$ analyze-threat HackTool:Linux/Multiverze!rfn
HackTool:Linux/Multiverze!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: HackTool:Linux/Multiverze!rfn
Classification:
  Type: HackTool
  Platform: Linux
  Family: Multiverze
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !rfn (specific ransomware family name)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for Linux platform, family Multiverze

Summary:

This detection identifies HackTool:Linux/Multiverze!rfn, a concrete Linux-based hacktool. Despite its Linux platform, analysis of embedded strings reveals capabilities to establish persistence on Windows systems via the registry's Run key and interact with Windows components like MSVBVM60.DLL. The tool likely facilitates unauthorized access, exploitation, or remote control, potentially communicating with external domains.

Severity:
High
VDM Static Detection:
Relevant strings associated with this threat:
 - www.gpmce.net (PEHSTR_EXT)
 - www.booble.com (PEHSTR_EXT)
 - MSVBVM60.DLL (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - Vbs$L (SNID)
 - 8Npur_\g (SNID)
 - 9_.pJ] (SNID)
 - ;?._T (SNID)
 - 5js (SNID)
 - RCOM (NID)
 - 7/Oe+f' (SNID)
 - D/ae'r (SNID)
 - M\Y){ (SNID)
 - _\s$& (SNID)
 - Zu4.M (NID)
 - O#=.M (NID)
 - >.'2M (NID)
 - *R/6M (NID)
 - \n(<M (NID)
 - /LuZM (NID)
 - u8R\M (NID)
 - 1em\M (NID)
 - |r/gM (NID)
 - dJsM (NID)
 - B\n^t\ (SNID)
 - N \|P' (SNID)
 - ;-\3(+ (SNID)
 - l%\'% (SNID)
 - M1L\P (SNID)
 - +/0h; (SNID)
 - 2~oS\^ (SNID)
 - P0.PM (SNID)
 - .;<a9 (SNID)
 - .0us/Ev (SNID)
 - /$2pW (SNID)
 - p>O.* (SNID)
 - \u:}N (SNID)
 - 4ggj\ (SNID)
 - ^%+n~/ (SNID)
 - RWt.: (SNID)
 - B/b` ; (SNID)
 - X*-/y (SNID)
 - O|f.i (SNID)
 - Z!Y.,. (SNID)
 - n\YJAq (SNID)
 - 9q/Ui (SNID)
 - \vimM (SNID)
 - ?N/^w*+V (SNID)
 - p]9\Y (SNID)
 - .dD9zE (SNID)
 - #/fYz (SNID)
 - v(gn/ (SNID)
 - \Z:8)O (SNID)
 - 0zsTW\ (SNID)
 - P*Bc. (SNID)
 - H.q(6W (SNID)
 - \,:z-1 (SNID)
 - L(j2.U (SNID)
 - q.$T3;N (SNID)
 - b/Rt] (SNID)
 - m0\r pFZ (SNID)
 - :x/[8_ (SNID)
 - f.Y*M (NID)
 - ND5\[wQ (SNID)
 - /XuzR (SNID)
 - EfB%\T (SNID)
 - sW<+/ (SNID)
 - W+f/Rj (SNID)
 - \vpy< (SNID)
 - /f"lm (SNID)
 - CT6_\ (SNID)
 - y@;O\p (SNID)
 - Q?- {. (SNID)
 - /_eP- (SNID)
 - V/Yjz (SNID)
 - RL\_6 (SNID)
 - hA.&N (SNID)
 - .?Z>U (SNID)
 - VT*y/'ntn[l (SNID)
 - 6~\ L> (SNID)
 - fJS (SNID)
 - idg\u (SNID)
