$ analyze-threat Backdoor:Win32/Berbew!pz
Backdoor:Win32/Berbew!pz - Windows Defender threat signature analysis


$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Win32/Berbew!pz
Classification:
  Type: Backdoor
  Platform: Win32
  Family: Berbew
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), 32-bit Windows platform, Berbew family.

Summary:

Backdoor:Win32/Berbew!pz is a concrete detection of a sophisticated backdoor from the Berbew family. It establishes remote access, maintains persistence through mechanisms such as scheduled tasks, and executes commands through legitimate Windows tools such as PowerShell, rundll32, and regsvr32. The threat is designed for extensive system control, data exfiltration, and follow-on malicious activity.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - io\Programas\Inicio\ (PEHSTR_EXT)
 - \WINME\M (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Remediation Steps:
Immediately isolate the affected system, run a full antivirus scan to remove the threat, and investigate for persistence mechanisms and lateral movement. Rotate all credentials used on the compromised machine and consider a full re-image if deep compromise is suspected.
=== END REPORT ===
This analysis was last updated on 22/03/2026.