Backdoor:Win32/Farfli!pz - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Win32/Farfli!pz
Classification:
Type: Backdoor
Platform: Win32
Family: Farfli
Detection Type: Concrete
Known malware family with identified signatures
Suffix: !pz
Packed or compressed to evade detection (this is the site's reading of the suffix; Microsoft's public malware-naming guide does not define !pz, so treat it as an inference rather than a documented attribute)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), 32-bit Windows platform, family Farfli.

Summary:

Backdoor:Win32/Farfli!pz is a 32-bit Windows backdoor that gives a remote operator control of the infected system. Farfli is Microsoft's family name for Gh0st RAT-derived backdoors, and the signature strings below reflect that lineage: the Global\Gh0st mutex, service-based persistence as a svchost.exe ServiceDll (-k netsvcs, plus a custom -k sougou group), Run-key and ShellExecuteHooks persistence, enumeration and killing of security-product processes (360tray.exe, KSafeTray.exe, avp.exe, Ravmond.exe and others), keystroke logging ([Caps Lock], [Print Screen] markers), RDP tampering through replaced accessibility binaries (sethc.exe, osk.exe, magnify.exe) and termsrvhack.dll, a TCP connect-flood routine, self-deletion via cmd.exe /c ping 127.0.0.1 ... && del, and command-and-control over dynamic-DNS hosts (3322.org, f3322.org) and hard-coded IP addresses.

Severity:
High
VDM Static Detection:
Strings carried by the Defender VDM signatures for this family, each tagged with the mpengine signature type it comes from. PEHSTR and PEHSTR_EXT are weighted-substring signatures: every string has a weight and the signature fires when the summed weight of the strings found in the file reaches the rule's threshold. The weights and thresholds are not reproduced here, so no single string below is a detection on its own. Entries of the form !#HSTR:Name (the mshta, regsvr32, BITS-job and scheduled-task rules near the end of the list) appear to reference other named HSTR rules rather than bytes in the sample. Many entries are generic (section names, common Windows API and process names) and only count in combination; the family-specific material is the Gh0st mutex, the svchost/netsvcs ServiceDll persistence, the security-product process names, the accessibility-binary and termsrvhack.dll RDP tampering, the keylogger markers, the DDNS hosts (3322.org, f3322.org) and the PDB paths.
Relevant strings associated with this threat:
 - KeServiceDescriptorTable (PEHSTR_EXT)
 - KeDelayExecutionThread (PEHSTR_EXT)
 - ntoskrnl.exe (PEHSTR_EXT)
 - .farfly.org/tj/ (PEHSTR_EXT)
 - SOFTWARE\Microsoft\IE4\ (PEHSTR_EXT)
 - .txt? (PEHSTR_EXT)
 - \\.\Global\ClanAvb (PEHSTR_EXT)
 - !attrib "C:\myapp.exe" -r -a -s -h (PEHSTR)
 - KeServiceDescriptorTable (PEHSTR)
 - 360TraY.exe (PEHSTR)
 - soul*exe (PEHSTR)
 - Dsoftware\Microsoft\Windows\CurrentVersion\exploRER\ShellexecuteHooks (PEHSTR)
 - Ravmond.exe (PEHSTR)
 - avp.exe (PEHSTR)
 - WinExec (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\explorER\ShellExecuteHooks (PEHSTR_EXT)
 - IofCompleteRequest (PEHSTR_EXT)
 - \systemroot\system32\%s (PEHSTR_EXT)
 - PsCreateSystemThread (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - h.data (PEHSTR_EXT)
 - .reloc (PEHSTR_EXT)
 - explorer.exe (PEHSTR_EXT)
 - shell\open\command (PEHSTR_EXT)
 - SYSTEM\CurrentControlSet\Services\%s (PEHSTR_EXT)
 - ServiceDll (PEHSTR_EXT)
 - System32\svchost.exe -k netsvcs (PEHSTR_EXT)
 - Global\Gh0st (PEHSTR_EXT)
 - SYSTEM\CurrentControlSet\Services\BITS (PEHSTR_EXT)
 - \\.\MINISAFEDOS (PEHSTR_EXT)
 - SOFTWARE\KasperskyLab\WmiHlp\{2C4D4BC6-0793-4956-A9F9-E252435469C0} (PEHSTR_EXT)
 - s%\secivreS\teSlortnoCtnerruC\METSYS (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (PEHSTR_EXT)
 - %SystemRoot%\System32\svchost.exe -k netsvcs (PEHSTR_EXT)
 - Net-Temp.ini (PEHSTR_EXT)
 - c:\NT_Path.old (PEHSTR_EXT)
 - \syslog.dat (PEHSTR_EXT)
 - %swindows\xinstall%d.dll (PEHSTR_EXT)
 - c:\Win_lj.ini (PEHSTR_EXT)
 - ConneCtIOns\pbk\raSPHONE.pbk (PEHSTR_EXT)
 - \user.dat (PEHSTR_EXT)
 -  \cmd.exe (PEHSTR_EXT)
 - %s\Parameters (PEHSTR_EXT)
 - wow.exe (PEHSTR_EXT)
 - tw2.exe (PEHSTR_EXT)
 - <H1>403 Forbidden</H1> (PEHSTR_EXT)
 - ttp://127.0.0.1:8888/ip.txt (PEHSTR_EXT)
 - [C.a.p.s.L.o.c.k.] (PEHSTR_EXT)
 - \Startup\hao567.exe (PEHSTR_EXT)
 - COMMAND_UNPACK_RAR reve (PEHSTR_EXT)
 - lla/4.0 (TOKEZ) (PEHSTR_EXT)
 - \esent.dll (PEHSTR_EXT)
 - %s\wi%dnd.temp (PEHSTR_EXT)
 - 1\Run","Update",,"rundll32.exe "" (PEHSTR_EXT)
 - C:\FW.FW (PEHSTR_EXT)
 - %s%s*.* (PEHSTR_EXT)
 - lla/4.0 (compatible) (PEHSTR_EXT)
 - %s\shell\open\command (PEHSTR_EXT)
 - http://hh.rooter.tk/ytj/ytj.exe (PEHSTR_EXT)
 - \\.\agmkis2 (PEHSTR_EXT)
 - Http/1.1 403 ForbiddeN (PEHSTR_EXT)
 - %s\%s\dat\%d%d (PEHSTR_EXT)
 - %s\%sex.dll (PEHSTR_EXT)
 - .f3322.org:65500/Consys (PEHSTR_EXT)
 - 0-9.dll (PEHSTR_EXT)
 - 202.107.204.209:65500/ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - C:\Program Files\AppPatch\mysqld.dll (PEHSTR_EXT)
 - TCPConnectFloodThread.target (PEHSTR_EXT)
 - http://119.249.54.113/ (PEHSTR_EXT)
 - HARDWARE\DESCRIPTION\System\CentralProcessor\0 (PEHSTR_EXT)
 - lyb/log.html? (PEHSTR_EXT)
 - 360Safe.exe (PEHSTR_EXT)
 - \Fonts\service.exe (PEHSTR_EXT)
 - KSafeTray.exe (PEHSTR_EXT)
 - 360tray.exe (PEHSTR_EXT)
 - /c del /q %s (PEHSTR_EXT)
 - InjectDLL.dll (PEHSTR_EXT)
 - System%c%c%c.exe (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - Applications\iexplore.exe\shell\open\command (PEHSTR_EXT)
 - kinh.xmcxmr.com (PEHSTR_EXT)
 - \xhjmjj.dat (PEHSTR_EXT)
 - %SystemRoot%\System32\svchost.exe -k sougou (PEHSTR_EXT)
 - wldlog.dll (PEHSTR_EXT)
 - softWARE\Microsoft\Windows NT\CurrentVersion\SvcHost (PEHSTR_EXT)
 - SVP7.PNG (PEHSTR_EXT)
 - users.qzone.qq.com (PEHSTR_EXT)
 - cgi_get_portrait.fcg (PEHSTR_EXT)
 - c:\windows\blackcat1.log (PEHSTR_EXT)
 - C:\INTERNAL\REMOTE.EXE (PEHSTR_EXT)
 -  in DOS mode. (PEHSTR_EXT)
 - InitCommonControls (PEHSTR_EXT)
 - jesso.3322.org (PEHSTR_EXT)
 - c:\Windows\%s%d.exe (PEHSTR_EXT)
 - c:\Windows\BJ.exe (PEHSTR_EXT)
 - http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg? (PEHSTR_EXT)
 - DUB.exe (PEHSTR_EXT)
 - S.exe (PEHSTR_EXT)
 - YY.exe (PEHSTR_EXT)
 - V3Svc.exe (PEHSTR_EXT)
 - skybluehacker@yahoo.com.cn (PEHSTR_EXT)
 - anonymous@123.com (PEHSTR_EXT)
 - \shell\open\command (PEHSTR_EXT)
 - GetScrollPos (PEHSTR_EXT)
 - Debug\Eidolon.exe (PEHSTR_EXT)
 - www.xy999.com (PEHSTR_EXT)
 - Eidolon.ini (PEHSTR_EXT)
 - NisSrv.exe (PEHSTR_EXT)
 - %s\%s.exe (PEHSTR_EXT)
 - UnThreat.exe (PEHSTR_EXT)
 - ad-watch.exe (PEHSTR_EXT)
 - avcenter.exe (PEHSTR_EXT)
 - knsdtray.exe (PEHSTR_EXT)
 - C:Windows88.exe (PEHSTR_EXT)
 - 203.160.54.250/9 (PEHSTR_EXT)
 - File created successfully. (PEHSTR_EXT)
 - C:\%ssvchast.exe (PEHSTR_EXT)
 - .symtab (PEHSTR_EXT)
 - ScreenToClient (PEHSTR_EXT)
 - */y6n (SNID)
 - :\Windows\DNomb\Mpec.mbt (PEHSTR_EXT)
 - ://whtty.oss-cn-hongkong.aliyuncs.com (PEHSTR_EXT)
 - cmd.exe /c del (PEHSTR_EXT)
 - haidishijie.3322.org (PEHSTR_EXT)
 - unknown compression method (PEHSTR_EXT)
 - c:\%s.exe (PEHSTR_EXT)
 - http://192.168.100.83 (PEHSTR_EXT)
 - http://www.1.com (PEHSTR_EXT)
 - DatePickerDemo.EXE (PEHSTR_EXT)
 - MFCApplication1.AppID.NoVersion (PEHSTR_EXT)
 - Users\MRK (PEHSTR_EXT)
 - MFCApplication1.pdb (PEHSTR_EXT)
 - Consys21.dll (PEHSTR_EXT)
 - http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins (PEHSTR_EXT)
 - Server\Debug\DHL2012.pdb (PEHSTR_EXT)
 - ResSkin.exe (PEHSTR_EXT)
 - Server.Dat (PEHSTR_EXT)
 - Speed.exe (PEHSTR_EXT)
 - 111.cf599.com (PEHSTR_EXT)
 - C:\WINDOWS\SYSTEM32\explor.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\documents and settings\ All users\start menu\programs\start up\explor.exe (PEHSTR_EXT)
 - 192.168.1.244 (PEHSTR_EXT)
 - c:\Program Files\NT_Path.gif (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost (PEHSTR_EXT)
 - SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip (PEHSTR_EXT)
 - SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
 - sfwu.3322.org (PEHSTR_EXT)
 - Scroll (PEHSTR_EXT)
 - SOFTWARE\Classes\.386 (PEHSTR_EXT)
 - C:\ProgramData\rundll3222.exe (PEHSTR_EXT)
 - http://107.151.94.70 (PEHSTR_EXT)
 - C:\ProgramData\svchost.txt (PEHSTR_EXT)
 - ojbkcg.exe (PEHSTR_EXT)
 - e:\vs\lujk\Release\lujk.pdb (PEHSTR_EXT)
 - http://194.146.84.243:4397/77 (PEHSTR_EXT)
 - \rundll3222.exe (PEHSTR_EXT)
 - \svchost.txt (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - L/Z0e (PEHSTR_EXT)
 - /Bfb7AvC (PEHSTR_EXT)
 - .themida (PEHSTR_EXT)
 - .boot (PEHSTR_EXT)
 - TelegramDll.dll (PEHSTR_EXT)
 - /dumpstatus (PEHSTR_EXT)
 - /checkprotection (PEHSTR_EXT)
 - /forcerun (PEHSTR_EXT)
 - DllUpdate (PEHSTR_EXT)
 - maindll.dll (PEHSTR_EXT)
 - @.themida (PEHSTR_EXT)
 - 156.234.65 (PEHSTR_EXT)
 - \Documents\svchost.txt (PEHSTR_EXT)
 - \Documents\1.rar (PEHSTR_EXT)
 - \Documents\jdi.lnk (PEHSTR_EXT)
 - \Release\sdasdasd.pdb (PEHSTR_EXT)
 - Public\Documents\7z.exe (PEHSTR_EXT)
 - C:\ProgramData\7z.exe (PEHSTR_EXT)
 - .vLncpy0 (PEHSTR_EXT)
 - .vLncpy1 (PEHSTR_EXT)
 - c ping 127.0.0.1 -n 1 && del /f/q  (PEHSTR_EXT)
 - post.f2pool.info (PEHSTR_EXT)
 - MainDll.dll (PEHSTR_EXT)
 - WINDOWS\system32\BRemotes.exe (PEHSTR_EXT)
 - user.qzone.qq.com (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v BATCOM (PEHSTR_EXT)
 - RECYLLE.BIN\TorchWooc (PEHSTR_EXT)
 - ChromeSecsv7%d7.exe (PEHSTR_EXT)
 - Program Files\Common Files\scvhost.exe (PEHSTR_EXT)
 - cmd /C  regedit /s Uac.reg (PEHSTR_EXT)
 - CcMainDll.dll (PEHSTR_EXT)
 - svchsot.exe (PEHSTR_EXT)
 - host123.zz.am (PEHSTR_EXT)
 - main.php (PEHSTR_EXT)
 - %s.exe (PEHSTR_EXT)
 - termsrvhack.dll (PEHSTR_EXT)
 - taskkill /f /im cmd.exe (PEHSTR_EXT)
 - .rotext (PEHSTR_EXT)
 - .rodata (PEHSTR_EXT)
 - C:/Users/Public/Documents/Powermonster.exe (PEHSTR_EXT)
 - C:/Users/Public/Documents/unzip.exe (PEHSTR_EXT)
 - benson.pdb (PEHSTR_EXT)
 - C:\input.txt (PEHSTR_EXT)
 - 360\360Safe\SB360.exe (PEHSTR_EXT)
 - baidu.com (PEHSTR_EXT)
 - Sbrjar Kbskb (PEHSTR_EXT)
 - Jbrja.exe (PEHSTR_EXT)
 - tatusbar.bmp (PEHSTR_EXT)
 - 7zz.exe (PEHSTR_EXT)
 - \ProgramData\360.dll (PEHSTR_EXT)
 - ProgramData\rundll3222.exe (PEHSTR_EXT)
 - \ProgramData\svchost.txt (PEHSTR_EXT)
 - www.appspeed.com (PEHSTR_EXT)
 - AADz6AABBY/zxuDQzOXS4daPANLh5cbQ0q8 (PEHSTR_EXT)
 - kuge3907@sina.com (PEHSTR_EXT)
 - C:\myself.dll (PEHSTR_EXT)
 - Control_RunDLLW (PEHSTR_EXT)
 - HlMain.dll (PEHSTR_EXT)
 - \Program Files\%d%D.COM (PEHSTR_EXT)
 - sjaklej4ijalkbnlksjlksjkg.exe (PEHSTR_EXT)
 - [Scroll Lock] (PEHSTR_EXT)
 - lld.23ipavda (PEHSTR_EXT)
 - [Print Screen] (PEHSTR_EXT)
 - gitee.com//standar//plug-in-2//raw/master//Sen (PEHSTR_EXT)
 - hloworld.cn (PEHSTR_EXT)
 - Program Files\Common Files\scvh0st.exe (PEHSTR_EXT)
 - admind.f3322.net (PEHSTR_EXT)
 - cmd.exe /c ping 127.0.0.1 (PEHSTR_EXT)
 - www.jinjin.com (PEHSTR_EXT)
 - C:\Program Files\Common Files\scvh0st.exe (PEHSTR_EXT)
 - [Execute] (PEHSTR_EXT)
 - C:\ProgramData\1.txt (PEHSTR_EXT)
 - 103.59.103.16/SHELL.txt (PEHSTR_EXT)
 - s\dllcache\sethc.exe (PEHSTR_EXT)
 - s\dllcache\osk.exe (PEHSTR_EXT)
 - s\dllcache\magnify.exe (PEHSTR_EXT)
 - SystemRoot%\system32\termsrvhack.dll (PEHSTR_EXT)
 - Program Files\Ru%d.EXE (PEHSTR_EXT)
 - vmps1 (PEHSTR_EXT)
 - cmd.exe /c ping 127.0.0.1 -n 2&%s (PEHSTR_EXT)
 - [PRINT_SCREEN] (PEHSTR_EXT)
 - [EXECUTE_key] (PEHSTR_EXT)
 - c:\wiseman.exe (PEHSTR_EXT)
 - AlibabaisSB\mian.exe (PEHSTR_EXT)
 - ://43.142.187.203/ (PEHSTR_EXT)
 - www.testzake.com (PEHSTR_EXT)
 - C:\TEMP\syslog (PEHSTR_EXT)
 - baobeier\Dll1\Release\Dll1.pdb (PEHSTR_EXT)
 - Users\Public\Documents\\IBoxHelper.dll (PEHSTR_EXT)
 - s\%sair.dll (PEHSTR_EXT)
 - C:\syslog.dat (PEHSTR_EXT)
 - \A2\Release\A2.pdb (PEHSTR_EXT)
 - C://ProgramData//zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (PEHSTR_EXT)
 - mod_s0beit.dll (PEHSTR_EXT)
 - .sedata (PEHSTR_EXT)
 - 211.152.147.97/bbs (PEHSTR_EXT)
 - www.sarahclub.com (PEHSTR_EXT)
 - c:\WinRecel\air.dll (PEHSTR_EXT)
 - .vmps0 (PEHSTR_EXT)
 - .vmps1 (PEHSTR_EXT)
 - 1.exe (PEHSTR_EXT)
 - note.youdao.com/yws/public/resource (PEHSTR_EXT)
 - c%c%c%c%c%c.exe (PEHSTR_EXT)
 - xui.ptlogin2.qq.com (PEHSTR_EXT)
 - %s.dmp (PEHSTR_EXT)
 - @shift /0 (PEHSTR_EXT)
 - Melody.dat (PEHSTR_EXT)
 - ShellExecuteExA (PEHSTR_EXT)
 - 103.163.47.247 (PEHSTR_EXT)
 - ProgramData//H (PEHSTR_EXT)
 - AA1\Release\AA1.pdb (PEHSTR_EXT)
 - https://note.youdao.com/yws/public/resource/d443b2f84ff00a25620bd5562b07a800/xmlnote (PEHSTR_EXT)
 - programB.exe (PEHSTR_EXT)
 - 47.242.89.34 (PEHSTR_EXT)
 - F-PROT.exe (PEHSTR_EXT)
 - avgaurd.exe (PEHSTR_EXT)
 - spidernt.exe (PEHSTR_EXT)
 - TrojanHunter.exe (PEHSTR_EXT)
 - QUHLPSVC.EXE (PEHSTR_EXT)
 - CppBackdoor\Loader\Release\Loader.pdb (PEHSTR_EXT)
 - ewteam.e2.luyouxia.net (PEHSTR_EXT)
 - guduo.xyz (PEHSTR_EXT)
 - 115.28.72.212:5760/850lobby.exe (PEHSTR_EXT)
 - batiya.exe (PEHSTR_EXT)
 - ProgramData\homo\2.exe (PEHSTR_EXT)
 - 154.39.239.202 (PEHSTR_EXT)
 - tock.exe (PEHSTR_EXT)
 - test.exe (PEHSTR_EXT)
 - ShellExecuteA (PEHSTR_EXT)
 - C:\Users\Public\565.zip (PEHSTR_EXT)
 - 123.55.89.88 (PEHSTR_EXT)
 - C:\Users\Public\555.zip (PEHSTR_EXT)
 - Software\Microsoft\Plus!\Themes\Current (PEHSTR_EXT)
 - tg://setlanguage? (PEHSTR_EXT)
 - imgcache.vip033324.xyz (PEHSTR_EXT)
 - 87.251.txt (PEHSTR_EXT)
 - pdate360.dat (PEHSTR_EXT)
 - C:\ProgramData\ThunderUpdate (PEHSTR_EXT)
 - hdietrich2@hotmail.com (PEHSTR_EXT)
 - C:\2.txt (PEHSTR_EXT)
 - C:\Windows\Temp\hankjin.temp.%d (PEHSTR_EXT)
 - Startup\hao567.exe (PEHSTR_EXT)
 - 103.100.210.9 (PEHSTR_EXT)
 - 154.211.13.11 (PEHSTR_EXT)
 - C:\Del.bat (PEHSTR_EXT)
 - \KLSNIF.key (PEHSTR_EXT)
 - cloudservicesdevc.tk/picturess/2023 (PEHSTR_EXT)
 - \shellcode\Release\shellcode.pdb (PEHSTR_EXT)
 - CfLHQFYYypycvyszNnPjLmbVYDQMhuenBjKXJSmb (PEHSTR_EXT)
 - LCfxLWkJSsZAglRHckBdnibACKggCDMAqne (PEHSTR_EXT)
 - cmd.exe /c ping 127.0.0.1 -n 2 (PEHSTR_EXT)
 - c:\Microsoft.cjk (PEHSTR_EXT)
 - taskkill /IM 360tray.exe /F (PEHSTR_EXT)
 - .g~b< (SNID)
 - j\%fr (SNID)
 - rossecorPlartneC\metsyS\NOITPIRCSED\ERAWDRAH (PEHSTR_EXT)
 - index[3].txt (PEHSTR_EXT)
 - zhu.exe (PEHSTR_EXT)
 - C:\ProgramData\ProgramData.txt (PEHSTR_EXT)
 - C:\Program Files\Common Files\scvhost.exe (PEHSTR_EXT)
 - 6)\Mf (PEHSTR_EXT)
 - www.97dmu.net (PEHSTR_EXT)
 - 97mu.f3322.org (PEHSTR_EXT)
 - Okbyqce.exe (PEHSTR_EXT)
 - taskkill /f /im rundll32.exe (PEHSTR_EXT)
 - K7TSecurity.exe (PEHSTR_EXT)
 - CMCTrayIcon.exe (PEHSTR_EXT)
 - F-PROT.EXE (PEHSTR_EXT)
 - CorantiControlCenter32.exe (PEHSTR_EXT)
 - //gitee.com (PEHSTR_EXT)
 - //ProgramData//Sen.png (PEHSTR_EXT)
 - %s\%d.bak (PEHSTR_EXT)
 - chrome.exe (PEHSTR_EXT)
 - firefox.exe (PEHSTR_EXT)
 - QQBrowser.exe (PEHSTR_EXT)
 - software\mICROSOFT\wINDOWS nt\cURRENTvERSION\sVCHOST (PEHSTR_EXT)
 - SystemRoot%\System32\svchost.exe -k sougou (PEHSTR_EXT)
 - jinjin.com (PEHSTR_EXT)
 - \ProgramData\update.exe (PEHSTR_EXT)
 - \ProgramData\jfds.txt (PEHSTR_EXT)
 - Windows\Temp\upgrader.back (PEHSTR_EXT)
 - wscript.exe //E:vbscript (PEHSTR_EXT)
 - baiduSafeTray.exe (PEHSTR_EXT)
 - C:\Users\Public\Documents\logo.cco (PEHSTR_EXT)
 - Parallels Software International Inc. (PEHSTR_EXT)
 - HARDWARE\DESCRIPTION\System\BIOS (PEHSTR_EXT)
 - C:\Users\inx.cod (PEHSTR_EXT)
 - \VC\include\streambuf (PEHSTR_EXT)
 - C:\Users\Public\Documents\QeiySBcapV.dat (PEHSTR_EXT)
 - C:\Users\Public\Documents\WindowsData\kail.exe (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
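The list above mixes family-specific indicators with strings found in most PE files. The following script, added here as a worked example and not part of the Defender signature or any Microsoft tool, parses the page's " - string (TYPE)" layout, buckets each string into a triage category, and pulls routable network indicators while dropping the lab addresses (192.168.x, 127.0.0.1) that also appear in the list. The category names, keyword lists and TLD list are the author's own; SAMPLE is a constructed excerpt copied from the list above so the code runs offline.

```python
"""Triage the VDM string list above: parse ' - string (TYPE)' lines, bucket each string,
and pull routable network indicators. Added example for this page, not Microsoft's
signature format or tooling; categories, keyword lists and SAMPLE are the author's own."""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt, copied from the list above in the page's own layout.
SAMPLE = r"""
 - Global\Gh0st (PEHSTR_EXT)
 - %SystemRoot%\System32\svchost.exe -k netsvcs (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - jesso.3322.org (PEHSTR_EXT)
 - 202.107.204.209:65500/ (PEHSTR_EXT)
 - http://194.146.84.243:4397/77 (PEHSTR_EXT)
 - http://192.168.100.83 (PEHSTR_EXT)
 - ttp://127.0.0.1:8888/ip.txt (PEHSTR_EXT)
 - taskkill /IM 360tray.exe /F (PEHSTR_EXT)
 - s\dllcache\sethc.exe (PEHSTR_EXT)
 - SystemRoot%\system32\termsrvhack.dll (PEHSTR_EXT)
 - [C.a.p.s.L.o.c.k.] (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - s%\secivreS\teSlortnoCtnerruC\METSYS (PEHSTR_EXT)
 - CppBackdoor\Loader\Release\Loader.pdb (PEHSTR_EXT)
 - cmd.exe /c ping 127.0.0.1 -n 2&%s (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - */y6n (SNID)
"""

ENTRY_RE = re.compile(r"^\s*-\s+(?P<s>.*?)\s+\((?P<t>[A-Z0-9_]+)\)\s*$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:org|com|net|tk|xyz|cn|am|info))(?=[:/?]|$)", re.I)
REG_RE = re.compile(r"^d?(?:software|system|hardware)\\", re.I)  # one key on the page has a stray leading D
KEYLOG_RE = re.compile(r"\[[^\[\]]+\]")                            # [Caps Lock]-style keystroke markers
EXT_RE = re.compile(r"\.(exe|dll|dat|ini|txt|bat|lnk|rar|zip|png|bmp|log|old|gif|dmp|tmp|temp|reg)$")
# Keyword lists hand-picked from the page, all lowercase; extend as needed.
GENERIC = {".text", ".data", "h.data", ".reloc", ".exe", "explorer.exe", "winexec", "shellexecute",
           "shellexecutea", "shellexecuteexa", "initcommoncontrols", "getscrollpos", "screentoclient",
           "scroll", "in dos mode.", "control_rundllw", "unknown compression method"}
AV_PROCS = ("360tray.exe", "360safe.exe", "sb360.exe", "ksafetray.exe", "ravmond.exe", "avp.exe", "nissrv.exe",
            "v3svc.exe", "unthreat.exe", "ad-watch.exe", "avcenter.exe", "knsdtray.exe", "f-prot.exe", "avgaurd.exe",
            "spidernt.exe", "trojanhunter.exe", "quhlpsvc.exe", "k7tsecurity.exe", "cmctrayicon.exe", "baidusafetray.exe")
RDP_BACKDOOR = ("sethc.exe", "osk.exe", "magnify.exe", "termsrvhack.dll", "rdpwd\\tds\\tcp")
PERSISTENCE = ("currentversion\\run", "shellexecutehooks", "currentversion\\svchost", "servicedll",
               "-k netsvcs", "-k sougou", "startup\\", "shell\\open\\command", "winlogon",
               "services\\bits", "services\\%s", "\\parameters")
COMMAND = ("cmd.exe /c", "cmd /c", "/c del", "regedit /s", "wscript.exe", "attrib ", "rundll32.exe", "ping 127")


def parse_entries(text):
    """(string, signature_type) pairs from ' - string (TYPE)' lines; other lines are skipped."""
    return [(m["s"], m["t"]) for m in map(ENTRY_RE.match, text.splitlines()) if m]


def classify(s):
    """First matching category wins, so specific checks come before broad ones."""
    low, rev = s.lower(), s[::-1]
    rules = (
        ("reference", s.startswith("!#HSTR:")),            # refers to another named HSTR rule
        ("generic", low in GENERIC),                        # present in most PE files; no value alone
        ("keylogger", bool(KEYLOG_RE.fullmatch(s))),
        ("av_tamper", "taskkill" in low or any(p in low for p in AV_PROCS)),
        ("rdp_backdoor", any(t in low for t in RDP_BACKDOOR)),
        ("mutex_or_device", s.startswith("Global\\") or s.startswith("\\\\.\\")),
        ("persistence", any(t in low for t in PERSISTENCE)),
        ("registry", bool(REG_RE.match(s)) or "\\currentversion\\" in low),
        ("obfuscated_reversed", bool(REG_RE.match(rev)) or rev.lower().endswith((".dll", ".exe"))),
        ("command", any(t in low for t in COMMAND)),
        ("email", "@" in s and "." in s.rsplit("@", 1)[-1]),
        ("network", "://" in s or bool(IP_RE.search(s)) or bool(HOST_RE.search(s))),
        ("build_artifact", low.endswith(".pdb")),           # PDB path: pivot on the project name
        ("file_path", "\\" in s or bool(EXT_RE.search(low))),
    )
    for category, hit in rules:
        if hit:
            return category
    return "other"


def triage(text):
    """category -> strings, in page order."""
    buckets = defaultdict(list)
    for s, _sig_type in parse_entries(text):
        buckets[classify(s)].append(s)
    return dict(buckets)


def extract_network(entries):
    """Routable hosts and IPs from 'network' strings; private and loopback addresses are lab leftovers."""
    found = set()
    for s, _sig_type in entries:
        if classify(s) != "network":
            continue
        for ip in IP_RE.findall(s):
            if all(int(o) < 256 for o in ip.split(".")):
                addr = ipaddress.ip_address(ip)
                if not (addr.is_private or addr.is_loopback):
                    found.add(ip)
        found.update(h.lower() for h in HOST_RE.findall(s))
    return sorted(found)


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE).items()):
        print(f"{category:20s} {items}")
    print("network IOCs:", extract_network(parse_entries(SAMPLE)))
```

Run it as-is to print the buckets, or replace SAMPLE with the full list above. Strings that land in generic should never become standalone hunting rules; the reversed registry path and the lld.23ipavda (advapi32.dll) string on the page show one cheap obfuscation the family uses, which the reversal check catches.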
Known sample associated with this threat (SHA-256):
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
Analysis last updated: 17/11/2025
Remediation Steps:
Run a full scan with up-to-date Defender signatures, then hunt for the persistence mechanisms the signature itself names rather than relying on the scan alone: Run values under HKLM and HKCU Software\Microsoft\Windows\CurrentVersion\Run (the strings reference a BATCOM value and an Update value that invokes rundll32.exe), ShellExecuteHooks entries, svchost-hosted services whose Parameters\ServiceDll lies outside System32 or whose group (-k netsvcs, -k sougou) was added to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, the Startup folder (hao567.exe), and system-binary lookalikes such as svchast.exe, scvhost.exe, svchsot.exe, scvh0st.exe, explor.exe and rundll3222.exe dropped in ProgramData, Users\Public, Program Files\Common Files or the Fonts directory. Check the RDP surface as well: sethc.exe, osk.exe and magnify.exe (the accessibility binaries the strings reference under dllcache) against known-good copies, termsrvhack.dll in System32, and the Terminal Server Tds\tcp listener settings. Block or sinkhole the dynamic-DNS and hard-coded C2 hosts listed above at the perimeter, but do not alert on the generic strings (section names, explorer.exe, WinExec, chrome.exe), which appear in benign software. Because the family provides full remote control and logs keystrokes, treat credentials used on the host as exposed and rebuild the machine from a known-good image rather than cleaning in place.
=== END REPORT ===