SupportScam:Win32/Screcwon.MD!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: SupportScam:Win32/Screcwon.MD!MTB
Classification:
Type: SupportScam
Platform: Win32
Family: Screcwon
Detection Type: Concrete
  Known malware family with identified signatures
Variant: MD
  Specific signature variant within the malware family
Suffix: !MTB
  Detected via machine learning and behavioral analysis
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: SupportScam for 32-bit Windows platform, family Screcwon

Summary:

This threat is a technical support scam tool, identified as a .NET application, designed to deceive users by displaying fake security alerts or system errors. It communicates with a network of malicious domains to facilitate the scam, aiming to coerce the user into contacting fraudulent support agents who may demand payment or install further malware.

Severity:
High
VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule SupportScam_Win32_Screcwon_MD_2147947634_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "SupportScam:Win32/Screcwon.MD!MTB"
        threat_id = "2147947634"
        type = "SupportScam"
        platform = "Win32: Windows 32-bit platform"
        family = "Screcwon"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "50"
        strings_accuracy = "High"
    strings:
        $x_20_1 = "Release\\ClickOnceRunner.pdb" ascii //weight: 20
        $x_20_2 = "Release\\DotNetRunner.pdb" ascii //weight: 20
        $x_30_3 = ".filesdonwloads.com" ascii //weight: 30
        $x_30_4 = "relay.magaretcap.com" ascii //weight: 30
        $x_30_5 = "relay.shipperzone.online" ascii //weight: 30
        $x_30_6 = "fmt2as.ddns.net" ascii //weight: 30
        $x_30_7 = "app.ratoscreensell.com" ascii //weight: 30
        $x_30_8 = "relay.ale3rt.in" ascii //weight: 30
        $x_30_9 = "microsoffeedd4ackapiz.enterprisesolutions.su" ascii //weight: 30
        $x_30_10 = ".putinswin.es" ascii //weight: 30
        $x_30_11 = "dual.saltuta.com" ascii //weight: 30
        $x_30_12 = "brovanti.de" ascii //weight: 30
        $x_30_13 = ".ratoscbom.com" ascii //weight: 30
        $x_30_14 = "pulseriseglobal.com" ascii //weight: 30
        $x_30_15 = ".myedelta.de" ascii //weight: 30
        $x_30_16 = "kingcardano.io" ascii //weight: 30
        $x_30_17 = ".viewyourstatementonline.com" ascii //weight: 30
        $x_30_18 = "preyinthewild.online" ascii //weight: 30
        $x_30_19 = "download.e-statement.estate" ascii //weight: 30
        $x_30_20 = "hp.noleggiodisciza.com" ascii //weight: 30
        $x_30_21 = "dev.southsideblackancestry.com" ascii //weight: 30
        $x_30_22 = "server.ygoogley.in" ascii //weight: 30
        $x_30_23 = "camp.organzoperate.com" ascii //weight: 30
        $x_30_24 = "mail.securedocumentfiledownload.com" ascii //weight: 30
        $x_30_25 = "doc-sas.marqulsmitchel.com" ascii //weight: 30
        $x_30_26 = "jntl.shop" ascii //weight: 30
        $x_30_27 = "solandalucia-carcosmetics.com" ascii //weight: 30
        $x_30_28 = "dynomar.gandizon.com" ascii //weight: 30
        $x_30_29 = "bw36back93.site" ascii //weight: 30
        $x_30_30 = "fw396back6.site" ascii //weight: 30
        $x_30_31 = "relay.adobpdf.com" ascii //weight: 30
        $x_30_32 = "sent.costariga.de" ascii //weight: 30
        $x_30_33 = "pilwerui.rchelp.top" ascii //weight: 30
        $x_30_34 = "rwbhelp.top" ascii //weight: 30
        $x_30_35 = "zvhelp.top" ascii //weight: 30
        $x_30_36 = "kcclive.top" ascii //weight: 30
        $x_30_37 = "mango.quatrocliche.com" ascii //weight: 30
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_30_*) and 1 of ($x_20_*))) or
            ((2 of ($x_30_*))) or
            (all of ($x*))
        )
}
Known malware which is associated with this threat:
Remediation Steps:
Isolate the affected machine from the network immediately. Run a full antivirus scan with updated definitions to locate and quarantine all malicious files. Block all domains listed in the technical analysis at the network firewall or proxy. Review and remove any suspicious persistence mechanisms, such as scheduled tasks, startup entries, or browser extensions.
=== END REPORT ===