 - u;}jS (SNID)
 - D;e D\ (SNID)
 - uAx/l (SNID)
 - m=~/A (SNID)
 - E/Vq)2/w (SNID)
 - \0#%` (SNID)
 - k!iq/ (SNID)
 - khls4G\ (SNID)
 - e8.m-Z (SNID)
 - /r_pFi (SNID)
 - cT.dZ@ (SNID)
 - x(bl#. (SNID)
 - '\HWJI (SNID)
 - :/sf'i (SNID)
 - g;jY[\ (SNID)
 - .EDu_G (SNID)
 - jsi (SNID)
 - ddU#/ (SNID)
 - IB%=!z}/ (SNID)
 - Y/<{j (SNID)
 - PV%r\ (SNID)
 - X@B"{\[ (SNID)
 - 2G$;-/ (SNID)
 - v4.`L+ (SNID)
 - \-a'f (SNID)
 - 82W9\yH (SNID)
 - [\*{y (SNID)
 - KW+v{\[ (SNID)
 - /WRIt (SNID)
 - QFC\ H"* (SNID)
 - a@R-./ (SNID)
 - !\D[w (SNID)
 - Ru/ ! (SNID)
 - ]Y9G\ (SNID)
 - \3z=E (SNID)
 - E_m\p (SNID)
 - /#$h: (SNID)
 - \WN?/-f (SNID)
 - L@\jJ (SNID)
 - MKV2/( (SNID)
 - )\xzZ (SNID)
 - ts\wv (SNID)
 - T5uv\ (SNID)
 - '/Bhn (SNID)
 - >#t.05& (SNID)
 - `*lF_\ (SNID)
 - @t~>.yY (SNID)
 - .k,nbqm} (SNID)
 - m1EF.{ (SNID)
 - Y.`7# (SNID)
 - Iem:. (SNID)
 - /}+r% (SNID)
 - i?"8X. (SNID)
 - j6/*M (NID)
 - c~;:*#l\ (SNID)
 - dlL (SNID)
 - .zM|E= (SNID)
 - \h,t" (SNID)
 - YR.XU (SNID)
 - r=.c!& (SNID)
 - cfL>Dmu/ (SNID)
 - u/jcU (SNID)
 - "\q-6x (SNID)
 - #e-j0/ (SNID)
 - /RFWz (SNID)
 - (J].u (SNID)
 - ,f/L#& (SNID)
 - i.L98& (SNID)
 - :%JS (SNID)
 - .#]>D (SNID)
 - WFzB\l (SNID)
 - &!bOv/D> (SNID)
 - &/%#2 (SNID)
 - dI/-K (SNID)
 - u0XDg_. (SNID)
 - \fL"+ (SNID)
 - Tbp/L0 (SNID)
 - *E~\> (SNID)
 - jSoZ (SNID)
 - l\I~@S\ (SNID)
 - Z\v:9T (SNID)
 - (|9\/ (SNID)
 - e.}w[Lo} (SNID)
 - JJs (SNID)
 - 2jSi (SNID)
 - ioX\cZ (SNID)
 - 6\J|C (SNID)
 - %\X*Z (SNID)
 - .!Y,-k: (SNID)
 - =MU\M (SNID)
 - m\`6^ (SNID)
 - qX,}\ (SNID)
 - FOaUy.; (SNID)
 - /@_~; (SNID)
 -  t/C^ (SNID)
 - .O-X/ (SNID)
 - <q_H\ (SNID)
 - \TT+M (SNID)
 - \9xS,l+ (SNID)
 - +.XrV (SNID)
 - JSi (SNID)
 - 8N@\. (SNID)
 - ;\A(e@ (SNID)
 - /2uf% (SNID)
 - jL3/I (SNID)
 - R4\RR (SNID)
 - r-d@/ (SNID)
 - J)_!/ (SNID)
 - \7hd# (SNID)
 - l*7Q.Q (SNID)
 - OJsv (SNID)
 - 59/@M (SNID)
 - IC(\4 (SNID)
 - Go/+/s- (SNID)
 - "Q@%/ (SNID)
 - `\1Y7 (SNID)
 - a\f:NY (SNID)
 - e/o8ip (SNID)
 - R6\^M (NID)
 - 2.O)~8 (SNID)
 - n5X?[Rw. (SNID)
 - m.p<p (SNID)
 - H{l'Z.o (SNID)
 - aP=T.x (SNID)
 - (V9/: (SNID)
 - .\hg,SKAa (SNID)
 - #N."- (SNID)
 - )/77! (SNID)
 - /Q-"D, (SNID)
 - E.=ps (SNID)
 - K/Ti8 (SNID)
 - \&-," (SNID)
 - <k/Z[ (SNID)
 - /mO1v (SNID)
 - }!A\X (SNID)
 - \*r`D_ (SNID)
 - [,/8X4 (SNID)
 - RG5s\r (SNID)
 - -f/d0KS" (SNID)
 - 15/zN (SNID)
 - P,A;. (SNID)
