Backdoor:MSIL/DCRat!pz - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/DCRat!pz
Classification:
Type: Backdoor
Platform: MSIL
Family: DCRat
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the .NET/MSIL (Microsoft Intermediate Language) platform, family DCRat

Summary:

This threat is a .NET-based Remote Access Trojan (RAT) known as DCRat. It provides attackers with backdoor access to the compromised system, enabling them to steal sensitive information, take screenshots, and download and execute additional malware from a command-and-control server. The malware uses obfuscation and encryption to evade detection and secure its communications.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
Filename: 0fe900d19ee3853bb96b268c67732ee9.exe
SHA-256: 02b818e2058a60b7e826d6187c970f6a3e377c00fcb650a2af867ee8fe10fee1
Date: 24/11/2025
Remediation Steps:
 - Isolate the affected machine from the network immediately.
 - Run a full antivirus scan to remove the threat.
 - Change all passwords and credentials that were used on the system.
 - Consider re-imaging the device, as the system is considered fully compromised.
=== END REPORT ===