Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family DCRat
This is a concrete detection of Trojan:Win32/DCRat.MQ!MTB, a variant of the DarkCrystal Remote Access Trojan (RAT). DCRat is a highly malicious tool that allows attackers to gain remote control over infected systems. It facilitates data theft, execution of arbitrary commands, and deployment of further malicious payloads, posing a significant threat to system integrity and data confidentiality.
No specific strings found for this threat
rule Trojan_Win32_DCRat_MQ_2147907303_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/DCRat.MQ!MTB"
        threat_id = "2147907303"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "DCRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "11"
        strings_accuracy = "High"
    strings:
        $x_5_1 = {74 0f b0 01 eb 30 85 ff 74 03 c6 07 01 32 c0 eb 25} //weight: 5, accuracy: High
        $x_5_2 = ".vbe" ascii //weight: 5
        $x_1_3 = "DarkCrystal RAT" wide //weight: 1
        $x_1_4 = "DCrat" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((2 of ($x_5_*) and 1 of ($x_1_*))) or
            (all of ($x*))
        )
}

4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed

Immediately isolate the infected system from the network. Conduct a full system scan with updated antivirus, remove all detected malicious files, and diligently investigate for persistence mechanisms. Reset any potentially compromised credentials and ensure all system security patches are applied.