Trojan:MSIL/AgentTesla!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/AgentTesla!rfn
Classification:
Type: Trojan
Platform: MSIL
Family: AgentTesla
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the .NET (Microsoft Intermediate Language) platform, family AgentTesla.

Summary:

This detection identifies Agent Tesla, a well-known information-stealing Trojan. It is designed to steal sensitive data such as login credentials from web browsers, email clients, and other applications, often by logging keystrokes. The 'Concrete' detection type indicates a high-confidence match to a known malware sample.

Severity: Critical
VDM Static Detection: No specific strings found for this threat
YARA Rule:
rule __HSTR_MSIL_AgentTesla_AQ_MTB_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "!#HSTR:MSIL/AgentTesla.AQ!MTB"
        threat_id = "1879049645"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "\\stub\\eopyEx\\achiyMe{\\Ochii_ui\\objnReleqsw\\kilo." ascii //weight: 1
        $x_1_2 = "lpNwwFiluNsme" ascii //weight: 1
        $x_1_3 = "Rxadbbjxctdrrty" ascii //weight: 1
        $x_1_4 = "ddgrstufes.exe" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:

Filename: Nueva Orden 12102025.VBE
SHA-256: 1ead3a2fdce2ee206d2ccd6e85f701f006429fe5bb76fbc400af65483e7766c9
Date: 11/12/2025

Filename: New Shipment-- EV8756005-2511.zip
SHA-256: fa644a6801a4b559f14a989ec2510bbeb66910399e79ea44d26dd60419844350
Date: 09/12/2025

Filename: 191901bedbfc9521e8d346058964cbaca797f07d6e52f9ec285296acc5faa847
SHA-256: 191901bedbfc9521e8d346058964cbaca797f07d6e52f9ec285296acc5faa847
Date: 08/12/2025

Filename: INV098765456789000.exe
SHA-256: e0b8afbe86f2b6e851ac5b3ed3eb621e7daf8d67918e22e7723b8c944ed116af
Date: 18/11/2025

Filename: 885ef9a1ef4ae7b212628622f6b72e29381a8c8bb5abf.exe
SHA-256: 885ef9a1ef4ae7b212628622f6b72e29381a8c8bb5abf667e7da6f537493a0be
Date: 11/11/2025
Remediation Steps:
1. Isolate the affected device from the network immediately to prevent data exfiltration.
2. Perform a full antivirus scan to remove the threat; re-imaging the device is the most reliable solution.
3. Reset all passwords for accounts accessed from the device and enable multi-factor authentication (MFA).
=== END REPORT ===
This analysis was last updated on 08/11/2025.