Trojan:Linux/SAgnt!MTB - ThreatCheck.sh

user@threatcheck.sh ~ threat-analysis

bash

$ analyze-threat Trojan:Linux/SAgnt!MTB

Trojan:Linux/SAgnt!MTB - Windows Defender threat signature analysis

$ cat analysis.txt

=== THREAT ANALYSIS REPORT ===

Threat Name: Trojan:Linux/SAgnt!MTB

Classification:

Type:Trojan

Platform:Linux

Family:SAgnt

Detection Type:Concrete

Known malware family with identified signatures

Suffix:!MTB

Detected via machine learning and behavioral analysis

Detection Method:Behavioral

Confidence:Very High

False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family SAgnt

Summary:

This is a Trojan detected on a Windows system using machine learning behavioral analysis (!MTB) from the SAgnt family, despite its naming suggesting a Linux platform. It exhibits behaviors indicative of abusing legitimate Windows utilities such as mshta, rundll32, PowerShell, and BITS for execution, persistence, and network communications. The threat also shows intent to perform hooking, data encoding, file operations, and potentially bypass security measures, indicating sophisticated malicious activity.

Severity:

High

VDM Static Detection:

Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Known malware which is associated with this threat:

Filename: 0f4e3711c8b9ca49584d924f62c6d2e48d88f60583cf3d3db8300d1246bdb2aa

0f4e3711c8b9ca49584d924f62c6d2e48d88f60583cf3d3db8300d1246bdb2aa

14/12/2025

→VirusTotal ↓Download Sample

Remediation Steps:

Immediately isolate the affected system to prevent further compromise. Conduct a thorough antivirus scan to remove all detected components and investigate for persistence mechanisms, such as scheduled tasks, modified registry entries, or startup items. Review system logs for suspicious activity involving Windows utilities like PowerShell, rundll32, or mshta, and ensure all operating system and applications are patched; consider re-imaging the system if complete eradication cannot be confirmed.

=== END REPORT ===

$ reanalyze-threat

This analysis was last updated on 14/12/2025. Do you want to analyze it again?

$ ls available-commands/

→ cd /home

user@threatcheck.sh:~$ ▊

Trojan:Linux/SAgnt!MTB - Windows Defender Threat Analysis