PWS:Win32/Fareit - Windows Defender Threat Signature Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:Win32/Fareit
Classification:
Type: PWS
Platform: Win32
Family: Fareit
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Password Stealer (PWS), which steals credentials and sensitive information; platform Win32 (32-bit Windows); family Fareit.

Summary:

PWS:Win32/Fareit is a critical password-stealing trojan designed to exfiltrate sensitive credentials from the compromised system. It specifically targets applications like WinRAR and FTP clients, captures clipboard data, and communicates with command-and-control servers to transmit stolen information.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule PWS_Win32_Fareit_2147806423_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "PWS:Win32/Fareit"
        threat_id = "2147806423"
        type = "PWS"
        platform = "Win32: Windows 32-bit platform"
        family = "Fareit"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "22"
        strings_accuracy = "High"
    strings:
        $x_20_1 = "PWDFILE0YUIPKDFILE0YUICRYPTED" ascii //weight: 20
        $x_1_2 = "/gate.php" ascii //weight: 1
        $x_1_3 = {73 6f 66 74 77 61 72 65 5c 77 69 6e 72 61 72 00}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Filename: 13814d5dedfb6e7c3a3b5dde40c0f896.exe
Hash: cdb7e330d5d198d8207399452334b5bd1e5b5e7f7c1dbd7ea4eac990c8bef3cc
Date: 21/01/2026
Remediation Steps:
Immediately isolate the infected system and perform a full antivirus scan to remove the threat and any associated files. Change all passwords for accounts accessed from the device, prioritizing banking, email, and critical services. Consider a full system reimage to ensure complete eradication.
=== END REPORT ===
This analysis was last updated on 21/01/2026.