePlugin tabanlı RAT
First Seen Year2019
AliasesDarkCrystal

Threat Indicators (IOC)

  • SHA256: dac6ceef5ed0906713c1f1b319ba7bf1e56a9aae6201c9f59bf97cbb94c787e0
  • MD5: 722139ba13e0f38263b049baaa4cc42f

System Cleanup Guide

  1. Disconnect the system from the network — unplug ethernet, disable Wi-Fi
  2. Terminate suspicious processes from Task Manager
  3. Run a full system scan with Malwarebytes or Kaspersky
  4. HKCU\Software\Microsoft\Windows\CurrentVersion\Run kayıtlarını kontrol edin
  5. Review newly created tasks in Task Scheduler
  6. Change all your account passwords from a clean device
  7. Gerekirse Windows'u yeniden yükleyin ve verilerinizi temiz bir yedeğe geri alın

YARA Rule Hints

rule DCRat_SHA256 {
    meta:
        description = "DCRat sample: dac6ceef5ed09067"
        threat_level = "high"
        first_seen = "2026-01-19"
    condition:
        hash.sha256(0, filesize) == "dac6ceef5ed0906713c1f1b319ba7bf1e56a9aae6201c9f59bf97cbb94c787e0"
}

DCRat — Malware Profile

DCRat Rusça RAT. sostener1.vbs VBScript dropper. PowerShell ExecutionPolicy Bypass. geutqmonpmjthuux.ru DGA C2.

Malware Type
RAT
Programming Language
C#/.NET
C2 Protocol
HTTP
Target Systems
Windows
Also Known As (AKA)
DarkCrystal

Technical Details

.NET C#, AES-128-CBC sifreleme, plugin mimarisi (DLLler), TCP varsayilan port 5552, SQLite lokal depolama, Anti-VM/Sandbox (Process check, Registry), Loader, Stealer, RAT modulleri ayri

Capabilities & Behavior

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC List (2 indicators)

IOC — DCRat
# SHA256 dac6ceef5ed0906713c1f1b319ba7bf1e56a9aae6201c9f59bf97cbb94c787e0 # MD5 722139ba13e0f38263b049baaa4cc42f
TypeValueNote
sha256 dac6ceef5ed0906713c1f1b319ba7bf1e56a9aae6201c9f59bf97cbb94c787e0
md5 722139ba13e0f38263b049baaa4cc42f

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
microsoft.com domain — TCP active —
digicert.com domain — TCP active —
crypto.io domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
dcratratmalwarehighsha256analizzenginleştirilmiş