$ analyze-threat Trojan:Win32/Suschil!rfn
Trojan:Win32/Suschil!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Suschil!rfn
Classification:
  Type: Trojan
  Platform: Win32
  Family: Suschil
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !rfn (specific ransomware family name)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Suschil.

Summary:

Trojan:Win32/Suschil!rfn is a multi-functional trojan that leverages numerous 'living-off-the-land' binaries (mshta, rundll32, PowerShell) for execution and evasion. It establishes persistence via scheduled tasks and BITS jobs and employs API hooking, indicating capabilities for system control, data theft, or deploying additional malware.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
  Filename: 0edaef84db45bc107dca9ae3c43c1c4498263c9a31ba1f07376cd3093e743765
  Hash:     0edaef84db45bc107dca9ae3c43c1c4498263c9a31ba1f07376cd3093e743765
  Date:     22/01/2026

  Filename: Aerodrome.msi
  Hash:     699c6e21eefddaebb9ebd36c4648142a8fbbc78faa3112240cd856b49b37f116
  Date:     22/01/2026

  Filename: DH9338297YV389821.msi
  Hash:     cdf433cc71691769012cdfb80c1df31bc31ae63a0b30bc2a94feb506d2afd83d
  Date:     13/01/2026

  Filename: PO#14309876_pdf.arj
  Hash:     ce489dbc5ecb376acb4784f93631a9c5f6dfa4bf096c84ed29aeefd480a5d487
  Date:     17/12/2025

  Filename: diskopti.exe
  Hash:     adef30df8354575e73fc75c36058203e6fa2ee164467b381816582624823da84
  Date:     15/12/2025
Remediation Steps:
Isolate the endpoint from the network immediately. Use Windows Defender or another endpoint security solution to perform a full scan and remove the threat. Manually inspect and remove suspicious scheduled tasks, BITS jobs, and startup entries. Due to the high risk of compromise, a full system reimage is strongly recommended.
=== END REPORT ===
This analysis was last updated on 13/11/2025.