Trojan:VBS/PSRunner!MSR - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:VBS/PSRunner!MSR
Classification:
Type: Trojan
Platform: VBS
Family: PSRunner
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MSR (high-priority threat flagged by Microsoft Security Response)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the VBScript platform, family PSRunner.

Summary:

Trojan:VBS/PSRunner!MSR is a concrete detection of a VBScript-based Trojan that extensively uses PowerShell and various Windows utilities (MSHTA, Regsvr32, Rundll32, BITS, Scheduled Tasks) for stealthy execution, persistence, and potential data exfiltration. Despite containing a string that suggests a 'demo attack scenario', its observed behaviors represent a sophisticated threat capable of significant system compromise.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - powershell.exe -W Hidden -Exec Bypass -Command cd /; (MACROHSTR_EXT)
 - You are about to run a demo attack scenario provided as part of the Microsoft WDATP Preview/Trial program (MACROHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
1e9c29d7af6011ca9d5609cb93b554965c61105a42df9fe0c36274e60db71b1d
Last updated: 29/12/2025
Remediation Steps:
Immediately isolate the affected system to prevent further spread. Perform a full system scan, thoroughly investigate and remove all persistent artifacts and dropped payloads, and reset any compromised credentials. Confirm whether the activity was part of an authorized Microsoft Defender ATP demo; if not, initiate a full incident response.
=== END REPORT ===