KeyLogger from RAT. (Reuploaded)

Due for disapproved I’ve move remove some of information. Thanks

The malware is keylogger and is assembly that is good so I can use dnspy. The code is obfuscated easily and I can will deobfuscate for you.

Here is Information:
URL: 194.226.139.141
FileName: fontWinRuntimecrtNetrefruntimedll.exe
Source Code: -
Obfuscation → Rename namespaces, to random strings. Stil code is readable.
Obfuscator Name: .NET Reactor

Connections Made: 78.24.217.56 (WHO.IS | VirusTotal)
http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php

VirusTotal → Click Here
WHO.IS (Domain) → Click Here
RAT Name → DcRAT (Proof: Screenshot by Lightshot) → Full Name: Dark Crystal RAT.
IP Contry: RUSSA (RU)
IP City: Moscow (Russia)

• The IP (194.226.139.141) has similar files whoose also are stubs from RATS.

Pictures:

image1215×575 36.1 KB

image1176×670 32.4 KB

New Information:

New IP: 91.203.192.227 (VirusTotal).
A file called DCRATLoader were found in %local%. if need I will send alert message.

DCRATLoader sounds like Dark Comet with the DC. Nice expose.

Their Website were down by FBI.
Thanks to everyone who helped about destroy these russian hackers.

image1103×505 80 KB