$ analyze-threat Trojan:Win32/Tedy!MTB
Trojan:Win32/Tedy!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Tedy!MTB
Classification:
Type: Trojan
Platform: Win32
Family: Tedy
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (a program that appears legitimate but performs malicious actions), 32-bit Windows platform, family Tedy.

Summary:

Trojan:Win32/Tedy!MTB is a Windows Defender detection name for a range of 32-bit Windows trojans, combining concrete string signatures with machine-learning and behavioral analysis. The strings in the signature point to keylogging (KeyLoggerDemo.pdb, "Keylogger started ..."), screenshot capture (CaptureAndSaveScreenshot, SvnTcpnNet.jsonModels.Screenshot), browser credential theft from Firefox and Google Chrome ("Usage: steal_pwd <firefox/google>", chrome_decrypt_cookies.txt, chrome_decrypt_payments.txt), Defender tampering (Set-MpPreference -DisableRealtimeMonitoring), anti-analysis (taskkill against x64dbg, IDA, OllyDbg, dnSpy and Process Hacker) and a ransomware component (\ransomware.bat). A confirmed hit is therefore a significant threat to data confidentiality and system integrity. Note that the same signature also carries strings from unrelated projects (an exploit build for CVE-2024-20656, PrintNotifyPotato, Pillager, game-cheat loaders), so the name is a broad bucket rather than a single family: confirm a detection against the file hash and the matched strings before treating it as a specific campaign.

Severity:
High
VDM Static Detection:
Relevant strings associated with this threat (PEHSTR_EXT entries match these byte strings inside PE files; a hit on a single generic string such as DllRegisterServer or HttpWebResponse is not a detection on its own):
 - desktop.d (PEHSTR_EXT)
 - DllRegisterServer (PEHSTR_EXT)
 - oncometric (PEHSTR_EXT)
 - ZirsLocal.exe (PEHSTR_EXT)
 - TFA.Data.FormSecret.resources (PEHSTR_EXT)
 - CaptureAndSaveScreenshot (PEHSTR_EXT)
 - vt_test\obj\Release\vt_test.pdb (PEHSTR_EXT)
 - KeyLoggerDemo\KeyLoggerDemo\obj\Debug\KeyLoggerDemo.pdb (PEHSTR_EXT)
 - SvnTcpnNet.lib (PEHSTR_EXT)
 - SvnTcpnNet.jsonModels.SSH (PEHSTR_EXT)
 - SvnTcpnNet.jsonModels.FTP (PEHSTR_EXT)
 - SvnTcpnNet.jsonModels.Screenshot (PEHSTR_EXT)
 - Keylogger started, see keyloggs at http://{vicitm IP}:8080/keylogger/keylogg.txt (PEHSTR_EXT)
 - \ransomware.bat (PEHSTR_EXT)
 - \output_firefox.txt (PEHSTR_EXT)
 - Usage: steal_pwd <firefox/google> (PEHSTR_EXT)
 - CTools.Properties.Resources (PEHSTR_EXT)
 - C:\Users\SirLennox (PEHSTR_EXT)
 - Release\NekoInstaller.pdb (PEHSTR_EXT)
 - UpdateDemo.Properties.Resources.resources (PEHSTR_EXT)
 - \Program Files\mana break\ (PEHSTR_EXT)
 - 505\505\obj\Release\fuckyouware.pdb (PEHSTR_EXT)
 - fuckyouware.exe (PEHSTR_EXT)
 - cz56954.tw1.ru/ICSharpCode.SharpZipLib.dll (PEHSTR_EXT)
 - PrintNotifyPotato.exe (PEHSTR_EXT)
 - gMqeWOPLGVb37y00zMrL4/VVFHyxBgam/Ukb7bCU3Q8= (PEHSTR_EXT)
 - MySql.Installer.Launcher.wd_T5end.resources (PEHSTR_EXT)
 - Eqggpsce.exe (PEHSTR_EXT)
 - TSAide.stat (PEHSTR_EXT)
 - ver.ourwg.com.tw (PEHSTR_EXT)
 - @.vmp0 (PEHSTR_EXT)
 - ZodiacAide.exe (PEHSTR_EXT)
 - Assistente.Program (PEHSTR_EXT)
 - C:\Users\Public\2.exe (PEHSTR_EXT)
 - C:\Users\wegame.exe (PEHSTR_EXT)
 - http://164.155.255.81/2.exe (PEHSTR_EXT)
 - C:\Users\Public\libcef.dll (PEHSTR_EXT)
 - http://164.155.255.81/libcef.dll (PEHSTR_EXT)
 - c:\windows\god\up.exe (PEHSTR_EXT)
 - c:\windows\god\sendb.exe (PEHSTR_EXT)
 - sendb.Properties.Resources.resources (PEHSTR_EXT)
 - ://ftp.2qk.cn/HD1-2.dll (PEHSTR_EXT)
 - villadentex.pl (PEHSTR_EXT)
 - ibhchocjdb/kfapioijci/fjfkdpkdco/fjfkdpkdco/kbpchiokil.Egcgaefamc (PEHSTR_EXT)
 - BackDoor.pdb (PEHSTR_EXT)
 - EXPLOIT\BINARY (PEHSTR_EXT)
 - cdefcdefcdefcdefcdefhttp://bd.tlysj.com:7979/20.jpg (PEHSTR_EXT)
 - abcdabcdabcdabcdabcdhttp://803.asx51.info:8080/20.jpg (PEHSTR_EXT)
 - HttpWebResponse (PEHSTR_EXT)
 - \Google translate master\ (PEHSTR_EXT)
 - Wrapper\x64 (PEHSTR_EXT)
 - C:\Users\Administrator\Desktop\Pillager_\Pillager\obj\Debug\Pillager.pdb (PEHSTR_EXT)
 - Pillager.dll (PEHSTR_EXT)
 - \output\G2M_Dll.pdb (PEHSTR_EXT)
 - taskkill /IM ProcessHacker.exe /F (PEHSTR_EXT)
 - taskkill /IM dnSpy.exe /F (PEHSTR_EXT)
 - taskkill /IM cheatengine-x86_64.exe /F (PEHSTR_EXT)
 - taskkill /IM ollydbg.exe /F (PEHSTR_EXT)
 - taskkill /IM ida64.exe /F (PEHSTR_EXT)
 - taskkill /IM x64dbg.exe /F (PEHSTR_EXT)
 - static/loader_client_no_literals_compression.bin (PEHSTR_EXT)
 - updater.exe (PEHSTR_EXT)
 - \\.\VBoxMiniRdrDN (PEHSTR_EXT)
 - FortniteClient-Win64-Shipping.exe (PEHSTR_EXT)
 - d3d11.dll (PEHSTR_EXT)
 - cdn.discordapp.com/attachments/1223133498550911067/1231358676225359932/svhost.exe (PEHSTR_EXT)
 - cdn.discordapp.com/attachments (PEHSTR_EXT)
 - ces.exe (PEHSTR_EXT)
 - TestMalvare.pdb (PEHSTR_EXT)
 - Musquitao\Desktop\BR_2023\LOAD_2023\DLL-CPP\D\x64\Release\D.pdb (PEHSTR_EXT)
 - \Documents (PEHSTR_EXT)
 - D.dll (PEHSTR_EXT)
 - /tuiguang/qudao (PEHSTR_EXT)
 - pos.baidu.com (PEHSTR_EXT)
 - <a id=x href=/wzs/ (PEHSTR_EXT)
 - .html target=_self></a> (PEHSTR_EXT)
 - @FACK YOU Donkey. (PEHSTR_EXT)
 - start cmd /C "color b && title Error && echo (PEHSTR_EXT)
 - && timeout /t 5 (PEHSTR_EXT)
 - \Microsoft\Windows\.winSession (PEHSTR_EXT)
 - \Startup\NVIDIAGraphics.lnk (PEHSTR_EXT)
 - \Startup\MicrosoftDefender.lnk (PEHSTR_EXT)
 - Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true (PEHSTR_EXT)
 - https://xiamo.dasiqueiros.info/fuiwfbjksd/stetdsvj (PEHSTR_EXT)
 - InitializeSecurityDescriptor (PEHSTR_EXT)
 - CuzPP.exe (PEHSTR_EXT)
 - GoonEye.exe (PEHSTR_EXT)
 - \Release\CuzPP.pdb (PEHSTR_EXT)
 - Imgui-Blue-loader-master\Imgui-Blue-loader-master\ImGui\imstb_textedit.h (PEHSTR_EXT)
 - run_exe_from_memory (PEHSTR_EXT)
 - DllInstall (PEHSTR_EXT)
 - execute_python_entrypoint (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - .vmp0 (PEHSTR_EXT)
 - cmd.exe /c C:\Windows\System32\cmstp.exe /au %TEMP%\corpvpn.inf (PEHSTR_EXT)
 - source\repos\CVE-2024-20656\Expl\x64\Release (PEHSTR_EXT)
 - Vixen.exe (PEHSTR_EXT)
 - chrome_decrypt_cookies.txt (PEHSTR_EXT)
 - chrome_decrypt_payments.txt (PEHSTR_EXT)
 - **User:** %s\n**Computer:** %s\n**IP:** %s (PEHSTR_EXT)
 - pintest.exe (PEHSTR)
 - curl --silent https://files.catbox.moe/ (PEHSTR_EXT)
 -  --output C:\Windows\Temp\ (PEHSTR_EXT)
 - cd C:\Windows\Temp\ &&  (PEHSTR_EXT)
 - .exe  (PEHSTR_EXT)
 - .sys >nul 2>&1 (PEHSTR_EXT)
 - ! fud cat shit also fuck niggers frfrfr. (PEHSTR_EXT)
 - main.deobfuscateShellcode (PEHSTR_EXT)
 - DLL injected (PEHSTR_EXT)
 - chrome_decrypt.dll (PEHSTR_EXT)
 - NoxVMHandle.exe (PEHSTR_EXT)
 - DLL already exists. Attempting to inject. (PEHSTR_EXT)
 - Injection failed. (PEHSTR_EXT)
 - Injected Successfully. (PEHSTR_EXT)
 - C:\Users\pollo\source\repos\Loader\x64\Release\Loader.pdb (PEHSTR_EXT)
 - credentials.txt (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat (identify samples by SHA-256, not by filename; python39.dll is also the name of the legitimate CPython runtime DLL):
Filename: python39.dll
SHA-256: afcd9414a380b3f08de2c4ff6d9f4e861d749af187d95742b63c3643b5ef6309
Date: 30/01/2026
Filename: boong.exe
SHA-256: 372eeac0fd2419d73e7572065e5ae598d01e629b8fcfc50d4336c8b16013a784
Date: 26/01/2026
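As an added, illustrative triage helper (not part of the original report and not Microsoft's detection engine), the following Python script checks a file against the two SHA-256 hashes listed above and sweeps it for a subset of the PEHSTR_EXT strings from the signature dump, in both ASCII and UTF-16LE, the two encodings in which strings normally occur in PE files. The per-string weights and the threshold are assumptions chosen to show why generic strings cannot trigger a match alone; the real signature's weights are not on this page. The two sample images are constructed, not real malware.

```python
"""Offline triage helper for the Trojan:Win32/Tedy!MTB indicators on this page.

Added example: this is not Microsoft's engine and not code from the report. It
checks a file's SHA-256 against the listed samples and sweeps the file for a
subset of the listed PEHSTR_EXT strings, in ASCII and UTF-16LE.
"""
import hashlib
from pathlib import Path

# SHA-256 hashes from the "Known malware" list on this page.
KNOWN_SHA256 = {
    "afcd9414a380b3f08de2c4ff6d9f4e861d749af187d95742b63c3643b5ef6309": "python39.dll",
    "372eeac0fd2419d73e7572065e5ae598d01e629b8fcfc50d4336c8b16013a784": "boong.exe",
}

# A subset of the PEHSTR_EXT strings from the signature dump. The weights are an
# illustrative assumption: the real signature's per-string weights and threshold
# are not on this page. Generic strings get a low weight so that they cannot
# trigger a match on their own.
INDICATORS = {
    r"Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true": 5,
    r"KeyLoggerDemo\KeyLoggerDemo\obj\Debug\KeyLoggerDemo.pdb": 5,
    r"Usage: steal_pwd <firefox/google>": 5,
    r"\ransomware.bat": 4,
    r"taskkill /IM x64dbg.exe /F": 3,
    r"CaptureAndSaveScreenshot": 3,
    r"cdn.discordapp.com/attachments": 2,
    r"\\.\VBoxMiniRdrDN": 2,
    r"DllRegisterServer": 1,  # ordinary COM export name, common in benign DLLs
    r"HttpWebResponse": 1,    # ordinary .NET class name
}
THRESHOLD = 6  # assumed; a single high-weight string is not enough on its own


def find_strings(data, indicators=INDICATORS):
    """Return {indicator: encoding} for each indicator found as ASCII or UTF-16LE."""
    hits = {}
    for s in indicators:
        if s.encode("ascii") in data:
            hits[s] = "ascii"
        elif s.encode("utf-16-le") in data:
            hits[s] = "utf-16le"
    return hits


def score(hits, indicators=INDICATORS):
    """Sum the weights of the matched indicators."""
    return sum(indicators[s] for s in hits)


def triage_bytes(data):
    """Hash lookup plus weighted string sweep over an in-memory file image."""
    digest = hashlib.sha256(data).hexdigest()
    hits = find_strings(data)
    total = score(hits)
    matched = digest in KNOWN_SHA256 or total >= THRESHOLD
    return {
        "sha256": digest,
        "known_sample": KNOWN_SHA256.get(digest),
        "string_hits": hits,
        "score": total,
        "verdict": "match" if matched else "no match",
    }


def triage_file(path):
    """Same as triage_bytes, for a file on disk."""
    return triage_bytes(Path(path).read_bytes())


# Constructed sample images (not real malware). BENIGN carries only the generic
# strings; SUSPICIOUS adds a Defender tamper command in ASCII and an
# anti-debugger taskkill stored as UTF-16LE, as .NET string literals are.
BENIGN = b"MZ\x90\x00" + b"HttpWebResponse\x00DllRegisterServer\x00" + b"\x00" * 64
SUSPICIOUS = (
    BENIGN
    + b"Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true\x00"
    + "taskkill /IM x64dbg.exe /F".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_bytes(blob))
```

Run it as `python triage.py` to see both constructed images scored, or call `triage_file(path)` on a quarantined sample. The BENIGN image only hits DllRegisterServer and HttpWebResponse, which occur in countless legitimate .NET binaries, and stays below the threshold; the SUSPICIOUS image crosses it on the Defender tamper command and the anti-debugger kill, one of them found only because the sweep also looks for UTF-16LE. The same reasoning applies when reading the string list above: a hit on the generic entries alone should never be treated as a match.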
Remediation Steps:
Immediately isolate the affected system from the network to prevent further compromise and stop any exfiltration. Run a full antivirus scan with the latest definitions and review the Defender detection history for the detected file path and whether the threat executed; compare the file's SHA-256 with the samples listed above. Because the signature's strings point at persistence through Startup shortcuts (NVIDIAGraphics.lnk, MicrosoftDefender.lnk), scheduled tasks and Defender tampering (Set-MpPreference -DisableRealtimeMonitoring), confirm that real-time protection is still enabled and remove any unexpected Startup entries or tasks. Change all credentials used on the system, especially browser-saved passwords and online service accounts, from a separate clean device. Finally, restore the system from a known clean backup or reimage it to ensure complete eradication.
=== END REPORT ===
This analysis was last updated on 30/01/2026.