Concrete signature match: Backdoor (provides unauthorized remote access) for the MSIL (.NET Microsoft Intermediate Language) platform, family DCRat
This threat is a .NET-based backdoor known as DCRat (DarkCrystal RAT), flagged by the Backdoor:MSIL/DCRat!MTB signature. It gives a remote operator control of the infected system. The string indicators below show the capabilities the family is detected on: reading the Discord client's Local Storage\leveldb directory (where the client keeps its session data), capturing screenshots and clipboard contents, collecting system information, fetching and launching additional payloads (exta.exe from a0791030.xsph.ru and naker.exe from a GitHub raw URL), tampering with the Windows Defender exclusion list, and hiding under Themida or .NET Reactor protection. The accompanying macro strings (MACROHSTR_EXT) come from an Office-document stage that assembles its strings by concatenation and references an .hta file name, which is consistent with the mshta string indicator further down the list.
Relevant strings associated with this threat (the tag in parentheses is the signature string type the indicator comes from; strings are reproduced verbatim, including the malware's own misspelling in [SystemInfromation], so hunt for them exactly as written):
- DCRatBuild.exe (PEHSTR_EXT)
- DCRatBuild.Visitors (PEHSTR_EXT)
- DCRatBuild.Configurations (PEHSTR_EXT)
- DCRatBuild.Dictionaries (PEHSTR_EXT)
- %s%s.dll (PEHSTR_EXT)
- C:\TEMP\dal.exe (PEHSTR_EXT)
- \mnb.exe (PEHSTR_EXT)
- \discord\Local Storage\leveldb (PEHSTR_EXT)
- Work.log (PEHSTR_EXT)
- ZGKiHslGPo6vWnIjal.y9LylEaSct3rSferV0 (PEHSTR_EXT)
- root\SecurityCenter (PEHSTR_EXT)
- x5E0awbitEqjSDmgDX.oN8Qlsvu43PVCqLX8G (PEHSTR_EXT)
- 2020.4.11.16511847 (PEHSTR_EXT)
- System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
- BHxqwq8oyu12VhypWS.fueOfykw4Q0JxKbAk1 (PEHSTR_EXT)
- 2020.4.11f1_fbf367ac14e9 (PEHSTR_EXT)
- pestilence.pdb (PEHSTR_EXT)
- System.Text.RegularExpressions (PEHSTR_EXT)
- DCRat (PEHSTR_EXT)
- DCRat.Code (PEHSTR_EXT)
- Screenshot (PEHSTR_EXT)
- l&a \ (PEHSTR_EXT)
- .themida (PEHSTR_EXT)
- cMDTM.pdb (PEHSTR_EXT)
- //a0791030.xsph.ru/exta.exe (PEHSTR_EXT)
- start C:\ProgramData\exta.exe (PEHSTR_EXT)
- RustCheatCheck.pdb (PEHSTR_EXT)
- DCRatLoader (PEHSTR_EXT)
- FtOHK.g.resources (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows Defender\Exclusions (PEHSTR_EXT)
- vmsrvc.sys (PEHSTR_EXT)
- UNCOMPRESSED_END (PEHSTR_EXT)
- \vGN+T (SNID)
- HttpMessageInvoker (PEHSTR_EXT)
- Ingjqgvfofy.Properties.Resources (PEHSTR_EXT)
- jSECRMN2uUh0fW6MeH.Y7OR5DLD9poLlR4axw (PEHSTR_EXT)
- GxV7QmoeICF2mh50fu.FP6E8LuOYh1uRDvJng (PEHSTR_EXT)
- mvpbOg99PjLvdbnkrI.cLBjm8fZMMinCvfQFZ (PEHSTR_EXT)
- hBG0VnIlUfOCISBMZK.WTT95vPmmENthbNmPH (PEHSTR_EXT)
- bqs6JKWlADqlEDalKA.MbWDAkGFfnmAESC5PM (PEHSTR_EXT)
- 29kPcnkQO6kESJwAVp.F4xJDtTN9YB4err3DC (PEHSTR_EXT)
- p91naAPJ3ftIdgWgHn.eIcV1J10NMXHttmQkC (PEHSTR_EXT)
- QNCrsiJpiyNybOjyV3.Ph5OjfZTud820ZkHal (PEHSTR_EXT)
- FVodu0kYNVZZ56GXoDG4sjRevFjsrsPWS7OySoti1G7D (PEHSTR_EXT)
- )qwqdanchun.Properties.Resources.resources (PEHSTR)
- eBqg1qYY2MBJc40AiZ.t1oQwgWNtVa1T4XkgM (PEHSTR_EXT)
- cktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
- ecktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
- WLhk6dDlzbKi.vbe (PEHSTR_EXT)
- serverWebBroker.exe (PEHSTR_EXT)
- DrivermonitorCommon (PEHSTR_EXT)
- ".NET Reactor" (PEHSTR_EXT)
- clrjit.dll (PEHSTR_EXT)
- YRYpuOK33h3Iv3xmfo.TBC8XU5AL96GUo8htw (PEHSTR_EXT)
- muel9jwYZZsixLNgC6.2xmOdSgAEH8u1RLSnf (PEHSTR_EXT)
- jluiR6INEsGUXyjwaS.LKSvsOfnqhRnCSdLh4 (PEHSTR_EXT)
- Q9uica2a622InXT8Sx.4aYyTZRtX532xwliFI (PEHSTR_EXT)
- 0ywRuctNsJTbkcJr0l.5XcA1kVBcXdCKURQ4I (PEHSTR_EXT)
- ER\SO (MACROHSTR_EXT)
- FT" + "WARE\Mic" + "rosoft\Win" + "dows NT\Curre" + "ntVers (MACROHSTR_EXT)
- ion\Win" + "dows\L" + "OAD" (MACROHSTR_EXT)
- = CreateObject("WScr" + "ipt.Sh" + "ell") (MACROHSTR_EXT)
- fileNameDigitalRSASignature = "Use" + "rCac" + "he.in" + "i.h" + "ta (MACROHSTR_EXT)
- fileNameCHECKSUM = "Us" + "erC" + "ac" + "he.i" + "ni (MACROHSTR_EXT)
- net/http.fakeLocker,sync.Locker (PEHSTR_EXT)
- github.com/MrBrounr/main/raw/main/naker.exe (PEHSTR_EXT)
- TessaLetMeDie601Violet.jnfvqq (PEHSTR_EXT)
- scoree.dCl (PEHSTR_EXT)
- Something is fishy. [{0}] (PEHSTR_EXT)
- [Screenshot] Saving screenshots from (PEHSTR_EXT)
- [Clipboard] Saving information... (PEHSTR_EXT)
- [SystemInfromation] Saving information... (PEHSTR_EXT)
- Loader.pdb (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

YARA rule for this signature:

rule Backdoor_MSIL_DCRat_2147825893_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/DCRat!MTB"
        threat_id = "2147825893"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "DCRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_3_1 = {57 ff 03 3e 09 1f 00 00 00 00 00 00 00 00 00 00 02 00 00 00 35 01 00 00 22 01 00 00 ad 04} //weight: 3, accuracy: High
        $x_1_2 = "{11111-22222-10009-11112}" wide //weight: 1
        $x_1_3 = "{11111-22222-50001-00000}" wide //weight: 1
        $x_1_4 = "System.Security.Cryptography.AesCryptoServiceProvider" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hashes (64-character hex digests, SHA-256 length):
- 3f54db25b01ad924cf34808063d6e13c9d1bab97693fc7bf5f7d73d37771efba
- 45e0089a6b986d4dc371d363848c52443e7e9680bbbf3fe6fe9b4520ebcc45df
- dac6ceef5ed0906713c1f1b319ba7bf1e56a9aae6201c9f59bf97cbb94c787e0
- 168590617d117480032f0760fd43c1aaf7bd33bb9d9e7542ef8411b196aea7f3
- f4e46d611e83f8ef064455346b9290d3228ba059eae629fa8d06b0e392b22d97

Recommended response: Isolate the affected machine from the network immediately. Run a full scan with up-to-date antivirus software and remove the detected threat. Investigate for the associated files named in the strings above (exta.exe under C:\ProgramData, dal.exe under C:\TEMP, mnb.exe, serverWebBroker.exe, DCRatBuild.exe and the .vbe scripts), for persistence mechanisms (scheduled tasks, BITS jobs, the Windows NT\CurrentVersion\Windows\Load registry value assembled by the macro fragments, and any paths added under SOFTWARE\Microsoft\Windows Defender\Exclusions, which should be removed), and for suspicious network traffic, in particular to a0791030.xsph.ru and the github.com/MrBrounr raw download URL. Reset user credentials, particularly for the applications targeted for data theft such as Discord, and sign out of all active sessions so that stolen session data cannot be reused.
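The MACROHSTR_EXT fragments in the string list above are pieces of VBA that assemble their strings from short concatenated literals, so that no single indicator appears intact in the document. The following Python is an added example, not code from this page or from the DCRat tooling: it folds such concatenations back together and runs on a constructed macro snippet built from the page's own fragments. The "HKEY_CURRENT_US" prefix in the sample is an assumption (only the tail "ER\SO" appears on the page).

```python
from __future__ import annotations
import re

# One VBA string literal: double-quoted, with "" as the escaped quote.
_LIT = r'"(?:[^"]|"")*"'
_LIT_RE = re.compile(_LIT)
# Two or more literals joined by + or & (both concatenate in VBA), on one line.
_CONCAT_RE = re.compile(_LIT + r'(?:\s*[+&]\s*' + _LIT + r')+')


def _unquote(lit: str) -> str:
    return lit[1:-1].replace('""', '"')


def _fold(match: re.Match) -> str:
    # Join every literal in the matched run into a single literal.
    joined = "".join(_unquote(l) for l in _LIT_RE.findall(match.group(0)))
    return '"' + joined.replace('"', '""') + '"'


def deobfuscate_line(line: str) -> str:
    """Fold "a" + "b" & "c" runs into "abc"; everything else is left untouched."""
    return _CONCAT_RE.sub(_fold, line)


def recovered_literals(macro_text: str) -> list[str]:
    """Every string literal in the macro after folding, in source order."""
    out: list[str] = []
    for line in macro_text.splitlines():
        out.extend(_unquote(l) for l in _LIT_RE.findall(deobfuscate_line(line)))
    return out


# Constructed sample macro (not recovered from a real document). The quoted
# fragments are the MACROHSTR_EXT indicators listed on this page; the
# "HKEY_CURRENT_US" prefix is an assumption added to show the complete path.
SAMPLE_MACRO = r'''
Set sh = CreateObject("WScr" + "ipt.Sh" + "ell")
fileNameDigitalRSASignature = "Use" + "rCac" + "he.in" + "i.h" + "ta"
fileNameCHECKSUM = "Us" + "erC" + "ac" + "he.i" + "ni"
loadValue = "HKEY_CURRENT_US" + "ER\SO" + "FT" + "WARE\Mic" + "rosoft\Win" + "dows NT\Curre" + "ntVers" + "ion\Win" + "dows\L" + "OAD"
'''

if __name__ == "__main__":
    for before in SAMPLE_MACRO.strip().splitlines():
        after = deobfuscate_line(before)
        if after != before:
            print(after)
```

Folding the fragments yields WScript.Shell, the file names UserCache.ini.hta and UserCache.ini, and a registry path ending in Windows NT\CurrentVersion\Windows\LOAD. The Load value under that key is a documented per-user logon autostart location (MITRE ATT&CK T1547.001), and an .hta file name beside it is consistent with the !#HSTR:StringCodeForMshta.A!pli indicator above, so both the value and the file are worth checking during triage. The folding is a line-based heuristic: a variable inserted between literals ("a" & x & "b") is left alone, which is the correct conservative behaviour.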
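The rule's meta carries a threshold of 6 and each string a weight (3 + 1 + 1 + 1), which is why the YARA condition can be written as all of ($x*). The following Python reproduces that weighted evaluation, including the wide modifier (UTF-16LE) and the 20MB size bound, and runs it over constructed byte buffers. It is an added example, not code from this page or from threatcheck.sh; the buffers are synthetic stand-ins, not real samples.

```python
from __future__ import annotations

# Signature table transcribed from the YARA rule above: (name, pattern, weight).
# The three text strings carry YARA's "wide" modifier, so they must be searched
# as UTF-16LE, which is how .NET stores string literals in the #US heap.
HEX_PATTERN = bytes.fromhex(
    "57ff033e091f00000000000000000000"
    "020000003501000022010000ad04"
)
SIGNATURE = [
    ("$x_3_1", HEX_PATTERN, 3),
    ("$x_1_2", "{11111-22222-10009-11112}".encode("utf-16-le"), 1),
    ("$x_1_3", "{11111-22222-50001-00000}".encode("utf-16-le"), 1),
    ("$x_1_4", "System.Security.Cryptography.AesCryptoServiceProvider".encode("utf-16-le"), 1),
]
THRESHOLD = 6                # meta: threshold = "6" (3 + 1 + 1 + 1, hence "all of")
MAX_SIZE = 20 * 1024 * 1024  # condition: filesize < 20MB (YARA's MB is 2**20)


def score(data: bytes) -> tuple[int, list[str]]:
    """Sum the weights of every signature string present in data."""
    total, hits = 0, []
    for name, pattern, weight in SIGNATURE:
        if pattern in data:
            total += weight
            hits.append(name)
    return total, hits


def matches(data: bytes) -> bool:
    """Reproduce the rule's verdict: size bound plus weighted threshold."""
    total, _ = score(data)
    return len(data) < MAX_SIZE and total >= THRESHOLD


def scan_file(path: str) -> tuple[bool, int, list[str]]:
    """Verdict, total weight and matched names for a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    total, hits = score(data)
    return matches(data), total, hits


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed test buffers, not real samples. FILLER stands in for the rest of a PE.
FILLER = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode." + b"\x00" * 64
SAMPLE_FULL = (FILLER + HEX_PATTERN + FILLER + _wide("{11111-22222-10009-11112}")
               + _wide("{11111-22222-50001-00000}") + FILLER
               + _wide("System.Security.Cryptography.AesCryptoServiceProvider") + FILLER)
# Same literals as ASCII: a grep for the plain text "finds" them, the rule does not.
SAMPLE_ASCII = (FILLER + HEX_PATTERN + b"{11111-22222-10009-11112}{11111-22222-50001-00000}"
                + b"System.Security.Cryptography.AesCryptoServiceProvider")
# Hex pattern absent: the three wide strings only reach weight 3 of 6.
SAMPLE_NO_HEX = SAMPLE_FULL.replace(HEX_PATTERN, b"\x00" * len(HEX_PATTERN))

if __name__ == "__main__":
    for label, buf in (("full", SAMPLE_FULL), ("ascii", SAMPLE_ASCII), ("no_hex", SAMPLE_NO_HEX)):
        total, hits = score(buf)
        print(f"{label:7s} weight={total} hits={hits} verdict={matches(buf)}")
```

A plain-text grep for AesCryptoServiceProvider does not find the UTF-16LE form, and a loader that strips or rewrites the 30-byte metadata pattern drops the score to 3 of 6; the reference scanner makes both failure modes visible before a negative result is trusted.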
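The response notes above say to look for the dropped files, the persistence mechanisms and the network traffic. The following Python is an added example, not code from this page: it turns the page's indicators into hunting rules and runs them over constructed JSON-lines telemetry. The event shape and the field names image, cmdline, url and target are assumptions to be mapped onto your EDR's schema; the Load registry value comes from folding the macro fragments; and reads of the Discord leveldb directory are only flagged when the reading process is not Discord itself.

```python
from __future__ import annotations
import json

# Indicators taken from the string list and response notes on this page, plus
# the registry Load value recovered from the macro fragments.
# Each entry: (rule name, event field to inspect, lower-case substring).
IOC_RULES = [
    ("dropped_binary_path", "image", r"c:\temp\dal.exe"),
    ("dropped_binary_path", "image", r"c:\programdata\exta.exe"),
    ("dropped_binary_name", "image", r"\mnb.exe"),
    ("dropped_binary_name", "image", r"\serverwebbroker.exe"),
    ("dropped_binary_name", "image", r"\dcratbuild.exe"),
    ("launch_cmdline", "cmdline", r"start c:\programdata\exta.exe"),
    ("download_url", "url", "a0791030.xsph.ru/exta.exe"),
    ("download_url", "url", "github.com/mrbrounr/main/raw/main/naker.exe"),
    ("defender_exclusion_tamper", "target", r"software\microsoft\windows defender\exclusions"),
    ("load_value_persistence", "target", r"windows nt\currentversion\windows\load"),
    ("discord_token_store_read", "target", r"\discord\local storage\leveldb"),
]


def hunt(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, rule name) for every indicator hit in JSON-lines telemetry."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not allowed to abort the hunt
        image = str(ev.get("image", "")).lower()
        for rule, field, needle in IOC_RULES:
            if needle not in str(ev.get(field, "")).lower():
                continue
            # Discord itself legitimately reads its own LevelDB store.
            if rule == "discord_token_store_read" and "\\discord\\" in image:
                continue
            hits.append((n, rule))
    return hits


# Constructed JSON-lines telemetry (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Windows\System32\mshta.exe",
     "url": "http://a0791030.xsph.ru/exta.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c start C:\ProgramData\exta.exe"},
    {"type": "process", "image": r"C:\ProgramData\exta.exe",
     "cmdline": r"C:\ProgramData\exta.exe"},
    {"type": "registry", "image": r"C:\ProgramData\exta.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"},
    {"type": "registry", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load"},
    {"type": "file", "image": r"C:\ProgramData\exta.exe",
     "target": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.log"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "target": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.log"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json: truncated record"]

if __name__ == "__main__":
    for line_no, rule in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

Substring rules are deliberately loose (case-insensitive, no anchoring) so that a renamed parent directory or a different drive letter still hits; the cost is that a hit is a lead to pull the full process tree for, not a verdict on its own.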