Trojan:MSIL/Spynoon!rfn - ThreatCheck.sh

user@threatcheck.sh ~ threat-analysis

bash

$ analyze-threat Trojan:MSIL/Spynoon!rfn

Trojan:MSIL/Spynoon!rfn - Windows Defender threat signature analysis

$ cat analysis.txt

=== THREAT ANALYSIS REPORT ===

Threat Name: Trojan:MSIL/Spynoon!rfn

Classification:

Type:Trojan

Platform:MSIL

Family:Spynoon

Detection Type:Concrete

Known malware family with identified signatures

Suffix:!rfn

Specific ransomware family name

Confidence:Very High

False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family Spynoon

Summary:

Trojan:MSIL/Spynoon!rfn is a .NET-based Trojan. The presence of WinHttp functions suggests it likely communicates over HTTP(S), and email ig_zub@ukr.net is a potential contact point.

Severity:

High

VDM Static Detection:

Relevant strings associated with this threat:
 - WinHttpConnect (PEHSTR_EXT)
 - WinHttpOpenRequest (PEHSTR_EXT)
 - WinHttpReceiveResponse (PEHSTR_EXT)
 - u1N16\{k (SNID)
 - xampp\htdocs\Cryptor\ (PEHSTR_EXT)
 -  \Loader\Loader\Release\ (PEHSTR_EXT)
 - LLD PDB. (PEHSTR_EXT)
 - C:\xampp\htdocs\Cryptor\ (PEHSTR_EXT)
 - RpcMgmtInqComTimeout (PEHSTR_EXT)
 - rexec (PEHSTR_EXT)
 - .rdata$zzzdbg (PEHSTR_EXT)
 - e-mail ig_zub@ukr.net (PEHSTR_EXT)
 - }v[{.( (SNID)
 - Y\,<; (SNID)
 - Z/7bj (SNID)
 - tAG., (SNID)
 - btgzlvbjss (PEHSTR_EXT)
 - WindowsFormsApp1.Properties.Resources (PEHSTR_EXT)
 - OptNIstones.Properties.Resources.resources (PEHSTR_EXT)
 - Quan_Ly_Thu_Vien.Properties.Resources (PEHSTR_EXT)
 - FinalProject.Resources (PEHSTR_EXT)
 - Dean.Edwards.Properties.Resources (PEHSTR_EXT)
 - JhHh.Resources.resources (PEHSTR_EXT)
 - QuanLyTC.GUI.DangNhap.resources (PEHSTR_EXT)
 - Power_Troubleshooter.Properties (PEHSTR_EXT)
 - Student_Housing.Properties.Resources (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Known malware which is associated with this threat:

Filename: C0A1FCFDE4A6A8EA6ED180D5B5E21A50.exe

6960b195f9cca224e216556a8df9b359fcc13219a311b6edcb2a85164c32a692

17/12/2025

→VirusTotal ↓Download Sample

Remediation Steps:

Quarantine the detected file. Investigate network traffic for suspicious HTTP(S) communication. Examine related systems for similar indicators of compromise.

=== END REPORT ===

$ reanalyze-threat

This analysis was last updated on 17/12/2025. Do you want to analyze it again?

$ ls available-commands/

→ cd /home

user@threatcheck.sh:~$ ▊

Trojan:MSIL/Spynoon!rfn - Windows Defender Threat Analysis