Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family DCRat
This threat is a .NET-based Remote Access Trojan (RAT) from the DCRat family, detected through machine learning behavioral analysis. Once active, it grants an attacker remote control over the compromised system, allowing for data theft, command execution, and surveillance.
No specific strings found for this threat
rule Trojan_MSIL_DCRat_LA_2147901431_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/DCRat.LA!MTB"
        threat_id = "2147901431"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "DCRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {02 03 02 4b 03 04 61 05 61 58 0e 07 0e 04 95 58 7e b5 08 00 04 0e 06 17 59 95 58 0e 05 28 ?? 0d 00 06 58 54 2a} //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

bf97e6b72ce8503056dd5fdaf76e73f9d9d6a787c26d900ee053ad1ccf817508

1. Isolate the affected machine from the network to prevent lateral movement.
2. Use Windows Defender or another reputable antivirus to perform a full system scan and remove the threat.
3. Change all passwords for accounts that were used on the system.
4. Investigate the initial point of compromise, such as a phishing email or malicious download.