Trojan:Win32/Egairtigado!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Egairtigado!rfn
Classification:
Type: Trojan
Platform: Win32
Family: Egairtigado
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the 32-bit Windows platform, family Egairtigado.

Summary:

Trojan:Win32/Egairtigado!rfn is a concrete detection of the sophisticated TigerRAT backdoor, attributed to the Andariel APT group. This malware uses extensive hooking, legitimate Windows utilities (mshta, regsvr32, rundll32, PowerShell, BITS) for execution and persistence, enabling remote control, data exfiltration, and evasion.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Remediation Steps:
Immediately isolate the affected system. Perform a full system scan with updated antivirus, then conduct a thorough forensic investigation to identify the initial compromise vector, scope, and any lateral movement. Reset all potentially compromised credentials and enhance network monitoring for related indicators of compromise.
=== END REPORT ===