Backdoor:MSIL/Crysan - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/Crysan
Classification:
Type: Backdoor
Platform: MSIL
Family: Crysan
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the MSIL (.NET Microsoft Intermediate Language) platform, family Crysan.

Summary:

Backdoor:MSIL/Crysan is a .NET-based backdoor that provides a remote attacker with unauthorized control over the compromised system. It leverages legitimate Windows tools for execution, establishes persistence via scheduled tasks, and hooks system functions to evade detection and steal information.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Backdoor_MSIL_Crysan_AA_2147793589_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/Crysan.AA!MTB"
        threat_id = "2147793589"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Crysan"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "19"
        strings_accuracy = "Low"
    strings:
        $x_10_1 = {0b 03 17 fe 02 16 fe 01 0c 08 2c 04 07 0a 2b 34 03 0d 17 13 04 2b 24 07 28 ?? 00 00 0a 11 04 fe 04 13 05 11 05 2c 0d 72 ?? ?? ?? 70 07 28 ?? 00 00 0a 0b 00 00 11 04 17 d6 13 04 11 04 09 31 d7 07 0a 2b 00 06 2a}  //weight: 10, accuracy: Low
        $x_3_2 = "System.Net.Sockets" ascii //weight: 3
        $x_3_3 = "HttpWebRequest" ascii //weight: 3
        $x_3_4 = "FtpWebRequest" ascii //weight: 3
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
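How the weighted PEHSTR_EXT strings in the rule above resolve to its "all of ($x*)" condition, as an added example (not code from the original report or from the Defender signature itself): the weights 10+3+3+3 sum exactly to the stated threshold of 19, so dropping any one string leaves a sample below threshold. The samples are constructed byte blobs, not real malware.

```python
import re

# Weighted strings transcribed from the rule above ($x_10_1 is the hex
# pattern, with YARA's "??" single-byte wildcard); weights sum to the
# rule's threshold of 19, which is why its condition is "all of ($x*)".
THRESHOLD = 19
MAX_SIZE = 20 * 1024 * 1024  # the rule's "filesize < 20MB"
HEX_X_10_1 = (
    "0b 03 17 fe 02 16 fe 01 0c 08 2c 04 07 0a 2b 34 03 0d 17 13 04 2b 24 07 28 "
    "?? 00 00 0a 11 04 fe 04 13 05 11 05 2c 0d 72 ?? ?? ?? 70 07 28 ?? 00 00 0a "
    "0b 00 00 11 04 17 d6 13 04 11 04 09 31 d7 07 0a 2b 00 06 2a"
)
WEIGHTED = [  # (name, weight, kind, value)
    ("x_10_1", 10, "hex", HEX_X_10_1),
    ("x_3_2", 3, "ascii", "System.Net.Sockets"),
    ("x_3_3", 3, "ascii", "HttpWebRequest"),
    ("x_3_4", 3, "ascii", "FtpWebRequest"),
]

def hex_to_regex(pattern):
    """Compile a YARA-style hex string into a bytes regex; '??' matches any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def score(sample):
    """Return (total weight, matched string names) for the weighted strings."""
    total, hits = 0, []
    for name, weight, kind, value in WEIGHTED:
        rx = hex_to_regex(value) if kind == "hex" else re.compile(re.escape(value.encode()))
        if rx.search(sample):
            total += weight
            hits.append(name)
    return total, hits

def is_detected(sample):
    """Mirror the rule's condition: size limit plus weight total reaching the threshold."""
    total, _ = score(sample)
    return len(sample) < MAX_SIZE and total >= THRESHOLD

def instantiate_hex(pattern, fill=0x41):
    """Build concrete bytes from the hex pattern, filling wildcards with `fill`."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())

# Constructed samples (not real files): a fake header plus the strings of interest.
CODE = instantiate_hex(HEX_X_10_1)
FULL = b"MZ\x90\x00" + CODE + b"\x00System.Net.Sockets\x00HttpWebRequest\x00FtpWebRequest\x00"
NET_ONLY = b"MZ\x90\x00System.Net.Sockets\x00HttpWebRequest\x00FtpWebRequest\x00"
NO_FTP = b"MZ\x90\x00" + CODE + b"\x00System.Net.Sockets\x00HttpWebRequest\x00"

if __name__ == "__main__":
    for label, s in [("all four", FULL), ("network strings only", NET_ONLY), ("no FtpWebRequest", NO_FTP)]:
        print(label, score(s), "detected" if is_detected(s) else "below threshold")
```

Only the full sample reaches 19; the three network strings alone score 9 and the hex pattern without FtpWebRequest scores 16, so a looser threshold would be the first thing to tune if this rule were adapted for hunting.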
Remediation Steps:
Immediately isolate the affected machine from the network. Use a trusted antivirus tool for a full scan to remove the threat and its components, paying special attention to scheduled tasks for persistence. Reset all user passwords on the machine as credentials may have been compromised.
=== END REPORT ===
This analysis was last updated on 09/11/2025.