PWS:MSIL/Browsstl!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:MSIL/Browsstl!rfn
Classification:
 - Type: PWS
 - Platform: MSIL
 - Family: Browsstl
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !rfn (specific ransomware family name)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Password Stealer (steals credentials and sensitive information) for the .NET (Microsoft Intermediate Language) platform, family Browsstl.

Summary:

This is a concrete detection of a .NET-based password/browser stealer (PWS:MSIL/Browsstl!rfn) designed to extract sensitive information, particularly browser cookies and credentials. It utilizes advanced techniques like process hooking, abuse of legitimate Windows tools (mshta, rundll32, powershell), BITS jobs, and scheduled tasks for persistence, execution, and exfiltration, potentially using Telegram for data transfer.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - Telegram.Bot (PEHSTR_EXT)
 - SELECT host_key, name, path, is_secure, expires_utc, encrypted_value, is_httponly FROM cookies (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - 21aa58fb5016581a2f766acf0288377c584b602f735cb28197c1b3a4b1383c73 (SHA-256)
 - Date: 27/12/2025
Remediation Steps:
Immediately isolate the compromised system, perform a full system scan with updated security software, and remove all detected threats. Force password resets for all accounts whose credentials might have been stored in browsers on the affected machine. Investigate and remove any established persistence mechanisms (e.g., scheduled tasks, suspicious startup entries) and monitor for unusual network activity.
=== END REPORT ===