$ analyze-threat Backdoor:MSIL/DCRat!MTB
Backdoor:MSIL/DCRat!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/DCRat!MTB
Classification:
Type: Backdoor
Platform: MSIL (.NET Microsoft Intermediate Language)
Family: DCRat
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral (note that the VDM signature reproduced below is a static string and byte-pattern rule)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) for the MSIL (.NET Microsoft Intermediate Language) platform, family DCRat

Summary:

This threat is DCRat (DarkCrystal RAT), a .NET-based backdoor detected through behavioral analysis. It allows remote attackers to control the infected system, steal sensitive information from applications such as Discord (the signature references Discord's Local Storage\leveldb directory), capture screenshots and clipboard contents, and download additional malware. Other strings in the signature point at Defender exclusion tampering (SOFTWARE\Microsoft\Windows Defender\Exclusions), security-product discovery through the root\SecurityCenter WMI namespace, and commercial protectors (.NET Reactor, Themida) used to hinder analysis.

Severity:
Medium (the YARA rule metadata below rates the same signature Critical; the two fields on this page disagree)
VDM Static Detection:
Relevant strings associated with this threat (the tag after each string is the VDM signature type it was taken from: PEHSTR_EXT entries are PE string signatures, MACROHSTR_EXT entries are Office macro string signatures, and !#HSTR entries reference other HSTR sub-signatures by name):
 - DCRatBuild.exe (PEHSTR_EXT)
 - DCRatBuild.Visitors (PEHSTR_EXT)
 - DCRatBuild.Configurations (PEHSTR_EXT)
 - DCRatBuild.Dictionaries (PEHSTR_EXT)
 - %s%s.dll (PEHSTR_EXT)
 - C:\TEMP\dal.exe (PEHSTR_EXT)
 - \mnb.exe (PEHSTR_EXT)
 - \discord\Local Storage\leveldb (PEHSTR_EXT)
 - Work.log (PEHSTR_EXT)
 - ZGKiHslGPo6vWnIjal.y9LylEaSct3rSferV0 (PEHSTR_EXT)
 - root\SecurityCenter (PEHSTR_EXT)
 - x5E0awbitEqjSDmgDX.oN8Qlsvu43PVCqLX8G (PEHSTR_EXT)
 - 2020.4.11.16511847 (PEHSTR_EXT)
 - System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
 - BHxqwq8oyu12VhypWS.fueOfykw4Q0JxKbAk1 (PEHSTR_EXT)
 - 2020.4.11f1_fbf367ac14e9 (PEHSTR_EXT)
 - pestilence.pdb (PEHSTR_EXT)
 - System.Text.RegularExpressions (PEHSTR_EXT)
 - DCRat (PEHSTR_EXT)
 - DCRat.Code (PEHSTR_EXT)
 - Screenshot (PEHSTR_EXT)
 - l&a \ (PEHSTR_EXT)
 - .themida (PEHSTR_EXT)
 - cMDTM.pdb (PEHSTR_EXT)
 - //a0791030.xsph.ru/exta.exe (PEHSTR_EXT)
 - start C:\ProgramData\exta.exe (PEHSTR_EXT)
 - RustCheatCheck.pdb (PEHSTR_EXT)
 - DCRatLoader (PEHSTR_EXT)
 - FtOHK.g.resources (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows Defender\Exclusions (PEHSTR_EXT)
 - vmsrvc.sys (PEHSTR_EXT)
 - UNCOMPRESSED_END (PEHSTR_EXT)
 - \vGN+T (SNID)
 - HttpMessageInvoker (PEHSTR_EXT)
 - Ingjqgvfofy.Properties.Resources (PEHSTR_EXT)
 - jSECRMN2uUh0fW6MeH.Y7OR5DLD9poLlR4axw (PEHSTR_EXT)
 - GxV7QmoeICF2mh50fu.FP6E8LuOYh1uRDvJng (PEHSTR_EXT)
 - mvpbOg99PjLvdbnkrI.cLBjm8fZMMinCvfQFZ (PEHSTR_EXT)
 - hBG0VnIlUfOCISBMZK.WTT95vPmmENthbNmPH (PEHSTR_EXT)
 - bqs6JKWlADqlEDalKA.MbWDAkGFfnmAESC5PM (PEHSTR_EXT)
 - 29kPcnkQO6kESJwAVp.F4xJDtTN9YB4err3DC (PEHSTR_EXT)
 - p91naAPJ3ftIdgWgHn.eIcV1J10NMXHttmQkC (PEHSTR_EXT)
 - QNCrsiJpiyNybOjyV3.Ph5OjfZTud820ZkHal (PEHSTR_EXT)
 - FVodu0kYNVZZ56GXoDG4sjRevFjsrsPWS7OySoti1G7D (PEHSTR_EXT)
 - )qwqdanchun.Properties.Resources.resources (PEHSTR)
 - eBqg1qYY2MBJc40AiZ.t1oQwgWNtVa1T4XkgM (PEHSTR_EXT)
 - cktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
 - ecktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
 - WLhk6dDlzbKi.vbe (PEHSTR_EXT)
 - serverWebBroker.exe (PEHSTR_EXT)
 - DrivermonitorCommon (PEHSTR_EXT)
 - ".NET Reactor" (PEHSTR_EXT)
 - clrjit.dll (PEHSTR_EXT)
 - YRYpuOK33h3Iv3xmfo.TBC8XU5AL96GUo8htw (PEHSTR_EXT)
 - muel9jwYZZsixLNgC6.2xmOdSgAEH8u1RLSnf (PEHSTR_EXT)
 - jluiR6INEsGUXyjwaS.LKSvsOfnqhRnCSdLh4 (PEHSTR_EXT)
 - Q9uica2a622InXT8Sx.4aYyTZRtX532xwliFI (PEHSTR_EXT)
 - 0ywRuctNsJTbkcJr0l.5XcA1kVBcXdCKURQ4I (PEHSTR_EXT)
 - ER\SO (MACROHSTR_EXT)
 - FT" + "WARE\Mic" + "rosoft\Win" + "dows NT\Curre" + "ntVers (MACROHSTR_EXT)
 - ion\Win" + "dows\L" + "OAD" (MACROHSTR_EXT)
 - = CreateObject("WScr" + "ipt.Sh" + "ell") (MACROHSTR_EXT)
 - fileNameDigitalRSASignature = "Use" + "rCac" + "he.in" + "i.h" + "ta (MACROHSTR_EXT)
 - fileNameCHECKSUM = "Us" + "erC" + "ac" + "he.i" + "ni (MACROHSTR_EXT)
 - net/http.fakeLocker,sync.Locker (PEHSTR_EXT)
 - github.com/MrBrounr/main/raw/main/naker.exe (PEHSTR_EXT)
 - TessaLetMeDie601Violet.jnfvqq (PEHSTR_EXT)
 - scoree.dCl (PEHSTR_EXT)
 - Something is fishy. [{0}] (PEHSTR_EXT)
 - [Screenshot] Saving screenshots from (PEHSTR_EXT)
 - [Clipboard] Saving information... (PEHSTR_EXT)
 - [SystemInfromation] Saving information... (PEHSTR_EXT)
 - Loader.pdb (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
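The MACROHSTR_EXT entries above are VBA fragments split with string concatenation so that the plain literal never appears in the document. The following is an added example, not code from this page or from any Microsoft tooling: it joins such chains back together. The quoted fragments are copied from the list; the macro lines that carry them (the Set statement, the regValue variable name, the placement of the "ER\SO" fragment, which is all the page shows of that literal) are constructed.

```python
"""Join the VBA string-concatenation fragments listed in the MACROHSTR_EXT entries.

Added example for this page; not Microsoft tooling and not threatcheck.sh code.
The quoted fragments are copied from the signature list; the macro lines that
carry them are constructed.
"""
import re

# A chain of two or more quoted literals joined by VBA's + or & operators.
CHAIN = re.compile(r'"[^"]*"(?:\s*[+&]\s*"[^"]*")+')
LITERAL = re.compile(r'"([^"]*)"')


def join_literals(vba: str) -> str:
    """Collapse every "a" + "b" + "c" chain in `vba` into the single literal "abc"."""
    return CHAIN.sub(lambda m: '"' + "".join(LITERAL.findall(m.group(0))) + '"', vba)


def extract_indicators(vba: str) -> list[str]:
    """Return the joined value of each concatenation chain, in source order."""
    return ["".join(LITERAL.findall(m.group(0))) for m in CHAIN.finditer(vba)]


# Constructed macro lines built from the fragments the signature lists. The
# "ER\SO" fragment is the start of the page's entry, so the joined registry
# path begins there; the characters before it are not on the page.
SAMPLE_MACRO = "\n".join([
    'Set oShell = CreateObject("WScr" + "ipt.Sh" + "ell")',
    'fileNameCHECKSUM = "Us" + "erC" + "ac" + "he.i" + "ni"',
    'fileNameDigitalRSASignature = "Use" + "rCac" + "he.in" + "i.h" + "ta"',
    'regValue = "ER\\SO" + "FT" + "WARE\\Mic" + "rosoft\\Win" + "dows NT\\Curre"'
    ' + "ntVers" + "ion\\Win" + "dows\\L" + "OAD"',
])

if __name__ == "__main__":
    print(join_literals(SAMPLE_MACRO))
```

Joined, the fragments read WScript.Shell, UserCache.ini, UserCache.ini.hta (an HTA payload, which is why a StringCodeForMshta sub-signature is referenced) and SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LOAD, the per-user Load value that Windows runs at logon; that value is worth checking on any host where the macro variant fired.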
YARA Rule:
rule Backdoor_MSIL_DCRat_2147825893_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/DCRat!MTB"
        threat_id = "2147825893"
        type = "Backdoor"
        platform = "MSIL: .NET Microsoft Intermediate Language"
        family = "DCRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_3_1 = {57 ff 03 3e 09 1f 00 00 00 00 00 00 00 00 00 00 02 00 00 00 35 01 00 00 22 01 00 00 ad 04}  //weight: 3, accuracy: High
        $x_1_2 = "{11111-22222-10009-11112}" wide //weight: 1
        $x_1_3 = "{11111-22222-50001-00000}" wide //weight: 1
        $x_1_4 = "System.Security.Cryptography.AesCryptoServiceProvider" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
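The rule's weights (3 + 1 + 1 + 1) sum to exactly the threshold of 6, so `all of ($x*)` is the only way to fire it, and the three text strings are declared `wide` because .NET stores user strings as UTF-16LE in the #US heap. The following is an added example, not Microsoft's scan engine and not threatcheck.sh code; it re-implements the rule's strings with that weighted-threshold model, which is an assumption read off the `weight:` comments and `threshold = "6"` metadata, and runs it over constructed byte buffers to show what an ASCII-only search or a missing byte pattern does to the score.

```python
"""Weighted-threshold evaluation of the strings in the YARA rule above.

Added example for this page; not Microsoft's scan engine and not
threatcheck.sh code. The scoring model (sum the weight of every matching
string and compare with the threshold) is an assumption taken from the rule's
metadata; the sample bytes are constructed.
"""

# The four strings of Backdoor_MSIL_DCRat_2147825893_0 with their weights.
HEX_PATTERN = bytes.fromhex(
    "57 ff 03 3e 09 1f 00 00 00 00 00 00 00 00 00 00 "
    "02 00 00 00 35 01 00 00 22 01 00 00 ad 04"
)
# Declared `wide` in the rule, so matched as UTF-16LE (the .NET #US heap encoding).
WIDE_STRINGS = (
    "{11111-22222-10009-11112}",
    "{11111-22222-50001-00000}",
    "System.Security.Cryptography.AesCryptoServiceProvider",
)
PATTERNS = [("x_3_1", 3, HEX_PATTERN)] + [
    (f"x_1_{i}", 1, s.encode("utf-16-le")) for i, s in enumerate(WIDE_STRINGS, start=2)
]
THRESHOLD = 6
MAX_FILESIZE = 20 * 1024 * 1024  # the rule requires filesize < 20MB


def evaluate(data: bytes) -> tuple[bool, int, list[str]]:
    """Return (rule fires?, weight sum, names of the strings that matched)."""
    if len(data) >= MAX_FILESIZE:
        return False, 0, []
    hits = [(name, weight) for name, weight, pat in PATTERNS if pat in data]
    score = sum(weight for _, weight in hits)
    return score >= THRESHOLD, score, [name for name, _ in hits]


def build_sample(wide: bool = True, with_hex: bool = True) -> bytes:
    """Constructed stand-in for a scanned file: filler plus the chosen indicators."""
    encoding = "utf-16-le" if wide else "ascii"
    parts = [b"MZ" + b"\x00" * 62]
    if with_hex:
        parts.append(HEX_PATTERN)
    parts.extend(b"\x00" * 8 + s.encode(encoding) for s in WIDE_STRINGS)
    return b"".join(parts)


if __name__ == "__main__":
    for label, sample in (
        ("all indicators, wide strings", build_sample()),
        ("all indicators, ASCII strings", build_sample(wide=False)),
        ("wide strings only, no byte pattern", build_sample(with_hex=False)),
    ):
        print(label, evaluate(sample))
```

Two things the output makes concrete: an ASCII grep for AesCryptoServiceProvider does not reproduce what the signature matches, and because every string is load-bearing, renaming one obfuscator marker or recompiling the assembly (which changes the fixed 30-byte pattern) drops the score below the threshold, so this rule should be treated as a confirmation of a known build rather than family-wide coverage.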
Known malware which is associated with this threat (filename, SHA-256, date):
06b9ebceeb682fda05627e97a24241a9.exe  92598fd7f0d08b6ed7534573448bb262091b178cb63b436e399a6a1b04596e65  13/05/2026
fatality.exe  b5507c0876b636624bb193212240bc4beb5e4570cfe2790394280cc1b840d478  12/05/2026
216cbcfc190ca10bd85a807888fa3dcc.exe  128f0268f56929b273a39926e65462b7dd980d39e1a613465a765c191d9a9099  06/05/2026
0fcf34f0086e09a7a359ce2ab5a93ffd.exe  99b6cd32cc25ea611de1e0fe5d5b22b201a7e885da87ef1031988dc50986b562  02/05/2026
191789c7dfde687b1efd0e36c2213a1f.exe  947bf9d7c04554915b4c68b1152afeff923fcd74ab718e9c63a603fe48a7cd1e  02/05/2026
Remediation Steps:
Isolate the affected machine from the network immediately and let antivirus software remove the detected threat. Then investigate the artifacts the signature strings point at: the dropped and launched files (C:\ProgramData\exta.exe, C:\TEMP\dal.exe, mnb.exe, and the UserCache.ini / UserCache.ini.hta pair assembled by the macro fragments), persistence (scheduled tasks, the Windows NT\CurrentVersion\Windows\Load registry value the macro strings build, and any path or process added under SOFTWARE\Microsoft\Windows Defender\Exclusions), and outbound traffic to the download locations in the strings (a0791030.xsph.ru and the github.com/MrBrounr raw URL). Reset user credentials and, in particular, revoke Discord sessions, since the signature targets Discord's Local Storage\leveldb token store.
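For the file-level part of that investigation, the following added example (not threatcheck.sh tooling) walks a directory tree and flags files whose name matches a drop target from the signature strings or whose SHA-256 is in the report's sample list. The hashes and names come from this page; the demo tree, its decoy files and the extra_hashes parameter (for indicators an analyst adds during the case) are constructed so the script runs offline. Registry, scheduled-task and Defender-exclusion checks still have to be done on the host with native tooling.

```python
"""Directory triage against the file indicators in this report.

Added example for this page, not threatcheck.sh tooling. SHA-256 values and
file names come from the report; the demo tree and extra_hashes are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

REPORT_SHA256 = frozenset({
    "92598fd7f0d08b6ed7534573448bb262091b178cb63b436e399a6a1b04596e65",
    "b5507c0876b636624bb193212240bc4beb5e4570cfe2790394280cc1b840d478",
    "128f0268f56929b273a39926e65462b7dd980d39e1a613465a765c191d9a9099",
    "99b6cd32cc25ea611de1e0fe5d5b22b201a7e885da87ef1031988dc50986b562",
    "947bf9d7c04554915b4c68b1152afeff923fcd74ab718e9c63a603fe48a7cd1e",
})
# File names the signature strings reference as dropped or launched payloads
# (the two UserCache names are the joined MACROHSTR_EXT fragments).
DROP_NAMES = frozenset({
    "exta.exe", "dal.exe", "mnb.exe", "naker.exe", "dcratbuild.exe",
    "serverwebbroker.exe", "usercache.ini", "usercache.ini.hta",
})


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: Path, extra_hashes: frozenset[str] = frozenset()) -> list[dict]:
    """Walk `root` and flag files whose name or SHA-256 matches an indicator."""
    known = REPORT_SHA256 | extra_hashes
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in DROP_NAMES:
            reasons.append("drop-file name from signature strings")
        digest = sha256_of(path)
        if digest in known:
            reasons.append("SHA-256 in IOC list")
        if reasons:
            findings.append({"path": str(path.relative_to(root)),
                             "sha256": digest, "reasons": reasons})
    return findings


def build_demo_tree() -> Path:
    """Constructed tree: one decoy carrying a known drop name, one benign file."""
    root = Path(tempfile.mkdtemp(prefix="dcrat-triage-"))
    (root / "ProgramData").mkdir()
    (root / "ProgramData" / "exta.exe").write_bytes(b"MZ decoy: constructed, not malware")
    (root / "Users").mkdir()
    (root / "Users" / "notes.txt").write_text("benign content")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in triage(demo):
        print(finding)
```

A name hit alone is a lead, not a verdict (legitimate software can use any file name), so the script records both reasons separately; a hash hit against the report list is the strong signal, and the hash of any file you confirm as malicious should be fed back in through extra_hashes when sweeping the rest of the estate.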
=== END REPORT ===
Analysis last updated: 21/11/2025