Trojan:Win32/Yomal!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Yomal!rfn
Classification:
Type: Trojan
Platform: Win32
Family: Yomal
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Yomal

Summary:

Trojan:Win32/Yomal!rfn is a malicious program that runs through legitimate Windows tools (LOLBins) such as PowerShell, mshta, and rundll32 to evade detection. It establishes persistence via scheduled tasks, downloads additional payloads using BITS, and uses API hooking techniques that may be used to steal information or interfere with system security.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat (filename, hash, date):
 - bps.exe | 2c0ab7c94847d93be174d1f17cf47204347939a331ba763e2a24aeffa22aac9b | 20/05/2026
 - 6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d | 6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d | 21/04/2026
 - IMG-805068627.png.lnk | c50d258aafaae549acc64e7c3fccf0d3d568f27855c604f46fae296f3957605c | 13/04/2026
 - IMG-257980788.png.lnk | a4468bf9496338f4718c6a1064b7d9dd760c5e86b663ba5e14f340ecada7270d | 13/04/2026
 - DiagnosticDriver.exe | 459c5374a9c6b6109a19bda99e4ab4b81239a53fbd0b9915cb1a51b34e2ccb4d | 03/04/2026
Remediation Steps:
1. Isolate the affected machine from the network immediately to prevent lateral movement.
2. Use Windows Defender to perform a full scan and remove all detected components.
3. Manually investigate and remove persistence mechanisms (e.g., scheduled tasks, netsh helper DLLs).
4. Reset all user credentials used on the system, as they may be compromised.
5. For full remediation, consider reimaging the affected device from a known-good source.
=== END REPORT ===
This analysis was last updated on 03/12/2025.