user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:Win64/Cobaltstrike!rfn
Trojan:Win64/Cobaltstrike!rfn - Windows Defender threat signature analysis

Trojan:Win64/Cobaltstrike!rfn - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Cobaltstrike!rfn
Classification:
Type:Trojan
Platform:Win64
Family:Cobaltstrike
Detection Type:Concrete
Known malware family with identified signatures
Suffix:!rfn
Specific ransomware family name
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Cobaltstrike

Summary:

This detection identifies a Cobalt Strike beacon, a sophisticated post-exploitation tool heavily used by advanced threat actors for remote command and control, lateral movement, and data exfiltration. The presence of this threat indicates an active, hands-on-keyboard adversary has compromised the system, posing a significant risk to the entire network.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
No specific strings found for this threat
YARA Rule:
rule Trojan_Win64_CobaltstrikeLoader_LKAM_2147888312_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/CobaltstrikeLoader.LKAM!MTB"
        threat_id = "2147888312"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "CobaltstrikeLoader"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "1github.com/larksuite/oapi-sdk-go/v3/service/im/v1" ascii //weight: 1
        $x_1_2 = "github.com/latortuga71/GoPeLoader/pkg/peloader" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: PO 13337642.docx
31e7ddc5e0da4a829a01e968d96a6fd568b16bb5c6177dccfa5d9ae91917433f
13/11/2025
VirusTotalDownload Sample
Filename: PURCHASEXORDERXPO-2025-10024.docx
71b906576bc6809759b059d50c843f86d57cfcc44c9b54f07256a7e9b09f472e
13/11/2025
VirusTotalDownload Sample
Filename: PI-0008102024002REMAP.docx
4efe3ebdbf79630bda1a3f0280d637613f9fd03f65773a9fa1d1fca183a61590
12/11/2025
VirusTotalDownload Sample
c56c2dc825e3d4907530d5bb6785e71fac1d7e5014119ef9fef46a4699139666
07/11/2025
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the host from the network to contain the threat. Initiate a full incident response investigation to determine the initial access vector and scope of the breach. Reimage the compromised system from a known-good source and reset all credentials that were used on or accessible from the machine.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 08/11/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$