Trojan:MSIL/Malgent!MSR - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/Malgent!MSR
Classification:
Type: Trojan
Platform: MSIL
Family: Malgent
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MSR (high-priority threat flagged by Microsoft Security Response)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the .NET platform (MSIL, Microsoft Intermediate Language), family Malgent.

Summary:

Trojan:MSIL/Malgent!MSR is a concrete detection of a Trojan that leverages macro-enabled documents to download and execute additional malicious payloads from various external URLs. It establishes persistence by dropping executables into user directories and likely uses obfuscation and potentially advanced evasion techniques, indicating a high-impact threat.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
Remediation Steps:
 - Immediately isolate the infected endpoint from the network.
 - Perform a full system scan with updated antivirus software to quarantine and remove all detected threats.
 - Investigate and remove any established persistence mechanisms (e.g., registry run keys, startup folders, scheduled tasks).
 - Block identified malicious URLs and IP addresses at the network perimeter.
=== END REPORT ===
This analysis was last updated on 30/12/2025.