user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:Win64/Selfdel!MSR
Trojan:Win64/Selfdel!MSR - Windows Defender threat signature analysis

Trojan:Win64/Selfdel!MSR - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Selfdel!MSR
Classification:
Type:Trojan
Platform:Win64
Family:Selfdel
Detection Type:Concrete
Known malware family with identified signatures
Suffix:!MSR
High-priority threat flagged by Microsoft Security Response
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Selfdel

Summary:

This is a concrete detection of a sophisticated Win64 Trojan from the Selfdel family, capable of extensive malicious activities. It utilizes techniques such as process hooking, abuses legitimate Windows utilities (e.g., mshta, PowerShell, rundll32, regsvr32) for execution and evasion, establishes persistence via scheduled tasks and BITS jobs, performs remote file operations, encodes data, and includes self-deletion capabilities for anti-forensics.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: 名单12月22日.exe
cefe8e08a63508ea77007f4800a8cd12a245789b648bd21e1bdf499bd51f5838
23/12/2025
Remediation Steps:
Immediately isolate the affected endpoint and allow Windows Defender to remove the detected threat. Conduct a thorough post-incident investigation to identify and eradicate any established persistence mechanisms (e.g., scheduled tasks, BITS jobs), abused services, or evidence of lateral movement and data exfiltration. Reset all credentials associated with the compromised system.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 23/12/2025. Do you want to analyze it again?
$ ls available-commands/
user@threatcheck.sh:~$