PWS:MSIL/Stealgen!pz - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:MSIL/Stealgen!pz
Classification:
 - Type: PWS
 - Platform: MSIL
 - Family: Stealgen
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !pz (packed or compressed to evade detection)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Password Stealer - Steals credentials and sensitive information for .NET (Microsoft Intermediate Language) platform, family Stealgen

Summary:

PWS:MSIL/Stealgen!pz is a .NET-based information stealer, identified as 44CaliberStealer. It is designed to steal sensitive information such as browser credentials, cryptocurrency wallets, and system data. The malware utilizes various built-in Windows tools and techniques for execution, persistence, and data exfiltration.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - .walletMastercard (PEHSTR_EXT)
 - *.walletorigin_url (PEHSTR_EXT)

 - \Google\Chrome\User Data\ (PEHSTR_EXT)
 - \Screen. (PEHSTR_EXT)
 - SELECT ExecutablePath, ProcessID FROM Win32_Process (PEHSTR_EXT)

 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware samples associated with this threat:
 - SHA-256: e1639816682dfab588eeeaf7282aacaf9653183ba4bd1610d6e6777d714c9c14 (09/12/2025)
 - Filename: Krnl_69205.exe
 - SHA-256: a747a2f7264c60c28b052f122ef3d054390cb7514731ad14f401951cf2440b23 (15/11/2025)
Remediation Steps:
Isolate the affected host from the network immediately. Ensure the threat is removed by security software and conduct a full system scan. Reset all passwords and credentials that were used or stored on the compromised machine and investigate the initial infection vector. Consider re-imaging the device for full remediation.
=== END REPORT ===
This analysis was last updated on 15/11/2025.