IBM X-Force Threat Analysis: DCRat presence growing in Latin America
In early May 2025, IBM X-Force observed Hive0131 conducting email campaigns targeting users in Colombia with electronic notifications of criminal proceedings, purporting to be from The Judiciary of Colombia. Hive0131 is a financially motivated group likely originating from South America that routinely conducts campaigns largely in Latin America (LATAM) to deliver a wide array of commodity payloads. The current campaigns imitate official correspondence and contain either an embedded link or a PDF lure with an embedded link. Clicking on the embedded link will initiate the infection chain to execute the banking trojan "DCRat" in memory.
DCRat is operated as a Malware-as-a-Service (MaaS), first appearing in at least 2018, and heavily advertised on Russian cyber crime forums, purchasable for around USD 7 for a two-month subscription. DCRat's presence is widespread and has become increasingly popular in LATAM since at least 2024. Over the summer of 2024, X-Force observed several campaigns heavily targeting entities in Colombia, all imitating a LATAM company specializing in electronic document ecosystems in Mexico and Colombia. However, given the differences in infection chain and the delivery of DCRat, X-Force assesses that the 2024 and current campaigns were conducted by different actors. The campaigns observed in 2024 relied heavily on password-protected RAR files containing NSIS to execute a GuLoader downloader, whereas these recent campaigns rely on an obfuscated .NET loader we've named VMDetectLoader.
DCRat capabilities
- Bypasses AMSI
- Detects analysis environments
- Kills blocklisted processes
- Obtains persistence through a scheduled task or registry key
- Listens for commands from a command and control (C2) server
DCRat comes with plugins that are capable of the following tasks, although threat actors can create custom plugins in order to accomplish additional tasks:
- Recording a victim through the computer's microphone or camera
- Uploading and downloading files
- Executing commands
- Obtaining system information
- Encrypting and decrypting files
- Editing registry keys
- Logging keystrokes and clipboard data
- Manipulating the filesystem
MaaS
Strengthen your security intelligence
Stay ahead of threats with news and insights on security, AI and more, weekly in the Think Newsletter.
In early May 2025, X-Force observed Hive0131 email campaigns imitating The Judiciary of Colombia (Rama Judicial de Colombia), purporting to be from the Civil Circuit of Bogota, Colombia, to send out electronic notifications of criminal proceedings. The observed campaigns either contain a PDF lure with a link to a TinyURL or contain an embedded link to a Google Docs location.
Infection Chain Overview - PDF with TinyURL
For the emails containing a PDF lure leading to a tinyurl, the victim is redirected to a ZIP archive named 1Juzgado 08 Civil Circuito de Bogotá Notificacion electronica Orden de Embargo.Uue. The ZIP archive contains benign files as well as a malicious JavaScript file named 1Juzgado 08 Civil Circuito de Bogotá Notificacion electronica Orden de Embargo.js. The JavaScript file downloads a JavaScript payload from a paste[.]ee site and executes it. This payload then executes a PowerShell command that downloads a JPG from hxxps://archive[.]org/download/new_ABBAS/new_ABBAS.jpg with a base64-encoded loader appended to the end of the file. Once executed, the loader downloads and executes DCRat in memory.
The loader is given the name VMDetectLoader due to its ability to determine if it's running in a sandbox environment. Analysis indicates that the loader is based on the open-source project https://github.com/robsonfelix/VMDetector.
Infection chain overview - Embedded Google Docs link
This infection chain is initiated with phishing emails that contain a link to a Google Docs download of a password-protected ZIP archive named CUI 158616000129-2025-10047_122011111777.zip, the password of which is in the email and is 3004. The archive contains a batch file downloader, CUI 158616000129-2025-10047_122011111777.bat, that downloads and executes an obfuscated VBScript (VBS) component from
The final payload is then downloaded by VMDetectLoader via a paste[.]ee URL passed to it by the PowerShell script.
