user@threatcheck.sh ~ threat-analysis
$ analyze-threat Ransom:MSIL/HiddenTear!rfn
Ransom:MSIL/HiddenTear!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Ransom:MSIL/HiddenTear!rfn
Classification:
  Type: Ransom
  Platform: MSIL
  Family: HiddenTear
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !rfn (specific ransomware family name)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: ransomware (encrypts files and demands payment) for the .NET/MSIL (Microsoft Intermediate Language) platform, family HiddenTear.

Summary:

Ransom:MSIL/HiddenTear!rfn is a ransomware detection for .NET builds derived from the open-source HiddenTear project. Variants covered by this signature encrypt user files (appending extensions such as .locked, .Infinite or .encrypted11), drop a ransom note, delete Volume Shadow Copies and disable the Windows recovery environment so that local recovery is not possible, and demand a ransom payment in exchange for the decryption key. The string set below shows that the signature covers many renamed derivatives (hidden_tear2, JupiterLocker, BabaYaga, Mr. Malware and others) rather than a single build.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - /hiddentear/ (PEHSTR_EXT)
 - _WORK\encrypter (PEHSTR_EXT)
 - HiddenTear\ (PEHSTR_EXT)
 - \winupdate\w (PEHSTR_EXT)
 - #How_Decrypt_Files.txt (PEHSTR_EXT)
 - \Desktop\test\READ_IT.txt (PEHSTR_EXT)
 - \Desktop\Hacked.txt (PEHSTR_EXT)
 - InfiniteDecryptor@Protonmail.com (PEHSTR_EXT)
 - blackgold123@protonmail.com (PEHSTR_EXT)
 - vnransomware@zoho.com (PEHSTR_EXT)
 - .Infinite (PEHSTR_EXT)
 - .locked (PEHSTR_EXT)
 - vssadmin.exe delete shadows /all /Quiet (PEHSTR_EXT)
 - WMIC.exe shadowcopy delete (PEHSTR_EXT)
 - Bcdedit.exe /set {default} recoveryenabled no (PEHSTR_EXT)
 - Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
 - Locker.pdb (PEHSTR_EXT)
 - \obj\Debug\ScreenLocker.pdb (PEHSTR_EXT)
 - \Sanction Ransomware\Project Encryptor\hidden-tear (PEHSTR_EXT)
 - LComputer code on a screen with a skull representing a computer virus / malware attack. (PEHSTR_EXT)
 - If you are smart you know how to decrypt your files with this key. (PEHSTR_EXT)
 - Key is wrong! Please restart the program to send it again. (PEHSTR_EXT)
 - del /Q /F C:\Program Files\kasper (PEHSTR_EXT)
 - del /Q /F C:\Program Files\Norton (PEHSTR_EXT)
 - del /Q /F C:\Program Files\Mcafee (PEHSTR_EXT)
 - del /Q /F C:\Program Files\trojan (PEHSTR_EXT)
 - del /Q /F C:\Program Files\nood32 (PEHSTR_EXT)
 - del /Q /F C:\Program Files\panda (PEHSTR_EXT)
 - HiddenTear.Properties.Resources (PEHSTR_EXT)
 - RANSOM_NOTE.txt (PEHSTR_EXT)
 - /C vssadmin Delete Shadows /All /Quiet (PEHSTR_EXT)
 - .LOCKED (PEHSTR_EXT)
 - vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
 - .encrypted11 (PEHSTR_EXT)
 - @tutanota.com (PEHSTR_EXT)
 - Your computer is infected with a virus (PEHSTR_EXT)
 - .info.hta (PEHSTR_EXT)
 - .[neftet@tutanota.com].boom (PEHSTR_EXT)
 - READ_ME.hta (PEHSTR_EXT)
 - /C choice /C Y /N /D Y /T 1 & Del (PEHSTR_EXT)
 - \READ_ME.hta (PEHSTR_EXT)
 - .Encrypted (PEHSTR_EXT)
 - @protonmail.com (PEHSTR_EXT)
 - Important.txt (PEHSTR_EXT)
 - .dark (PEHSTR_EXT)
 - vssadmin delete shadows /All /Quiet (PEHSTR_EXT)
 - DECRYPT_ME_.TXT.locked (PEHSTR_EXT)
 - Encryption completed (PEHSTR_EXT)
 - HiddenTear (PEHSTR_EXT)
 - \xxx\source\repos\Launcher\Launcher\obj\Debug\BY.pdb (PEHSTR_EXT)
 - Launcher.Properties.Resources (PEHSTR_EXT)
 - /f /im BY.exe (PEHSTR_EXT)
 - BabaYaga.exe (PEHSTR_EXT)
 - Ransomware2.0 (PEHSTR_EXT)
 - ReadToRestore.txt (PEHSTR_EXT)
 - Malware 2.0 (PEHSTR_EXT)
 - Malware_2._0.Payloads (PEHSTR_EXT)
 - \IS_room_start.pdb (PEHSTR_EXT)
 - ransom.jpg (PEHSTR_EXT)
 - .flyper (PEHSTR_EXT)
 - hidden_tear2.exe (PEHSTR_EXT)
 - hidden_tear2.Properties (PEHSTR_EXT)
 - 0.5 bitcons | Address: (PEHSTR_EXT)
 - \locky.pdb (PEHSTR_EXT)
 - \Goodwill Encryptor.pdb (PEHSTR_EXT)
 - mrmalransom\obj\Release\mrmalransom.pdb (PEHSTR_EXT)
 - Mr. Malware (PEHSTR_EXT)
 - mrmalransom.Properties.Resources (PEHSTR_EXT)
 - Your computer files have been encrypted! (PEHSTR_EXT)
 - Screen_Glitching@Payloads (PEHSTR_EXT)
 - Ransomeware.pdb (PEHSTR_EXT)
 - The Security of This Computer Has Been Compromised (PEHSTR_EXT)
 - JupiterLocker has encrypted all the data on this computer with military-grade AES-256 encryption (PEHSTR_EXT)
 - JC:\Users\15138\source\repos\TestRansom\TestRansom\obj\Debug\TestRansom.pdb (PEHSTR)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
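Added example (not code from the original report or from Microsoft's VDM): a Python scan that reuses a subset of the PEHSTR_EXT strings above as plain substring indicators against a file's raw bytes. Managed (.NET) assemblies keep user strings in the #US metadata heap as UTF-16LE, so each indicator is searched in both ASCII and UTF-16LE form, which is the match a plain `strings` run without `-e l` would miss. The category grouping, the "two categories, at least one strong" verdict rule and the sample buffers are assumptions constructed for this example, not Defender's logic.

```python
"""Static indicator scan for HiddenTear-derived .NET ransomware builds.

Added example; not code from the original report or from Microsoft's VDM.
Indicators are a subset of the PEHSTR_EXT strings listed above. The category
grouping, the verdict rule and the sample buffers are assumptions made for
this example.
"""

# Indicators copied from the string list above, grouped by what they evidence.
# The recovery_tamper entries are shortened so one substring covers both the
# "vssadmin.exe Delete Shadows" and the bare "vssadmin delete shadows" spellings.
INDICATORS = {
    "project": ["HiddenTear", "hidden_tear2", "hidden-tear",
                "HiddenTear.Properties.Resources"],
    "note": ["#How_Decrypt_Files.txt", "READ_IT.txt", "RANSOM_NOTE.txt",
             "READ_ME.hta", "ReadToRestore.txt"],
    "extension": [".locked", ".Infinite", ".encrypted11", ".flyper", ".dark"],
    "recovery_tamper": ["delete shadows /all /quiet", "shadowcopy delete",
                        "recoveryenabled no", "bootstatuspolicy ignoreallfailures"],
    "contact": ["@protonmail.com", "@tutanota.com", "vnransomware@zoho.com"],
    "pdb": ["Locker.pdb", "ScreenLocker.pdb", "TestRansom.pdb", "mrmalransom.pdb"],
}

# Categories specific enough to carry a verdict on their own; "extension" and
# "contact" are too generic to count alone (assumption for this example).
STRONG = {"project", "note", "recovery_tamper", "pdb"}


def find_indicators(data):
    """Return {category: [(indicator, encoding), ...]} for every hit in data.

    Managed binaries keep user strings in the #US heap as UTF-16LE, while
    paths and notes embedded as resources may be ASCII, so every indicator is
    tried in both encodings. bytes.lower() folds ASCII letters only, which is
    correct for both encodings because the UTF-16LE high byte of an ASCII
    character is 0x00.
    """
    haystack = data.lower()
    hits = {}
    for category, strings in INDICATORS.items():
        for s in strings:
            needle = s.lower()
            for enc in ("ascii", "utf-16-le"):
                if needle.encode(enc) in haystack:
                    hits.setdefault(category, []).append((s, enc))
                    break  # record one encoding per indicator
    return hits


def scan(data):
    """Scan raw file bytes; suspicious if hits span two or more categories
    and at least one of them is a strong category."""
    hits = find_indicators(data)
    cats = set(hits)
    return {
        "hits": hits,
        "categories": sorted(cats),
        "suspicious": len(cats) >= 2 and bool(cats & STRONG),
    }


def _u16(s):
    return s.encode("utf-16-le")


# Constructed sample buffers (not real malware): a fake managed image fragment
# whose strings are UTF-16LE, and a benign-looking file that only carries the
# generic ".locked" string.
SAMPLE_HIDDENTEAR = (
    b"MZ\x90\x00" + b"\x00" * 32
    + _u16("HiddenTear.Properties.Resources") + b"\x00\x00"
    + _u16("vssadmin.exe Delete Shadows /All /Quiet") + b"\x00\x00"
    + _u16(".locked") + b"\x00\x00"
    + _u16(r"\Desktop\test\READ_IT.txt")
)
SAMPLE_BENIGN = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
    + _u16("MyApp.Properties.Resources") + _u16(".locked")
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan(fh.read()))
    else:
        for name, buf in (("sample", SAMPLE_HIDDENTEAR), ("benign", SAMPLE_BENIGN)):
            print(name, scan(buf))
```

Run it with a file path to scan a dropped binary, or with no arguments to see the constructed sample flagged and the benign buffer, which carries only the generic ".locked" string, left alone. The verdict rule is deliberately conservative because several entries in the VDM list (rundll32, .locked, @protonmail.com) appear in plenty of legitimate software.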
Known malware which is associated with this threat:
  Filename: a959f2b1028472fcea4f85c525453560.exe
  SHA-256:  322316e47680273f8fc9e19ebc184f79ef034df9bd9cbaca16981830cc1ae836
  Date:     16/11/2025
Remediation Steps:
Immediately isolate the infected machine from the network to prevent further spread, and do not pay the ransom. Do not count on local recovery: the strings above show the malware deleting Volume Shadow Copies (vssadmin, WMIC) and turning off the Windows recovery environment (bcdedit recoveryenabled no), so restore encrypted files from a known-good, offline backup once the threat is fully removed. Investigate the initial access vector to prevent re-infection, and hunt for the same ransom-note names, extensions and contact addresses on other hosts, since this signature covers many renamed HiddenTear derivatives.
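Added example (not code from the original report): detection logic that flags the recovery-tampering commands listed under VDM Static Detection when they appear in process-creation telemetry, together with the "choice ... & Del" self-delete one-liner from the same list, and rates a parent process that runs two or more of them as critical. The event schema, the parent process name Locker.exe and all sample events are constructed for this example; map the fields to your EDR or Sysmon Event ID 1 schema.

```python
"""Process-creation detection for the recovery tampering used by HiddenTear builds.

Added example; not code from the original report. Each rule is a regex over a
normalized command line for one of the vssadmin / WMIC / bcdedit commands in
the VDM string list, plus the "choice ... & del" self-delete one-liner. The
event schema, the parent process name Locker.exe and all sample events are
constructed for this example.
"""
import re
from collections import defaultdict


def normalize(cmdline):
    """Fold case, drop quotes and collapse whitespace so one pattern covers
    'vssadmin.exe Delete Shadows /All /Quiet' and 'vssadmin delete shadows'."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)? delete shadows\b"),
        re.compile(r"\bwmic(\.exe)? shadowcopy delete\b"),
    ],
    "boot_recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)? /set \{default\} recoveryenabled no\b"),
        re.compile(r"\bbcdedit(\.exe)? /set \{default\} bootstatuspolicy ignoreallfailures\b"),
    ],
    "self_delete_via_choice": [
        # cmd /C choice /C Y /N /D Y /T 1 & Del <path>: one-second sleep, then delete
        re.compile(r"\bchoice /c y /n /d y /t \d+ ?& ?del\b"),
    ],
}


def detect(events):
    """Return one alert per (event, technique) whose cmdline matches a rule."""
    alerts = []
    for ev in events:
        cl = normalize(ev["cmdline"])
        for technique, patterns in RULES.items():
            if any(p.search(cl) for p in patterns):
                alerts.append({"pid": ev["pid"], "parent": ev["parent_image"],
                               "technique": technique, "cmdline": ev["cmdline"]})
    return alerts


def correlate(alerts):
    """Group alerts by parent image. A single shadow-copy deletion can be an
    admin mistake; two or more distinct techniques from the same parent is
    the pre-encryption pattern and is rated critical."""
    by_parent = defaultdict(set)
    for a in alerts:
        by_parent[a["parent"]].add(a["technique"])
    return {
        parent: {"techniques": sorted(t),
                 "severity": "critical" if len(t) >= 2 else "high"}
        for parent, t in by_parent.items()
    }


# Constructed sample events in a Sysmon Event ID 1-like shape (hypothetical
# parent name; the page lists Locker.pdb, not an executable name).
LOCKER = r"C:\Users\victim\AppData\Local\Temp\Locker.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},                    # admin housekeeping
    {"pid": 5204, "parent_image": LOCKER,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C vssadmin Delete Shadows /All /Quiet'},
    {"pid": 5210, "parent_image": LOCKER,
     "cmdline": "WMIC.exe shadowcopy delete"},
    {"pid": 5216, "parent_image": LOCKER,
     "cmdline": "Bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 5230, "parent_image": LOCKER,
     "cmdline": 'cmd.exe /C choice /C Y /N /D Y /T 1 & Del "' + LOCKER + '"'},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["pid"], a["technique"], a["cmdline"])
    print(correlate(found))
```

The "vssadmin list shadows" event from explorer.exe is there on purpose: listing is routine administration and must not fire, while the deletion, the bcdedit change and the self-delete all come from the same unsigned parent in Temp, which is the combination to page on.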
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 16/11/2025. Do you want to analyze it again?