 - }jsSM (NID)
 - I1.zM (NID)
 - /g@*s (SNID)
 - CY!\+ (SNID)
 - ewf/{s (SNID)
 - \\5J' (SNID)
 - /EqXs (SNID)
 - Jjs (SNID)
 - />]P!+ (SNID)
 - eM.]&! (SNID)
 - e\3|fC: (SNID)
 - JSs (SNID)
 -  V/'| (SNID)
 - CscRX (SNID)
 - S\sYO (SNID)
 - (@W$. (SNID)
 - .Js (SNID)
 - :H4A\ (SNID)
 - @,.{q"fn (SNID)
 - .py3B (SNID)
 - Br.[Ny (SNID)
 - GsV\={3 (SNID)
 - x/7~N} (SNID)
 - piF (SNID)
 - \g\3Ex (SNID)
 - 0!{\2 (SNID)
 - /&-JT(] (SNID)
 - CmXzY.y (SNID)
 - eZBWinj1.` (SNID)
 - .J::v (SNID)
 - q4\n! (SNID)
 - #c[\K3 (SNID)
 - g8 \6 (SNID)
 - 3WH_4/" (SNID)
 - ]H\+E (SNID)
 - .ii%25t (SNID)
 - #w$_. (SNID)
 - ]!.`2~ (SNID)
 - Hf\/Jw{w (SNID)
 - .c*2\_ (SNID)
 - .}!xg (SNID)
 - 2I/nmbM (SNID)
 - /%Y[a (SNID)
 - /'QGj (SNID)
 - 1.W7P (SNID)
 - $53\F> (SNID)
 - A.}7rs (SNID)
 - Ed/Q6B (SNID)
 - DP|d/oy (SNID)
 - \|xge (SNID)
 - `hm/" (SNID)
 - k$\@) (SNID)
 - EhyS\ja (SNID)
 - JS: (SNID)
 - jSP (SNID)
 - 4SN;/ (SNID)
 - R/r'h (SNID)
 - /+v4TU (SNID)
 - 5x&r\ (SNID)
 - TY@g/ (SNID)
 - \d:a0 (SNID)
 - \+O~: (SNID)
 - \fnyQ (SNID)
 - /A]S1C (SNID)
 - i,:/2 (SNID)
 - faH/T (SNID)
 - E)/eW (SNID)
 - f".@4. (SNID)
 - XBPX\ (SNID)
 - z\qVG (SNID)
 - /e&pu (SNID)
 - :\# M (NID)
 - z>.$M (NID)
 - \:E%M (NID)
 - M!.,M (NID)
 - k[!.M (NID)
 - )Kn.M (NID)
 -  IR/M (NID)
 - N b/M (NID)
 - `y/<M (NID)
 - /v/=M (NID)
 - O\]>M (NID)
 - .|uAM (NID)
 - g\ZBM (NID)
 - 7.LCM (NID)
 - U.)DM (NID)
 - l\YDM (NID)
 - .ulDM (NID)
 - G'.EM (NID)
 - T[/EM (NID)
 - z.qGM (NID)
 - mu1._ (SNID)
 - tzc?:o.LIX (SNID)
 - <SPF. (SNID)
 - +2\(8 (SNID)
 - TM.BWikk (SNID)
 - .d3lL> (SNID)
 - k/o=. (SNID)
 - %JS (SNID)
 - \QmQ~{ (SNID)
 - G\JS (SNID)
 - .zQ=6> (SNID)
 - B/q#7u (SNID)
 - js2< (SNID)
 - ;*gT/ (SNID)
 - rRc6)p/ (SNID)
 - 0}T:\ (SNID)
 - 4\(nM (NID)
 - W\ R9 (SNID)
 - .nK%} (SNID)
 - (T. h (SNID)
 - [BS,/ (SNID)
 - /l}/I (SNID)
 - R`>.A (SNID)
 - Fg=.  (SNID)
 - /a6}&ktrH (SNID)
 - jZ+/% (SNID)
 - Vp.Q3 (SNID)
 - ?Xk/< (SNID)
 - /AiQL* (SNID)
 - .:u9j (SNID)
 - 9r;.m (SNID)
 - g'(pM.c (SNID)
 - x/U.D\5 (SNID)
 - Jsy? (SNID)
 - jsry (SNID)
 - -[\3q (SNID)
 - g.dLM (NID)
 - /h:o[ (SNID)
 - %|O/S (SNID)
 - |GU\x (SNID)
 - .g~}  (SNID)
 - /C2a* (SNID)
 - @.D1_ (SNID)
 - jsQ7E (SNID)
 - pNjs (SNID)
 - pb.@V (SNID)
 - .#.S3%/. (SNID)
 - / T:- (SNID)
 - 8_/;( (SNID)
 - .4bnv (SNID)
 - SoQ/M (SNID)
 - :T/H^ (SNID)
 - F`;/C (SNID)
 - \X=ub (SNID)
