Trojan:MSIL/Solorigate.BR!dha - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/Solorigate.BR!dha
Classification:
Type: Trojan
Platform: MSIL
Family: Solorigate
Detection Type: Concrete (known malware family with identified signatures)
Variant: BR (specific signature variant within the malware family)
Suffix: !dha (caught by dynamic heuristic behavioral analysis)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), targeting the .NET / MSIL (Microsoft Intermediate Language) platform, family Solorigate

Summary:

This is a concrete detection of Trojan:MSIL/Solorigate.BR!dha, identifying the SUNBURST backdoor. This highly sophisticated threat, delivered through a supply chain attack on SolarWinds, enables remote code execution, lateral movement, persistence, and data exfiltration via the trojanized `SolarWinds.Orion.Core.BusinessLayer.dll`.

Severity: Critical
VDM Static Detection:
Relevant file path strings associated with this threat (ASEP_FILEPATH):
 - \SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll (ASEP_FILEPATH)
 -  (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll (ASEP_FILEPATH)
Relevant code-pattern strings associated with this threat (PEHSTR_EXT):
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Remediation Steps:
Immediately isolate affected systems from the network. Conduct a thorough forensic investigation to identify the full scope of compromise, including lateral movement, additional backdoors, and data exfiltration. Rebuild all compromised systems from trusted, clean backups, and reset all credentials that may have been exposed. Implement strong network segmentation and enhanced threat hunting.
=== END REPORT ===
Analysis last updated: 04/11/2025.