VMDetectLoader
VMDetectLoader is an obfuscated .NET loader (Microsoft.Win32.TaskScheduler.dll) which can be found on VirusTotal at https://www.virustotal.com/gui/file/0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7. Analysis of the loader's metadata indicates that the code is based on the open-source project https://github.com/robsonfelix/VMDetector.
Assembly Attributes:
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
DebuggableAttribute.DebuggingModes.DisableOptimizations |
DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
[assembly: AssemblyTitle("VMDetector")]
[assembly: AssemblyCompany("Robson Felix")]
[assembly: AssemblyProduct("VMDetector")]
[assembly: AssemblyCopyright("Copyright © Robson Felix 2017")]
[assembly: AssemblyTrademark("")]
[assembly: TargetFramework(".NETFramework,Version=v4.5", FrameworkDisplayName = "")]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification = true)]
Before loading the payload, the loader detects virtual machines, printing a list of host attributes to the console if a VM is detected. For example:
================
Availability = 3
Caption = Motherboard
ConfigManagerErrorCode =
ConfigManagerUserConfig =
CreationClassName = Win32_MotherBoardDevice
Description = Motherboard
DeviceID = Motherboard
ErrorCleared =
ErrorDescription =
InstallDate =
LastErrorCode =
Name = Motherboard
PNPDeviceID =
PowerManagementCapabilities =
PowerManagementSupported =
PrimaryBusType = PCI
RevisionNumber =
SecondaryBusType = ISA
Status = OK
StatusInfo =
SystemCreationClassName = Win32_ComputerSystem
SystemName = DESKTOP-LettersNumbers
--------------------------------------------------------------
Asserting ?
Detected as virtual machine given key computer information.
Detected as virtual machine given bios information.
Detected as virtual machine given hard disk information.
Detected as virtual machine given PnP devices information.
Detected as virtual machine given Windows services information.
Functionality
VMDetectLoader is executed via its
@($storeman,'','','','MSBuild','','','','','C:\Users\Public\Downloads','rhabdo
'rhabdosteus','js','','','bimetallism','1',''));
Argument | Description |
$storeman | Reversed Pastee URL from which a base64-encoded payload is downloaded. |
MSBuilld | Target injection process |
C:\Users\Public\Downloads | Path used in creating a scheduled task: C:\Users\Public\Downloads\rhabdosteus.js |
1 | Flag that indicates process checks |
bimetallism | Scheduled task name |
During execution, VMDetectLoader, XOR decrypts notable strings as needed from the .NET resource "hIXS".
Sample decrypted strings
Microsoft Virtual PC
{{ A = {0}, B = {1} }}
--------------------------------------------------------------
Microsoft Hyper-V
qemu
vbox
VirtualBox
BiosCharacteristics
{{ A = {0}, B = {1}, C = {2} }}
SYSTEM\CurrentControlSet\Services\
Caption
{{ A = {0}, B = {1}, C = {2}, D = {3}, E = {4}, F = {5}, G = {6}, H = {7}, I =
{8} }}
Win32_ComputerSystem
OEMStringArray
Win32_BIOS
Win32_MotherboardDevice
Win32_PnPEntity
Win32_DiskDrive
MOTHERBOARD INFO
================
BIOS INFO
=========
COMPUTER INFO
=============
DEVICES INFO
============
HARD DRIVES INFO
WINDOWS SERVICES
virtual
ImagePath
name
.exe
Name
Manufacturer
Model
Description
Detected as virtual machine given PnP devices information.
Detected as virtual machine given processes information.
Detected as virtual machine given Windows services information.
Persistence
If configured to do so, a scheduled task is created to execute the following PowerShell command which downloads and executes a JavaScript payload:
WebRequest -Uri '' -OutFile 'C:\Users\Public\Downloads\rhabdosteus.js'; Start-
Process 'C:\Users\Public\Downloads\rhabdosteus.js'"
Another task may be created, if configured, to execute the JavaScript payload using the following command:
The loader may also create a Registry run key to execute the payload:
Process injection
VMDetectLoader has the ability to use the process hollowing injection technique to load a payload into varying target process instances. For example, for the analyzed campaign, C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (32-bit) or C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (64-bit) is the target process. The function responsible for process injection is named HackForums.gigajew.x64.Load() for 64-bit samples and dnlib.IO.Tools.Ande() for 32-bit samples.
