$ analyze-threat Backdoor:MSIL/XWormRAT!rfn
Backdoor:MSIL/XWormRAT!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/XWormRAT!rfn
Classification:
 - Type: Backdoor
 - Platform: MSIL
 - Family: XWormRAT
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !rfn (specific ransomware family name)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the .NET / MSIL (Microsoft Intermediate Language) platform, family XWormRAT.

Summary:

This is a concrete detection of XWormRAT, a .NET-based Remote Access Trojan (RAT). The technical analysis confirms its ability to establish persistence via Scheduled Tasks, execute commands using system utilities like PowerShell and rundll32, and hook system functions to potentially steal data, giving an attacker remote control over the compromised machine.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
No specific strings found for this threat
YARA Rule:
rule Trojan_Win64_XWormRAT_A_2147891366_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/XWormRAT.A!MTB"
        threat_id = "2147891366"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "XWormRAT"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "go-runpe" ascii //weight: 2
        $x_2_2 = "cipher.NewCFBDecrypter" ascii //weight: 2
        $x_2_3 = "ioutil.TempDir" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Filename: dd.bat
 - SHA-256: 78d390316afdd752af4ac8648ef90a51329291c2c13f80509c4163b9bab177bf (24/11/2025)
 - SHA-256: bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705 (06/11/2025)
Remediation Steps:
Immediately isolate the affected machine from the network. Use an updated antivirus to perform a full scan and remove all detected components. Since this is a RAT, assume full system compromise: change all passwords associated with the machine and its users, and consider re-imaging the device to ensure complete threat removal.
=== END REPORT ===
This analysis was last updated on 08/11/2025.