As part of this research, an analysis of malicious software identified as DC Rat was conducted. The initial sample was obtained from the malware repository MalwareBazaar (abuse.ch platform).
SHA256 of the original sample:
1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959
The purpose of this analysis was to determine:
- the functional capabilities of the sample,
- obfuscation mechanisms,
- interaction methods with the command-and-control (C2) infrastructure,
- indicators of compromise (IOCs).
After extracting the archive, an executable .exe file was obtained.
The utility Detect It Easy was used for initial identification.
Findings:
- The file is a .NET assembly.
- Code obfuscation is present.
- Anti-analysis protection mechanisms are used.
Screenshot 1 — Analysis result in Detect It Easy
The file was first processed using the deobfuscator de4dot.
Result:
- The tool partially removed protection.
- The number of protected constructs was reduced.
- Full deobfuscation was not achieved.
Screenshot 2 — Result of de4dot's work
For deeper code cleaning, NETReactorSlayer (a deobfuscator and unpacker targeting Eziriz .NET Reactor protection) was used.
After processing, the file became significantly more readable, allowing detailed analysis of the malware logic.
Screenshot 3 — Result of NETReactorSlayer deobfuscation
Behavioral analysis was performed using Process Hacker.
After execution, the following actions were observed:
- Creation of a temporary .bat file.
- Execution of the .bat file.
- Hidden execution of the main executable.
- Self-deletion of the .bat file.
Screenshot 4 — Creating and running a .bat file
In the directory:
C:\Users\user1\
a file named firefox.exe was created along with additional supporting files.
Further analysis showed that firefox.exe is the same malicious sample, disguised as a legitimate Firefox browser executable.
This indicates an attempt at masquerading and system persistence.
Screenshot 5 — Creating firefox.exe
Screenshot 6 — Firefox.exe analysis in Detect It Easy
The deobfuscated file was opened in dnSpy for further investigation.
Screenshot 7 — Opening a file in dnSpy
A string with the prefix:
H4sIA
was discovered in the code.
This prefix is a sign of encoding rather than encryption: H4sI is the Base64 representation of the gzip magic bytes 1F 8B 08, so the string is:
- a gzip-compressed payload,
- wrapped in Base64 encoding
(the trailing A encodes a zero flags byte in the gzip header).
After Base64 decoding and gzip decompression, a configuration file was obtained.
Screenshot 8 — Encoded string in the code
Screenshot 9 — Decoded configuration file
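To make the decoding step concrete, here is an added Python example (not code from this report and not DCRat's own code) that scans decompiled text for Base64 strings beginning with H4sI, verifies that the decoded bytes carry the gzip magic, and decompresses only those that are valid gzip streams, skipping decoys that merely share the prefix. The configuration blob, its JSON field names and the surrounding C# lines are constructed stand-ins and are not the real sample's configuration or format.

```python
import base64
import binascii
import gzip
import json
import re
import zlib

# "H4sI" is the Base64 encoding of the gzip magic bytes 1F 8B 08; the "A" that
# follows it in the sample means the gzip flags byte starts with zero bits.
GZIP_B64_PREFIX = "H4sI"
CANDIDATE_RE = re.compile(r"H4sI[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_gzip(blob: str) -> bytes:
    """Base64-decode and gunzip one candidate string; raises on anything else."""
    raw = base64.b64decode(blob, validate=True)
    if raw[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip stream (compression method 8)")
    return gzip.decompress(raw)


def find_embedded_configs(text: str) -> list:
    """Return the decompressed bytes of every valid H4sI... string in text.

    Strings that start with the prefix but do not decode as gzip are skipped.
    """
    found = []
    for match in CANDIDATE_RE.finditer(text):
        try:
            found.append(decode_b64_gzip(match.group(0)))
        except (binascii.Error, ValueError, OSError, EOFError, zlib.error):
            continue
    return found


def parse_config(data: bytes) -> dict:
    """Interpret a decoded blob as JSON (assumption: the config is JSON text)."""
    return json.loads(data.decode("utf-8"))


# --- Constructed stand-in data (not the real sample's configuration) ---------
SAMPLE_CONFIG = {
    "stealer": {"passwords": True, "cookies": True,
                "telegram": True, "steam": True, "discord": True},
    "sysinfo": True, "ipinfo": True, "screen": True, "webcam": True, "mic": True,
}
SAMPLE_BLOB = base64.b64encode(
    gzip.compress(json.dumps(SAMPLE_CONFIG).encode("utf-8"))
).decode("ascii")

# Constructed snippet mimicking a decompiled C# class: one real blob and one
# decoy that has the prefix but is not a valid gzip stream.
DECOMPILED_SNIPPET = (
    'public static string Config = "' + SAMPLE_BLOB + '";\n'
    'public static string Decoy = "H4sIAAAAAAAAAAAAAAAAAAAAAAAAAAAA";\n'
)

if __name__ == "__main__":
    assert SAMPLE_BLOB.startswith(GZIP_B64_PREFIX + "A")
    for cfg in find_embedded_configs(DECOMPILED_SNIPPET):
        print(json.dumps(parse_config(cfg), indent=2))
```

Checking the decoded bytes for 1F 8B 08 before decompressing matters in practice: a decompiled dump may contain many Base64 strings, and only those whose first three bytes are the gzip magic are worth feeding to the decompressor.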
According to the configuration, the malware collects:
- saved passwords;
- cookies;
- personal data from accounts:
- Telegram;
- Steam;
- Discord;
- system information;
- IP address information;
- screen data;
- microphone and webcam information.
The following URL was identified in the code:
https://ipinfo.io/
The malware uses this service to retrieve information about the victim’s external IP address.
Screenshot 10 — Calling ipinfo.io
During analysis, another encrypted string was identified.
After decryption, the following C2 address was obtained:
http://cc75590[.]tw1[.]ru/@zd3bk5Wa3RHb1FmZlR0X
This HTTP endpoint is used to:
- transmit collected data;
- receive commands from the attacker.
Screenshot 11 — C2 address in the code
Screenshot 12 — decrypted C2 address

The analysis revealed the following modules:
- System information collection module.
- Credential stealing module (infostealer).
- C2 communication module.
- Spy features (peripheral device access).
- Masquerading and persistence mechanisms.
Screenshot 13 — Infostealer functions

Screenshot 14 — Function for interacting with the C2 server
Screenshots 15, 16 — Masquerading and persistence mechanisms

The analyzed sample is a multifunctional malicious tool combining:
- remote administration capabilities,
- credential theft,
- system and network data collection,
- remote command execution.
The use of .NET obfuscation, string encryption, and masquerading techniques demonstrates a deliberate effort to hinder detection and analysis.
This malware poses a significant threat to both individual users and corporate environments.
Original sample:
SHA256: 1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959
Deobfuscated sample:
SHA256: C831FBE6A18373B1040C6B46963C8986BAD1C1C0D83BE69B9B0C01E4C6692038
Temporary .bat file:
SHA256: F98FC1CA4E49DBBABBCB282D536960C2085D070069531113113BFE8F1D682C91
Mutex:
DCR_MUTEX-7zgCpdjoYRHPfS1GclpW
C2 URL:
http://cc75590[.]tw1[.]ru/@zd3bk5Wa3RHb1FmZlR0X
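As an added example of putting these indicators to use (this is not code from the report or from the analysed sample), the Python script below sweeps a directory tree, hashes every file, and flags anything that either matches one of the SHA256 values above or borrows the firefox.exe name while sitting outside the usual Firefox install directories, which is exactly the masquerading pattern observed under C:\Users\user1\. The directory tree it builds for the demonstration, the fake firefox.exe contents and the list of expected install roots are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 IOCs from this report (lower-cased so lookups are case-insensitive).
IOC_SHA256 = {
    "1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959": "DCRat original sample",
    "c831fbe6a18373b1040c6b46963c8986bad1c1c0d83be69b9b0c01e4c6692038": "DCRat deobfuscated sample",
    "f98fc1ca4e49dbbabbcb282d536960c2085d070069531113113bfe8f1d682c91": "DCRat temporary .bat dropper",
}

# The sample drops itself as firefox.exe under a user profile; a genuine Firefox
# binary lives under Program Files, so that name outside those roots is suspect.
MASQUERADE_NAMES = {"firefox.exe"}
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumption


def sha256_file(path) -> str:
    """Stream a file through SHA-256 and return the lower-case hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_masquerading(path) -> bool:
    """True when a file borrows a browser name but sits outside its install dirs."""
    p = str(path).replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    return name in MASQUERADE_NAMES and not p.startswith(EXPECTED_ROOTS)


def sweep(root, ioc_hashes=IOC_SHA256) -> list:
    """Walk root; return (path, sha256, [reasons]) for every suspicious file."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        digest = sha256_file(path)
        if digest in ioc_hashes:
            reasons.append("hash match: " + ioc_hashes[digest])
        if is_masquerading(path):
            reasons.append("browser name outside expected install directory")
        if reasons:
            findings.append((str(path), digest, reasons))
    return findings


def demo() -> list:
    """Sweep a constructed tree: a fake firefox.exe in a user profile plus a benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Users" / "user1"
        profile.mkdir(parents=True)
        fake = profile / "firefox.exe"
        fake.write_bytes(b"MZ" + b"\x90" * 64)        # constructed stand-in, not the real sample
        (profile / "readme.txt").write_text("benign file")
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(fake)] = "constructed test hash"  # exercise the hash path as well
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for path, digest, reasons in demo():
        print(path, digest, "; ".join(reasons))
```

The name-versus-location heuristic is deliberately kept separate from the hash match: a rebuilt or repacked variant will not share any of the SHA256 values above, but it will still need to drop a browser-named binary somewhere a browser would never be installed.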