 - I}`\Tq}} (SNID)
 - .5&;fB (SNID)
 - S."Oi (SNID)
 - %Mnu\ (SNID)
 - MgS0/\ (SNID)
 - PcT.;G (SNID)
 - OCh\o (SNID)
 - . #0qb (SNID)
 - .Az'azGvQ (SNID)
 - LRl/=D (SNID)
 - jsa (SNID)
 - {<%.[u (SNID)
 - /r3<( (SNID)
 - kS\Py (SNID)
 - ^8$\M (NID)
 - .</RI (SNID)
 - /rI]*5. (SNID)
 - j/ $& (SNID)
 - :31b/ (SNID)
 - :N/zW (SNID)
 - wl.WO (SNID)
 - JsL/+ (SNID)
 - ^pe\} (SNID)
 - \w&Lz/X (SNID)
 - cm.W"b (SNID)
 - iHYr|\ (SNID)
 - /QW1>F (SNID)
 - 4/EY,wo (SNID)
 - \YuHH (SNID)
 - 0\iQ8 (SNID)
 - -.h:I (SNID)
 - 'i/-J (SNID)
 - )-W$.) (SNID)
 - Y<}6/k (SNID)
 - -/etj (SNID)
 - \!LKq (SNID)
 - 1mW;. (SNID)
 - 9\"Wtn_ (SNID)
 - js}a (SNID)
 - g.t'; (SNID)
 - AfM/e (SNID)
 - 3W\^|%_ (SNID)
 - @nHu. (SNID)
 - D=3.T (SNID)
 - 9Js (SNID)
 - Z.wxg (SNID)
 - nqf?\j (SNID)
 - P.2t? (SNID)
 - \L8n+3 (SNID)
 - PE/b)]x2T (SNID)
 - %?.,WY (SNID)
 - \`.i9 (SNID)
 - Gc2/nI13 (SNID)
 - .?!/F`,' (SNID)
 -  I/$e!B (SNID)
 - 2j>\M (NID)
 - <*rZ\ (SNID)
 - D,gJ/ (SNID)
 - .[x9A (SNID)
 - OAb3\ (SNID)
 - EkI.M- (SNID)
 - MM<.^ (SNID)
 - Gq/1# (SNID)
 - ao].m (SNID)
 - K3\9qj (SNID)
 - E\ z@ (SNID)
 - y'W/- (SNID)
 - /=)sg8M (SNID)
 - _q/6@ (SNID)
 - K"oO\ (SNID)
 - /,Fs@~J8 (SNID)
 - 5A/!a (SNID)
 - o!H.eCf (SNID)
 - m8.7bQ (SNID)
 - O<\8X (SNID)
 - $bC/D (SNID)
 - SX\,> (SNID)
 - pL\,; (SNID)
 - r(w/] (SNID)
 - Ke\BE (SNID)
 - N?/>xA (SNID)
 - w\}CL (SNID)
 - ]t{$. (SNID)
 - nTF/W (SNID)
 - V6.sT}; (SNID)
 -  YV/E (SNID)
 - /}TMKQ (SNID)
 - ?e/*6 (SNID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: azurehound
d40afab6ce066b04d7ad3faeefc25569318a717b47b89079bce4c2cde4ef7379
21/03/2026
Filename: azurehound
b1ad44fc2e2c674edc2ac17297eeebd11c9b19e624006c7bbae6d2a7a9d1ac51
21/03/2026
Filename: azurehound
c052a56b9d91a2b51554288af977da8d1accf15ca722b2de0b69f4ed74e9abab
21/03/2026
Filename: azurehound
9f80da4e3bb62a9eeaa2dcd7fc72a0f1decfb7a10d5a637af651f8a4363ea6b3
21/03/2026
Filename: azurehound
dacc98ae9182d9b0bab37c3c6b99fd27571e08ddb3fba1ef619aa5ae3d18ead8
21/03/2026
Remediation Steps:
Isolate affected systems. Perform a full system scan with updated security software and remove the detected hacktool. Investigate for broader compromise, remove any persistence mechanisms (e.g., Windows Run key), block associated domains, and patch exploited vulnerabilities.
=== END REPORT ===
This analysis was last updated on 21/03/2026.