Signature match: Trojan (appears legitimate but performs malicious actions), JavaScript platform, Malgent family
This is a JavaScript-based Trojan of the Malgent family. Typically delivered through document macros or social engineering, it downloads and executes secondary malicious payloads from remote servers. It uses obfuscation, drops executables in user directories such as Desktop and AppData, and establishes persistence on the compromised system.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Immediately isolate the affected system, perform a comprehensive endpoint scan to eradicate all malicious files and associated persistence mechanisms, and block all network communication to the identified command-and-control (C2) infrastructure and download sources.