Trojan:Win32/FraudLoad.A!MTB

user@threatcheck.sh ~ threat-analysis

bash

$ analyze-threat Trojan:Win32/FraudLoad.A!MTB

Trojan:Win32/FraudLoad.A!MTB - Windows Defender threat signature analysis

$ cat analysis.txt

=== THREAT ANALYSIS REPORT ===

Threat Name: Trojan:Win32/FraudLoad.A!MTB

Classification:

Type:Trojan

Platform:Win32

Family:FraudLoad

Detection Type:Concrete

Known malware family with identified signatures

Variant:A

Specific signature variant within the malware family

Suffix:!MTB

Detected via machine learning and behavioral analysis

Detection Method:Behavioral

Confidence:Very High

False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family FraudLoad

Summary:

Trojan:Win32/FraudLoad.A!MTB is a trojan that downloads and installs additional unwanted software, often scareware or other malware. The '!MTB' designation indicates it was identified by Microsoft's machine learning behavioral analysis, which detected suspicious actions characteristic of the FraudLoad family.

Severity:

Medium

VDM Static Detection:

Relevant strings associated with this threat:
 - 8@A; (PEHSTR_EXT)
 - QueryPerformanceCounter (PEHSTR_EXT)
 - aC, (PEHSTR)
 - |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
 - }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
 - &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
 - &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
 - y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
 - y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
 - C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
 - C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
 - L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
 - L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
 - |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
 - }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
 - |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
 - }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
 - |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
 - }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
 - |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
 - }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
 - |#92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (NID)
 - }#92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (NID)

YARA Rule:

rule Trojan_Win32_FraudLoad_A_2147917886_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/FraudLoad.A!MTB"
        threat_id = "2147917886"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "FraudLoad"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {43 2c eb 03 8b 46 30 99 2b c2 d1 f8 01 43 2c 8b 43 2c 03 c1 c7 45 dc 01 00 00 00 eb 31 8b 55 e8 39 53 30 0f 82 f6 00 00 00 8b 96 bc 00 00 00 3b c2 7e 08 85 d2 0f 8f e4 00 00 00 40 89 43 34 8b 43 2c 03 c1 ff 45 ec c7 43 30 00 00 00 00 8b 55 f4 89 43 28 89 53 14 8b 53 24 89 4b 18 8b 46 18 89}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Known malware which is associated with this threat:

44712bce3f57afef3731390e3d6704cddc692a3130ccf94727fbfe23beca1f53

19/11/2025

→VirusTotal ↓Download Sample

Remediation Steps:

Isolate the affected system from the network. Use your security software to perform a full scan and remove the detected threat and any additional payloads. Review recently installed applications and change passwords for accounts used on the system.

=== END REPORT ===

$ reanalyze-threat

This analysis was last updated on 19/11/2025. Do you want to analyze it again?

$ ls available-commands/

→ cd /home

user@threatcheck.sh:~$ ▊

Trojan:Win32/FraudLoad.A!MTB - Windows Defender Threat Analysis