Trojan:MSIL/Vidar.AVI!MTB - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/Vidar.AVI!MTB
Classification:
  Type: Trojan
  Platform: MSIL
  Family: Vidar
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: AVI (specific signature variant within the malware family)
  Suffix: !MTB (detected via machine learning and behavioral analysis)
  Detection Method: Behavioral
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language), family Vidar

Summary:

This is a concrete detection of a Vidar trojan variant designed for MSIL platforms. It functions as an information stealer, targeting cryptocurrency wallet keys (Monero) and credentials from applications like FileZilla, while also establishing persistence through hidden scheduled tasks.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - SOFTWARE\monero-project\monero-core (PEHSTR_EXT)
 - \Monero\wallet.keys (PEHSTR_EXT)
 - \AppData\Roaming\FileZilla\recentservers.xml (PEHSTR_EXT)
 - New-ScheduledTaskAction -Execute $tempPath -ErrorAction SilentlyContinue (PEHSTR_EXT)
 - New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ErrorAction SilentlyContinue (PEHSTR_EXT)
YARA Rule:
rule Trojan_MSIL_Vidar_AVI_2147927385_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Vidar.AVI!MTB"
        threat_id = "2147927385"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Vidar"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {0a 00 25 06 6f ?? ?? ?? 0a 00 25 17 6f ?? ?? ?? 0a 00 25 16 6f ?? ?? ?? 0a 00 25 17 6f ?? ?? ?? 0a 00 25 17 6f ?? ?? ?? 0a 00 0b 07 28}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware samples associated with this threat:
 - SecuriteInfo.com.Win32.Malware-gen.85378374
   SHA-256: b1cebd305c6aa27048a3673e70f8e1604735b2c06c83452d2935c330b5a3eb58
   Date: 11/01/2026
 - SecuriteInfo.com.Trojan.DownLoad4.18009.24750.24179
   SHA-256: c96e2c1035a72c1bef5ff5887998c54dd5ce758707c261977347107122963d1d
   Date: 11/12/2025
Remediation Steps:
Immediately isolate the infected system, remove the detected malware, and promptly change all potentially compromised credentials, including cryptocurrency wallet passphrases and any stored FTP credentials. Conduct a thorough forensic analysis to identify the initial compromise vector and ensure all persistence mechanisms (including hidden scheduled tasks) are eradicated. Implement strong security practices, regularly back up data, and monitor network activity for further suspicious behavior.
=== END REPORT ===
This analysis was last updated on 11/12/2025.