Trojan:Win64/Radthief.NKB!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Radthief.NKB!MTB
Classification:
  Type: Trojan
  Platform: Win64
  Family: Radthief
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: NKB (specific signature variant within the malware family)
  Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), targeting the 64-bit Windows platform, family Radthief.

Summary:

This detection identifies a Trojan from the 'Radthief' family, a known information-stealing malware. The '!MTB' designation indicates it was flagged by machine learning behavioral analysis for actions consistent with credential theft and data exfiltration. The malware's primary goal is to steal sensitive data such as passwords, browser information, and system details from the compromised host.

Severity: High

VDM Static Detection:
Relevant strings associated with this threat:
 - K.X]_D a.9.X_C.J.z.f_Y_c_N5\.C s.r_w.8 A x.cF (PEHSTR_EXT)
 - u_u7 gE_MH m%?_M.x.e.PY1.O.w$.O.o Q_Jc.4_Y G.J M.R N.B.D k.E.TG.5d_r.Q d.g05.FP_d (PEHSTR_EXT)
 - m.E_G.u_b.FQ.hxD.2C f_g.R.de qR_A.u.D.t.K-.Qg$_OJd.S_G (PEHSTR_EXT)
 - 4_Po[ex.E_Z_h S.I O.oh.w.Of.j_E J gQ W_u.h.a.G.8_M.D.W_QO_p (PEHSTR_EXT)
 - _hJ.iV x.vjq(-.r lE_o.u lPTz l T.9d.h (PEHSTR_EXT)
 - u_o!_Yj_V.U j G,v_H.O\.e_w|_VS (PEHSTR_EXT)
 - y_IE B C h.k& q.6.i6 p1.v.F_o_S.y_Z R.r.I A_r.Ds_n.fn.k.u.n.q_v_b_L (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win64_Radthief_NKB_2147953785_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Radthief.NKB!MTB"
        threat_id = "2147953785"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Radthief"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "8"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "K.X]_D a.9.X_C.J.z.f_Y_c_N5\\.C s.r_w.8 A x.cF" ascii //weight: 2
        $x_1_2 = "u_u7 gE_MH m%?_M.x.e.PY1.O.w$.O.o Q_Jc.4_Y G.J M.R N.B.D k.E.TG.5d_r.Q d.g05.FP_d" ascii //weight: 1
        $x_1_3 = "m.E_G.u_b.FQ.hxD.2C f_g.R.de qR_A.u.D.t.K-.Qg$_OJd.S_G" ascii //weight: 1
        $x_1_4 = "4_Po[ex.E_Z_h S.I O.oh.w.Of.j_E J gQ W_u.h.a.G.8_M.D.W_QO_p" ascii //weight: 1
        $x_1_5 = "_hJ.iV x.vjq(-.r lE_o.u lPTz l T.9d.h" ascii //weight: 1
        $x_1_6 = "u_o!_Yj_V.U j G,v_H.O\\.e_w|_VS" ascii //weight: 1
        $x_1_7 = "y_IE B C h.k& q.6.i6 p1.v.F_o_S.y_Z R.r.I A_r.Ds_n.fn.k.u.n.q_v_b_L" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Filename: e864c2c9cfe45a3ac9a15f47ff86dc11.exe
  SHA-256: 6a7f34b0031736c56964a15258f1f4bd59e36a7fff3569815491103d920d651e
  Date: 16/11/2025
Filename: Aero.exe
  SHA-256: b98b53ca03e3e9009b31bcc37b90b206064b25effce449dde63c51cef6a47470
  Date: 15/11/2025
Remediation Steps:
1. Isolate the affected device from the network immediately to prevent further data exfiltration.
2. Use Windows Defender or another trusted antivirus to perform a full system scan and remove the threat.
3. After removal, change passwords for all critical accounts (email, banking, corporate) that were used or stored on the device, as they should be considered compromised.
=== END REPORT ===
This analysis was last updated on 09/11/2025.