Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family DCRat
This threat is a Remote Access Trojan (RAT) from the DCRat family, which allows an attacker to gain unauthorized remote control over the infected system. This can lead to data theft, surveillance, and the installation of additional malware. The detection is based on machine learning behavioral analysis, indicating suspicious activity consistent with this threat family.
No specific strings found for this threat
rule Trojan_MSIL_DCRat_RDJ_2147897646_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:MSIL/DCRat.RDJ!MTB"
threat_id = "2147897646"
type = "Trojan"
platform = "MSIL: .NET intermediate language scripts"
family = "DCRat"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "3"
strings_accuracy = "High"
strings:
$x_1_1 = "SGxDUr5uRrbW2X9YcTIdUkMi5E" ascii //weight: 1
$x_1_2 = "pxqDsBPmp0nY" ascii //weight: 1
$x_1_3 = "$TR$4E" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}49f4ceb17f9e44be27e065513a036f22da0bd0688a9a5d9c479b8aa70b7f3110Isolate the affected machine from the network immediately to prevent lateral movement. Use the security software to quarantine and remove the threat. Investigate the initial access vector and reset credentials for any user accounts associated with the compromised device.