Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family DCRat
This threat is a .NET-based backdoor known as DCRat, detected through behavioral analysis. It allows remote attackers to control the infected system, steal sensitive information from applications like Discord, take screenshots, and download additional malware.
Relevant strings associated with this threat:
- DCRatBuild.exe (PEHSTR_EXT)
- DCRatBuild.Visitors (PEHSTR_EXT)
- DCRatBuild.Configurations (PEHSTR_EXT)
- DCRatBuild.Dictionaries (PEHSTR_EXT)
- %s%s.dll (PEHSTR_EXT)
- C:\TEMP\dal.exe (PEHSTR_EXT)
- \mnb.exe (PEHSTR_EXT)
- \discord\Local Storage\leveldb (PEHSTR_EXT)
- Work.log (PEHSTR_EXT)
- ZGKiHslGPo6vWnIjal.y9LylEaSct3rSferV0 (PEHSTR_EXT)
- root\SecurityCenter (PEHSTR_EXT)
- x5E0awbitEqjSDmgDX.oN8Qlsvu43PVCqLX8G (PEHSTR_EXT)
- 2020.4.11.16511847 (PEHSTR_EXT)
- System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
- BHxqwq8oyu12VhypWS.fueOfykw4Q0JxKbAk1 (PEHSTR_EXT)
- 2020.4.11f1_fbf367ac14e9 (PEHSTR_EXT)
- pestilence.pdb (PEHSTR_EXT)
- System.Text.RegularExpressions (PEHSTR_EXT)
- DCRat (PEHSTR_EXT)
- DCRat.Code (PEHSTR_EXT)
- Screenshot (PEHSTR_EXT)
- l&a \ (PEHSTR_EXT)
- .themida (PEHSTR_EXT)
- cMDTM.pdb (PEHSTR_EXT)
- //a0791030.xsph.ru/exta.exe (PEHSTR_EXT)
- start C:\ProgramData\exta.exe (PEHSTR_EXT)
- RustCheatCheck.pdb (PEHSTR_EXT)
- DCRatLoader (PEHSTR_EXT)
- FtOHK.g.resources (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows Defender\Exclusions (PEHSTR_EXT)
- vmsrvc.sys (PEHSTR_EXT)
- UNCOMPRESSED_END (PEHSTR_EXT)
- \vGN+T (SNID)
- HttpMessageInvoker (PEHSTR_EXT)
- Ingjqgvfofy.Properties.Resources (PEHSTR_EXT)
- jSECRMN2uUh0fW6MeH.Y7OR5DLD9poLlR4axw (PEHSTR_EXT)
- GxV7QmoeICF2mh50fu.FP6E8LuOYh1uRDvJng (PEHSTR_EXT)
- mvpbOg99PjLvdbnkrI.cLBjm8fZMMinCvfQFZ (PEHSTR_EXT)
- hBG0VnIlUfOCISBMZK.WTT95vPmmENthbNmPH (PEHSTR_EXT)
- bqs6JKWlADqlEDalKA.MbWDAkGFfnmAESC5PM (PEHSTR_EXT)
- 29kPcnkQO6kESJwAVp.F4xJDtTN9YB4err3DC (PEHSTR_EXT)
- p91naAPJ3ftIdgWgHn.eIcV1J10NMXHttmQkC (PEHSTR_EXT)
- QNCrsiJpiyNybOjyV3.Ph5OjfZTud820ZkHal (PEHSTR_EXT)
- FVodu0kYNVZZ56GXoDG4sjRevFjsrsPWS7OySoti1G7D (PEHSTR_EXT)
- )qwqdanchun.Properties.Resources.resources (PEHSTR)
- eBqg1qYY2MBJc40AiZ.t1oQwgWNtVa1T4XkgM (PEHSTR_EXT)
- cktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
- ecktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
- WLhk6dDlzbKi.vbe (PEHSTR_EXT)
- serverWebBroker.exe (PEHSTR_EXT)
- DrivermonitorCommon (PEHSTR_EXT)
- ".NET Reactor" (PEHSTR_EXT)
- clrjit.dll (PEHSTR_EXT)
- YRYpuOK33h3Iv3xmfo.TBC8XU5AL96GUo8htw (PEHSTR_EXT)
- muel9jwYZZsixLNgC6.2xmOdSgAEH8u1RLSnf (PEHSTR_EXT)
- jluiR6INEsGUXyjwaS.LKSvsOfnqhRnCSdLh4 (PEHSTR_EXT)
- Q9uica2a622InXT8Sx.4aYyTZRtX532xwliFI (PEHSTR_EXT)
- 0ywRuctNsJTbkcJr0l.5XcA1kVBcXdCKURQ4I (PEHSTR_EXT)
- ER\SO (MACROHSTR_EXT)
- FT" + "WARE\Mic" + "rosoft\Win" + "dows NT\Curre" + "ntVers (MACROHSTR_EXT)
- ion\Win" + "dows\L" + "OAD" (MACROHSTR_EXT)
- = CreateObject("WScr" + "ipt.Sh" + "ell") (MACROHSTR_EXT)
- fileNameDigitalRSASignature = "Use" + "rCac" + "he.in" + "i.h" + "ta (MACROHSTR_EXT)
- fileNameCHECKSUM = "Us" + "erC" + "ac" + "he.i" + "ni (MACROHSTR_EXT)
- net/http.fakeLocker,sync.Locker (PEHSTR_EXT)
- github.com/MrBrounr/main/raw/main/naker.exe (PEHSTR_EXT)
- TessaLetMeDie601Violet.jnfvqq (PEHSTR_EXT)
- scoree.dCl (PEHSTR_EXT)
- Something is fishy. [{0}] (PEHSTR_EXT)
- [Screenshot] Saving screenshots from (PEHSTR_EXT)
- [Clipboard] Saving information... (PEHSTR_EXT)
- [SystemInfromation] Saving information... (PEHSTR_EXT)
- Loader.pdb (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Detection rule for this signature:

rule Backdoor_MSIL_DCRat_2147825893_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/DCRat!MTB"
        threat_id = "2147825893"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "DCRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_3_1 = {57 ff 03 3e 09 1f 00 00 00 00 00 00 00 00 00 00 02 00 00 00 35 01 00 00 22 01 00 00 ad 04} //weight: 3, accuracy: High
        $x_1_2 = "{11111-22222-10009-11112}" wide //weight: 1
        $x_1_3 = "{11111-22222-50001-00000}" wide //weight: 1
        $x_1_4 = "System.Security.Cryptography.AesCryptoServiceProvider" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hashes:
- 0418fd873b985dc519a55814dade5cc9bf9421ae0dbda9eba6995741fcdee668
- 5928fc679943aca8e9c19dd90d57ef8b4bf871b9b5b79e6c6acbcac9cd301d7e

Recommended remediation:
Isolate the affected machine from the network immediately. Use antivirus software to remove the detected threat. Investigate for associated files (e.g., exta.exe, dal.exe), persistence mechanisms, and suspicious network traffic. Reset user credentials, particularly for any applications targeted for data theft.