user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:PowerShell/Boxter!rfn
Trojan:PowerShell/Boxter!rfn - Windows Defender threat signature analysis

Trojan:PowerShell/Boxter!rfn - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:PowerShell/Boxter!rfn
Classification:
Type:Trojan
Platform:PowerShell
Family:Boxter
Detection Type:Concrete
Known malware family with identified signatures
Suffix:!rfn
Specific ransomware family name
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for PowerShell platform, family Boxter

Summary:

Trojan:PowerShell/Boxter!rfn is a malicious PowerShell script that functions as a downloader and execution tool for further malware. It utilizes multiple living-off-the-land binaries (LOLBINs) like cmd.exe, rundll32, and mshta to evade detection, communicates with a command-and-control server via an ngrok.io URL, and attempts to establish persistence using scheduled tasks.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - $.value.toString()+ (PEHSTR_EXT)
 - .value.toString());powershell (PEHSTR_EXT)
 - .value.toString() (PEHSTR_EXT)
 - "C:\WINDOWS\SYSTEM32\cmd" /c C:\TEMP\ (PEHSTR_EXT)
 - .bat (PEHSTR_EXT)
 - @shift /0 (PEHSTR_EXT)
 - 3\$0S (PEHSTR_EXT)
 - http://9ecc-23-243-99-186.ngrok.io (PEHSTR_EXT)
 - CALL mflink.bat (PEHSTR_EXT)
 - copy proyecto\mflink.bat wget\wget_32bit\ (PEHSTR_EXT)
 - %temp%\getadmin.vbs (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: a9b5db00bc7f94c8f01fa7465585a1244c02085747bac9981be63e70ba8f46ed.ps1
a9b5db00bc7f94c8f01fa7465585a1244c02085747bac9981be63e70ba8f46ed
05/12/2025
VirusTotalDownload Sample
Remediation Steps:
Isolate the affected host from the network immediately. Block the malicious ngrok.io URL at the network perimeter. Use an EDR tool or antivirus to perform a full scan and remove all detected malicious files and artifacts. Investigate for and remove persistence mechanisms, such as scheduled tasks, and rotate all credentials associated with the compromised host.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 05/12/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$