Process hollowing injection process:
- Create a suspended process using CreateProcess() with the dwCreationFlags set to CREATE_SUSPENDED (4).
- Unmap memory in the target process using ZwUnmapViewOfSection().
- Allocate new memory in the target process using VirtualAllocEx().
- Write the payload to the newly allocated memory using WriteProcessMemory().
- Update the entry point for the process using GetThreadContext() and SetThreadContex().
- Execute ResumeThread() to execute the code.
DCRat
If VMDetectLoader determines that it's running in a safe environment, the final payload is loaded via process hollowing. In this instance, the final payload is DCRat with the following configuration data.
Field Value
------------ ----------------------------------------------------------------
Parser acce:DcRat
File Path
Description DcRat Implant (qwqdanchun)
Architecture x86
MD5 eeed02e7ebbfe382b3d3af40fffb9ceb
SHA1 f2f9b1205bfcccb738b03531a8bce39478443463
SHA256 1603c606d62e7794da09c51ca7f321bb5550449165b4fe81153020021cbce140
Compile Time 2021-05-05T21:11:39+00:00
---- Encryption Key ----
Tags Key
Algorithm Mode
------------- ---------------------------------------------------------------------------------------------------- ----------- ------
configuration
0x8cbd5d207b2b4ab52e36e1f749dac6c91bc7993ce3f926bc51f200db2c2cc3ab
AES CBC
configuration
0xc801bfee49bb3da4722a6c6f67d6bd52e4cc5b6e00f6655c80f1d0b7e823341b229b274527da
ca070bf4659624c77d2819 HMAC-SHA256
0f2f5c75e985d9a1d59f72086b8811
---- Interval ----
Value
-------
1
---- Mutex ----
Value
---------------------
DcRatMutex_qwqdanchun
---- RSA Public Key ----
Tags Value
---------------- -------------------------------------------------
x509_certificate Modulus (n):
81:cf:a3:d5:04:94:07:91:c3:77:12:18:5b:ae:d3:
8b:66:ba:dd:aa:55:39:a2:f4:9a:e0:8b:f1:aa:4b:
49:e1:5e:67:69:ed:d1:e2:1d:ab:6b:f8:ef:0a:CB:
a9:05:6d:1c:37:39:de:2a:a2:b3:c4:e3:cb:be:56:
53:c7:bb:01:8c:59:20:c7:5a:fb:0d:ba:f8:ac:aa:
eb:29:bc:ef:9b:2b:03:53:e0:d8:5a:db:a9:56:5f:
e1:84:c8:4e:91:69:82:4d:e1:d3:b7:42:e2:f4:07:
14:fa:c1:c7:7a:83:6d:99:26:5f:f4:ba:e8:05:1a:
74:9b:24:49:b4:49:1b:4d
Public Exponent (e):
65537 (0x10001)
---- Socket ----
Tags Address Port Network Protocol
------ ------------------ ------ ------------------
c2 feb18.freeddns.org 8848 TCP
---- Version ----
Value
-------
1.0.7
Key Value
------------------------------ ----------------------------------------------------------------------------------------------------
BSOD False
group ::: 30 :::
AntiProcess False
Anti False
self_installation_flag False
x509_certificate_serial_number
1073276135051967865277505007812279690413261813057
server_signature
b"\x1a\xebHiD\x1d\xa5\x04\xa4\xce\xb4\xd8=9\x08d\xfa\xe2\xdeT\x14T\xdbX\x00\x1
x12<}\x7f\x91E7*r%f\xcei
\xde\x9d\xd9\x93\x08\xce\xc9\x8c\x1c\x98\x9e_O@j\xc0\xcb\x9a\x00)_\x05\x15M\xe
xe2\x9eg\x05a0p-\xac\x
11\xdd\xac\x7fa\x9e\xbc\x96\xc6F\xc6\xd426\x82\x16\x1d\x8c0\x95N\x0c\x19\x10\x
xb24\xa8\x9aRW'\x10E\
xb3\xc3\xb5\x8d\x04-
-\xdb#\xc7\x9fW\x0c\x93\x91\x004\x16vq\xb5U|\xa8r"
server_signature_valid True
---- Logs ----
[+] File Client.exe identified as DcRat Implant (qwqdanchun).
