Trojan:MSIL/FormBook.CD!MTB - Windows Defender threat signature analysis
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/FormBook.CD!MTB
Classification:
 - Type: Trojan
 - Platform: MSIL
 - Family: FormBook
 - Detection Type: Concrete (known malware family with identified signatures)
 - Variant: CD (specific signature variant within the malware family)
 - Suffix: !MTB (detected via machine learning and behavioral analysis)
 - Detection Method: Behavioral
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the .NET/MSIL (Microsoft Intermediate Language) platform, family FormBook.

Summary:

This threat is a variant of the FormBook infostealer trojan, designed to steal sensitive information such as login credentials, financial data, and keystrokes from the compromised system. Technical analysis indicates it uses API hooking techniques to intercept data and leverages system tools like PowerShell, Rundll32, and Scheduled Tasks for execution and persistence.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
 - C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
 - C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
 - |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
 - }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
Known malware associated with this threat (filename, SHA-256 hash, date):
 - 2cbdf96c80d1e9167282ecb6f5f1033d4b747c5417ef5849d91b7a6104f99870 / 2cbdf96c80d1e9167282ecb6f5f1033d4b747c5417ef5849d91b7a6104f99870 / 04/12/2025
 - 1a88149b7336622ebb280d2d5ac67314.exe / fae48fe6a0c7b167093f0f6481ff9f67bab9b023fb43a4c6265403d4e57b2bec / 03/12/2025
 - Client.exe / fa975ead71873519e79b3f7e4dfca87812c2acd11483c2e331f2ad563f31670d / 23/11/2025
Remediation Steps:
Isolate the compromised machine from the network immediately to prevent further data exfiltration. Run a full antivirus scan to remove the threat. Change all passwords for accounts accessed from this device and investigate for persistence mechanisms, such as new scheduled tasks.
=== END REPORT ===
This analysis was last updated on 23/11/2025.