$ analyze-threat Trojan:Win32/Suschil!rfn
Trojan:Win32/Suschil!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Suschil!rfn
Classification:
Type: Trojan
Platform: Win32
Family: Suschil
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), targeting the 32-bit Windows platform, family Suschil.

Summary:

Trojan:Win32/Suschil!rfn is a multi-functional trojan that leverages numerous 'living-off-the-land' binaries (mshta, rundll32, PowerShell) for execution and evasion. It establishes persistence via scheduled tasks and BITS jobs and employs API hooking, indicating capabilities for system control, data theft, or deploying additional malware.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Remediation Steps:
Isolate the endpoint from the network immediately. Use Windows Defender or another endpoint security solution to perform a full scan and remove the threat. Manually inspect and remove suspicious scheduled tasks, BITS jobs, and startup entries. Due to the high risk of compromise, a full system reimage is strongly recommended.
=== END REPORT ===
This analysis was last updated on 13/11/2025.