Signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family DCRat
Trojan:MSIL/DCRat.J!MTB is a detection for a Remote Access Trojan (RAT) built for the .NET framework. Once installed, the malware gives the attacker full remote control of the compromised machine, enabling surveillance, data exfiltration and execution of arbitrary commands. The detection combines static signatures with machine-learning behavioral analysis, which is why it is rated high confidence.
```yara
rule Trojan_MSIL_DCRat_J_2147900129_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/DCRat.J!MTB"
        threat_id = "2147900129"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "DCRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {08 09 20 ff 00 00 00 9c 09 17 58 0d 09 08 8e 69 32} //weight: 2, accuracy: High
        $x_2_2 = {25 17 58 13 0a 91 08 61 d2 9c 09 17 5f 17} //weight: 2, accuracy: High
        $x_1_3 = "GetDelegateForFunctionPointer" ascii //weight: 1
        $x_1_4 = "get_EntryPoint" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
```

SHA-256 listed with this detection: 74a8104dc97f3709ba4176bff6f79b57056ed371a57cbd9337ed9fa61bb64ec4

Immediately isolate the infected system from the network to prevent further compromise or lateral movement. Run a full system scan with an updated antivirus solution to remove the DCRat Trojan and any associated malicious components. Then review and strengthen network perimeter defenses, apply all pending security updates, and train users to recognize phishing attempts.
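The rule's metadata describes a weighted signature (SIGNATURE_TYPE_PEHSTR_EXT with threshold 6) while the YARA condition simply requires all four strings. The Python below is an added example, not code from threatcheck.sh or Microsoft: it re-implements the weighted evaluation over constructed buffers to show that with weights 2+2+1+1 = 6 the threshold is reached only when every string is present, which is why `all of ($x*)` is equivalent. The size check mirrors the rule's `filesize < 20MB` constraint.

```python
# Weighted-threshold evaluation of the Trojan:MSIL/DCRat.J!MTB signature.
# Patterns and weights are copied from the rule above; the buffers are constructed test data.

PATTERNS = [
    # (name, pattern bytes, weight) as declared in the rule's strings section
    ("$x_2_1", bytes.fromhex("08 09 20 ff 00 00 00 9c 09 17 58 0d 09 08 8e 69 32"), 2),
    ("$x_2_2", bytes.fromhex("25 17 58 13 0a 91 08 61 d2 9c 09 17 5f 17"), 2),
    ("$x_1_3", b"GetDelegateForFunctionPointer", 1),
    ("$x_1_4", b"get_EntryPoint", 1),
]
THRESHOLD = 6                      # meta: threshold = "6"
MAX_FILESIZE = 20 * 1024 * 1024    # condition: filesize < 20MB (YARA's MB is 1024*1024 bytes)


def evaluate(data: bytes) -> dict:
    """Return which strings hit, the summed weight, and whether the rule would fire."""
    hits = {name: pattern in data for name, pattern, _ in PATTERNS}
    score = sum(weight for name, _, weight in PATTERNS if hits[name])
    size_ok = len(data) < MAX_FILESIZE
    return {
        "hits": hits,
        "score": score,
        "filesize_ok": size_ok,
        "matches": size_ok and score >= THRESHOLD,
    }


def build_sample(include: tuple) -> bytes:
    """Constructed test buffer: zero padding plus the selected rule strings (no real binary)."""
    blob = bytearray(b"\x00" * 64)
    for name, pattern, _ in PATTERNS:
        if name in include:
            blob += pattern + b"\x00" * 16
    return bytes(blob)


if __name__ == "__main__":
    full = evaluate(build_sample(("$x_2_1", "$x_2_2", "$x_1_3", "$x_1_4")))
    partial = evaluate(build_sample(("$x_2_1", "$x_2_2", "$x_1_3")))
    print("all strings present:", full["score"], full["matches"])        # 6 True
    print("one string missing :", partial["score"], partial["matches"])  # 5 False
```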