Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language, MSIL), family XWorm
Trojan:MSIL/XWorm.C!MTB is a concrete detection of a sophisticated, multi-functional XWorm malware variant. It employs anti-analysis techniques, encrypts directories and passwords, and uses `paste.ee` for command-and-control or data exfiltration, posing a critical threat to data integrity and system security.
Relevant strings associated with this threat:
- CheckDefender (PEHSTR_EXT)
- CrowdStrike (PEHSTR_EXT)
- encryptDirectory (PEHSTR_EXT)
- EncryptPassword (PEHSTR_EXT)
- AntiCis (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- lloc (PEHSTR_EXT)
- http (PEHSTR_EXT)
- https://paste.ee/r/Y6rkf (PEHSTR_EXT)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
Associated hashes (four 64-hexadecimal-character values, the length of SHA-256; split here from the single run of hex in the source):
- 64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c
- 8ef393be8088c928677beb1f04a2196338edc5ef2abec01273724306cc2c4723
- 9f269d664f5824eb7a79ea03fe887f895ec920df8d6e2013777933f2b0987ed1
- 44afc306bbc5d88a38f409b16593fd5046eddba21af7f4d43697b27cb421c298

Recommended response: immediately isolate the affected system, perform a full comprehensive malware scan, reset all user and service credentials, and monitor network traffic for any outbound C2 communication. Re-image the system from a trusted backup if available.