Trojan:Win32/DCRat!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/DCRat!rfn
Classification:
Type: Trojan
Platform: Win32
Family: DCRat
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (Microsoft detection suffix; it does not change the classification, and DCRat is a remote access trojan, not a ransomware family)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family DCRat.

Summary:

This is a concrete detection of the DCRat Remote Access Trojan (RAT). The malware gives an attacker full control of the infected system: it can steal data (the signature strings below reference Discord's Local Storage\leveldb), execute commands, take screenshots and capture the clipboard, and download additional payloads from remote servers.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - DCRatBuild.exe (PEHSTR_EXT)
 - DCRatBuild.Visitors (PEHSTR_EXT)
 - DCRatBuild.Configurations (PEHSTR_EXT)
 - DCRatBuild.Dictionaries (PEHSTR_EXT)
 - %s%s.dll (PEHSTR_EXT)
 - C:\TEMP\dal.exe (PEHSTR_EXT)
 - \mnb.exe (PEHSTR_EXT)
 - \discord\Local Storage\leveldb (PEHSTR_EXT)
 - Work.log (PEHSTR_EXT)
 - ZGKiHslGPo6vWnIjal.y9LylEaSct3rSferV0 (PEHSTR_EXT)
 - root\SecurityCenter (PEHSTR_EXT)
 - x5E0awbitEqjSDmgDX.oN8Qlsvu43PVCqLX8G (PEHSTR_EXT)
 - 2020.4.11.16511847 (PEHSTR_EXT)
 - System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
 - BHxqwq8oyu12VhypWS.fueOfykw4Q0JxKbAk1 (PEHSTR_EXT)
 - 2020.4.11f1_fbf367ac14e9 (PEHSTR_EXT)
 - pestilence.pdb (PEHSTR_EXT)
 - System.Text.RegularExpressions (PEHSTR_EXT)
 - DCRat (PEHSTR_EXT)
 - DCRat.Code (PEHSTR_EXT)
 - Screenshot (PEHSTR_EXT)
 - l&a \ (PEHSTR_EXT)
 - .themida (PEHSTR_EXT)
 - cMDTM.pdb (PEHSTR_EXT)
 - //a0791030.xsph.ru/exta.exe (PEHSTR_EXT)
 - start C:\ProgramData\exta.exe (PEHSTR_EXT)
 - RustCheatCheck.pdb (PEHSTR_EXT)
 - DCRatLoader (PEHSTR_EXT)
 - FtOHK.g.resources (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows Defender\Exclusions (PEHSTR_EXT)
 - vmsrvc.sys (PEHSTR_EXT)
 - UNCOMPRESSED_END (PEHSTR_EXT)
 - \vGN+T (SNID)
 - HttpMessageInvoker (PEHSTR_EXT)
 - Ingjqgvfofy.Properties.Resources (PEHSTR_EXT)
 - jSECRMN2uUh0fW6MeH.Y7OR5DLD9poLlR4axw (PEHSTR_EXT)
 - GxV7QmoeICF2mh50fu.FP6E8LuOYh1uRDvJng (PEHSTR_EXT)
 - mvpbOg99PjLvdbnkrI.cLBjm8fZMMinCvfQFZ (PEHSTR_EXT)
 - hBG0VnIlUfOCISBMZK.WTT95vPmmENthbNmPH (PEHSTR_EXT)
 - bqs6JKWlADqlEDalKA.MbWDAkGFfnmAESC5PM (PEHSTR_EXT)
 - 29kPcnkQO6kESJwAVp.F4xJDtTN9YB4err3DC (PEHSTR_EXT)
 - p91naAPJ3ftIdgWgHn.eIcV1J10NMXHttmQkC (PEHSTR_EXT)
 - QNCrsiJpiyNybOjyV3.Ph5OjfZTud820ZkHal (PEHSTR_EXT)
 - FVodu0kYNVZZ56GXoDG4sjRevFjsrsPWS7OySoti1G7D (PEHSTR_EXT)
 - )qwqdanchun.Properties.Resources.resources (PEHSTR)
 - eBqg1qYY2MBJc40AiZ.t1oQwgWNtVa1T4XkgM (PEHSTR_EXT)
 - cktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
 - ecktOgAu20kZfM6aZTzWLhk6dDlzbKi.vbe (PEHSTR_EXT)
 - WLhk6dDlzbKi.vbe (PEHSTR_EXT)
 - serverWebBroker.exe (PEHSTR_EXT)
 - DrivermonitorCommon (PEHSTR_EXT)
 - ".NET Reactor" (PEHSTR_EXT)
 - clrjit.dll (PEHSTR_EXT)
 - YRYpuOK33h3Iv3xmfo.TBC8XU5AL96GUo8htw (PEHSTR_EXT)
 - muel9jwYZZsixLNgC6.2xmOdSgAEH8u1RLSnf (PEHSTR_EXT)
 - jluiR6INEsGUXyjwaS.LKSvsOfnqhRnCSdLh4 (PEHSTR_EXT)
 - Q9uica2a622InXT8Sx.4aYyTZRtX532xwliFI (PEHSTR_EXT)
 - 0ywRuctNsJTbkcJr0l.5XcA1kVBcXdCKURQ4I (PEHSTR_EXT)
 - ER\SO (MACROHSTR_EXT)
 - FT" + "WARE\Mic" + "rosoft\Win" + "dows NT\Curre" + "ntVers (MACROHSTR_EXT)
 - ion\Win" + "dows\L" + "OAD" (MACROHSTR_EXT)
 - = CreateObject("WScr" + "ipt.Sh" + "ell") (MACROHSTR_EXT)
 - fileNameDigitalRSASignature = "Use" + "rCac" + "he.in" + "i.h" + "ta (MACROHSTR_EXT)
 - fileNameCHECKSUM = "Us" + "erC" + "ac" + "he.i" + "ni (MACROHSTR_EXT)
 - net/http.fakeLocker,sync.Locker (PEHSTR_EXT)
 - github.com/MrBrounr/main/raw/main/naker.exe (PEHSTR_EXT)
 - TessaLetMeDie601Violet.jnfvqq (PEHSTR_EXT)
 - scoree.dCl (PEHSTR_EXT)
 - Something is fishy. [{0}] (PEHSTR_EXT)
 - [Screenshot] Saving screenshots from (PEHSTR_EXT)
 - [Clipboard] Saving information... (PEHSTR_EXT)
 - [SystemInfromation] Saving information... (PEHSTR_EXT)
 - Loader.pdb (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
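The strings above are what a static string signature keys on. The following is an added example, not Microsoft's engine, signature or weights: a scanner that looks for a subset of the listed strings in a file as ASCII and as UTF-16LE, because the .NET builds this family ships as store user strings in UTF-16LE and a narrow-only search misses them. The weights and threshold are assumptions for illustration, and the sample buffers are constructed.

```python
r"""String sweep modelled on the PEHSTR-style strings listed above.

Added example, not Microsoft's engine or signature. It searches a file for a
subset of the listed strings as ASCII and as UTF-16LE (the encoding .NET
stores user strings in), weights distinct hits and compares the sum with a
threshold. Weights and threshold are assumptions; the real ones are not public.
"""
import sys
from typing import Dict, List, Tuple

# Subset of the report's strings with assumed weights.
WEIGHTED_STRINGS: Dict[str, int] = {
    "DCRat": 10,
    "DCRat.Code": 10,
    "DCRatLoader": 10,
    "DCRatBuild.Configurations": 10,
    r"\discord\Local Storage\leveldb": 5,
    r"SOFTWARE\Microsoft\Windows Defender\Exclusions": 5,
    r"C:\TEMP\dal.exe": 5,
    "System.Security.Cryptography.AesCryptoServiceProvider": 1,
    "Screenshot": 1,
    ".themida": 2,
    '".NET Reactor"': 2,
}
THRESHOLD = 15  # assumed

ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def find_strings(data: bytes, needles: Dict[str, int] = WEIGHTED_STRINGS) -> List[Tuple[str, str, int]]:
    """Every (needle, encoding, offset) occurrence in data, in both encodings."""
    hits = []
    for s in needles:
        for label, codec in ENCODINGS:
            pat = s.encode(codec)
            pos = data.find(pat)
            while pos >= 0:
                hits.append((s, label, pos))
                pos = data.find(pat, pos + 1)
    return hits


def score(data: bytes, needles: Dict[str, int] = WEIGHTED_STRINGS) -> int:
    """Each distinct string contributes its weight once, however often it occurs
    (a weight-and-threshold scheme; not the real rule's logic)."""
    present = {s for s, _, _ in find_strings(data, needles)}
    return sum(needles[s] for s in present)


def verdict(data: bytes) -> bool:
    return score(data) >= THRESHOLD


# Constructed sample: a fake PE header, one ASCII string, two UTF-16LE strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"DCRatLoader\x00"
    + "\\discord\\Local Storage\\leveldb".encode("utf-16-le") + b"\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions".encode("utf-16-le")
)
# Constructed benign-looking sample: a generic word alone must not trip the threshold.
BENIGN = b"MZ\x90\x00" + b"Screenshot\x00" + b"\x00" * 32


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s, enc, off in find_strings(blob):
        print(f"{off:#010x} {enc:8s} {s}")
    print("score", score(blob), "detected" if verdict(blob) else "clean")
```

Run it with a file path to sweep a real sample; without one it scans the constructed buffer. Note that "DCRat" also fires inside "DCRatLoader", which is why a short generic string should carry little weight on its own in a real rule.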
Known sample associated with this threat:
Filename: E7C799DB693AE5E67D89FDBB310D1C2D.exe
SHA-256: 89d515fe47e82922e3a449ed45a42bffab9e7ca73da575e02b9c2732d365256b
Date: 23/11/2025
Remediation Steps:
Immediately isolate the affected machine from the network and collect volatile evidence (running processes, network connections, scheduled tasks) before cleaning. Perform a full antivirus scan to remove all malicious components, and check the artefacts the signature strings point to: drop locations such as C:\ProgramData\exta.exe and C:\TEMP\dal.exe, the download host a0791030.xsph.ru in proxy and DNS logs, and the registry key SOFTWARE\Microsoft\Windows Defender\Exclusions for exclusions the malware may have added to hide itself. Because this RAT grants complete control of the system, rotate every credential and token used on the machine (including Discord session data, which the sample targets) and prefer a full re-image over in-place cleanup to ensure complete removal.
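To check the Defender exclusions point from an offline collection, here is an added example that is not part of the report: it parses the text of a `reg export` of the Exclusions key and reports which of the drop paths named in the strings above would be hidden by a path or extension exclusion. The registry export is constructed; entries under Processes are parsed but not matched, because a process exclusion covers files that process opens, not the executable itself.

```python
r"""Offline check of Defender exclusion entries against known drop paths.

Added example, not part of the report. REG_TEXT is constructed to look like
the output of:
    reg export "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" out.reg
"""
from pathlib import PureWindowsPath
from typing import Dict, List

# Full drop paths that appear verbatim in the signature strings.
DROP_PATHS = [r"C:\ProgramData\exta.exe", r"C:\TEMP\dal.exe"]

# Constructed export: one path exclusion that would hide exta.exe, one
# extension exclusion that does not cover .exe, and no process exclusions.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\ProgramData"=dword:00000000
"C:\\Users\\Public\\Documents"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
".vbe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"""


def parse_reg_export(text: str) -> Dict[str, List[str]]:
    """Map each [key] section to the value names under it (.reg doubles backslashes)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current and line.startswith('"'):
            name = line[1:line.index('"', 1)]          # value name between the quotes
            sections[current].append(name.replace("\\\\", "\\"))
    return sections


def covering_exclusions(sections: Dict[str, List[str]], drop_paths=DROP_PATHS) -> Dict[str, List[str]]:
    """Return {drop path: [exclusion entries that would stop it being scanned]}."""
    findings: Dict[str, List[str]] = {}
    for drop in drop_paths:
        dp = PureWindowsPath(drop)
        hiding: List[str] = []
        for key, names in sections.items():
            kind = key.rsplit("\\", 1)[-1].lower()    # Paths / Extensions / Processes
            for name in names:
                if kind == "paths":
                    ep = PureWindowsPath(name)
                    # PureWindowsPath compares case-insensitively; a parent directory covers the file.
                    if dp == ep or ep in dp.parents:
                        hiding.append(f"Paths: {name}")
                elif kind == "extensions":
                    if dp.suffix.lstrip(".").lower() == name.lstrip(".").lower():
                        hiding.append(f"Extensions: {name}")
                # Processes entries exclude files opened by that process, not the
                # binary itself, so they are parsed but deliberately not matched.
        if hiding:
            findings[drop] = hiding
    return findings


def check_export(text: str = REG_TEXT) -> Dict[str, List[str]]:
    return covering_exclusions(parse_reg_export(text))


if __name__ == "__main__":
    for drop, entries in check_export().items():
        print(f"{drop} would be hidden by: {', '.join(entries)}")
```

Feed it the text of a real export to see which of the report's drop paths an attacker-added exclusion would shield; any hit is a reason to remove the exclusion and rescan before trusting a clean result.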
=== END REPORT ===
Analysis last updated: 23/11/2025