[+] Starting parser DcRat Implant (qwqdanchun) on sample Client.exe. Expected
results include c2 socket addresses, a version, a mutex, aes-cbc decryption
parameters, an SSL certificate and server signature, an interval, varying
flags, and possibly a filepath and a group.
[-] Cannot update settings field 0400000f.
[+] A dead-drop resolver URL is not set in the configuration.
[+] Completed parsing using DcRat Implant (qwqdanchun) for sample Client.exe.
----- File Tree -----
<Client.exe (eeed02e7ebbfe382b3d3af40fffb9ceb) : DcRat Implant (qwqdanchun)>
X-Force tracks several groups operating in the Latin American threat landscape that conduct email campaigns delivering MaaS for the purpose of financial gain. Among the tracked groups are Hive0148 and Hive0149, which focus on delivering the Grandoriero Banking Trojan, Hive0153 delivering Adwind and SambaSpy malware, and Hive0131. Although Hive0131 typically focuses on operations with the delivery of malware such as QuasarRAT and NjRAT, X-Force has observed an increase in campaigns involving DCRat. With the steady and ongoing observances of banking malware delivered to users within LATAM, IBM X-Force assesses that Latin America will continue to face targeting from threat actors seeking to deploy banking trojans via phishing campaigns in attempts to obtain user credentials and other sensitive information.
Entities in LATAM are encouraged to exercise caution with emails containing attachments, links, or that prompt file downloads. In addition, entities are advised to perform the following:
- Exercise caution with emails containing links or download prompts
- Monitor for host-based evidence of process injection, rogue process creation, scheduled tasks creation, and registry modifications
- Install, update and configure endpoint security software
- Monitor endpoint rules
- Hunt for the execution policy bypass
Indicator | Indicator Type | Context |
4ce1d456fa8831733ac01c4a2a32044b6581664d3 | SHA256 | Carrier File |
6a632d8356f42694adb21c064aa9e8710b65addd | SHA256 | ZIP Archive |
1603c606d62e7794da09c51ca7f321bb555044916 | SHA256 | DCRat |
ceb88c09069b5ddc8ca525b7f2e26c4852465bc0 | SHA256 | JS |
0df13fd42fb4a4374981474ea87895a3830eddcc7f3 | SHA256 | Obfuscated .NET Loader |
db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb8 | SHA256 | ZIP Archive |
3c95678d140825b56e04298ce6238ce22b34611d25 | SHA256 | PS Script |
7c3fbea63b7cdf013ef26831bb1850c80f4bfad0103328 | SHA256 | PS Script |
b16588e0e2c6a0c8ff080ded57abe8159008d040ae | SHA256 | Batch Script Downloader |
hxxps://tinyurl[.]com/2ypy4jrz?id=5541213d-0ed8 | URL | Embedded PDF Link |
hxxp://paste[.]ee/d/bx699sF9/0 | URL | Payload Download URL |
hxxps://docs[.]google[.]com/uc?export=download&id=1aJuQtm8YUqZv12E-atslt_GvBWZ | URL | Embedded Email Link |
hxxp://paste[.]ee/d/jYHEqBJ3/0 | URL | Payload Download URL |
hxxps://archive[.]org/download/new_ABBAS/new_ | URL | JPG Download URL |
hxxps://ia601205.us.archive[.]org/26/items/new_ | URL | JPG Download URL |
IBM X-Force Premier Threat Intelligence is now integrated with OpenCTI, delivering actionable threat intelligence about this threat activity and more. Access insights on threat actors, malware and industry risks. Install the OpenCTI Connector to enhance detection and response, strengthening your cybersecurity with IBM X-Force’s expertise. Stay ahead—integrate today.