user@threatcheck.sh ~ threat-analysis
$ analyze-threat VirTool:Win32/Injector!pz
VirTool:Win32/Injector!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: VirTool:Win32/Injector!pz
Classification:
Type: VirTool
Platform: Win32
Family: Injector
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: VirTool, a tool used to create or modify malware, for the 32-bit Windows platform, family Injector.

Summary:

VirTool:Win32/Injector is Microsoft's generic name for tools and loader stubs whose job is to inject code into another process. Samples under the !pz variant inject malicious code into legitimate processes such as Internet Explorer to hide their activity, establish persistence through registry modifications (the Run keys and the Winlogon Userinit value), communicate with a remote command-and-control server, and may drop additional malicious files or drivers onto the system. The string list below spans Delphi, VB6, .NET and Office-macro builds, crypter stubs and game-cheat injectors, so one detection name covers many unrelated programs; confirm what a particular sample actually does by analysing it rather than inferring it from the name.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat. In a PEHSTR rule each string carries a weight and the rule fires only when the summed weight of the strings found in the file reaches the rule's threshold, so generic entries such as `.dll`, `ntdll` or `rundll32` never match on their own. PEHSTR_EXT is the extended form of the same rule type, MACROHSTR_EXT entries are matched against Office macro code, FOLDERNAME entries against the directory the file sits in, and the `!#HSTR:` entries reference other named string sub-signatures in the same database. The odd leading character on entries such as `5Software\...`, `-\Program Files\...` or `(C:\Program Files\...` is not a typo: it is the string's length byte (0x35 = 53 characters, 0x2D = 45, 0x28 = 40), i.e. the signature matches the length-prefixed string as it is stored in the binary, so keep it when reusing these patterns:
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR)
 - -\Program Files\Internet Explorer\IEXPLORE.EXE (PEHSTR)
 - 5Software\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR)
 - KvMon.exe (PEHSTR)
 - cmd.exe /c del  (PEHSTR)
 - Winsta0\Default (PEHSTR)
 - system32\userinit.exe, (PEHSTR)
 - Control Panel\ (PEHSTR_EXT)
 - Content-Type: application/x-www-form-urlencoded (PEHSTR_EXT)
 - htmlfile\shell\open\command (PEHSTR_EXT)
 - www.2ppp.com (PEHSTR_EXT)
 - iexigub.sys (PEHSTR_EXT)
 - Msyjhxuc.exe (PEHSTR_EXT)
 - Mshucx.exe (PEHSTR_EXT)
 - - Sysinternals: www.sysinternals.com (PEHSTR_EXT)
 - C:\file.exe (PEHSTR_EXT)
 - C:\sample.exe (PEHSTR_EXT)
 - -SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR)
 - cmd.exe /c del (PEHSTR)
 - es\Common Files\ServetDown.exe (PEHSTR_EXT)
 - NDOWS\SYSTEM32\mstsc.exe (PEHSTR_EXT)
 - :8080/Dow (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - \test123\4444\Release\4444.pdb (PEHSTR_EXT)
 - Internet Explorer\ie.exe (PEHSTR_EXT)
 - KPlugin.Section (PEHSTR_EXT)
 - inject\release\Inject.pdb (PEHSTR_EXT)
 - document.body.innerHTML='<br/><form NAME=PriForm id="PriForm" method="post" ACTION = (PEHSTR_EXT)
 - :\SVN\360tcpview\Release\360TcpView.pdb (PEHSTR_EXT)
 - FuckJagex.com_s_Binder_Stub (PEHSTR)
 - SysDLL (PEHSTR_EXT)
 - ;txeT.metsyS gnisu (PEHSTR_EXT)
 - LdrUnloadDll (PEHSTR_EXT)
 - \tcrypt\Release\s_low.pdb (PEHSTR_EXT)
 - :\projects (PEHSTR_EXT)
 - :\src\tcrypt\Release\s_ (PEHSTR_EXT)
 - lowhigh.pdb (PEHSTR_EXT)
 - :\projects\tcrypt_cl2\tcrypt_cl2\Release\s_ (PEHSTR_EXT)
 - http\shell\open\command (PEHSTR_EXT)
 - .dllu (PEHSTR)
 - C:\Work\DPacker64\Release\DExeStub32.pdb (PEHSTR_EXT)
 - keProcInjectorMName (PEHSTR_EXT)
 - System\Core2Inner (PEHSTR_EXT)
 - TEMP\ke64 (PEHSTR_EXT)
 - MEDION-888B89C6\Administrator\VB6.OLB (PEHSTR_EXT)
 - C:\deact\VB6.OLB (PEHSTR_EXT)
 - C:\Programme\DUFFY\loreley\VB6.OLB (PEHSTR_EXT)
 - Tools\VAC\BypassLLI.dll (PEHSTR_EXT)
 - Xylitol knows the answer. (PEHSTR_EXT)
 - Btw, THE GAME. (PEHSTR_EXT)
 - (You just lost it.) (PEHSTR_EXT)
 - \Run /v msmmsgr /t REG_SZ /d  (PEHSTR_EXT)
 - cmd /c REG ADD HKCU (PEHSTR_EXT)
 - services.exe (PEHSTR_EXT)
 - .cn/gate.php (PEHSTR_EXT)
 - DataProtector\ClassLibrary1 (PEHSTR_EXT)
 - cmd.exe /C PING 127.0.0.1 -n 5 & del /F /Q (PEHSTR_EXT)
 - Local\%p (PEHSTR_EXT)
 - avpNexe (PEHSTR_EXT)
 - ntdll (PEHSTR_EXT)
 - crome1.exe (PEHSTR_EXT)
 - get_Comite (PEHSTR_EXT)
 - detect.dll (PEHSTR_EXT)
 - active.dll (PEHSTR_EXT)
 - alg.exe (PEHSTR_EXT)
 - userinit.exe (PEHSTR_EXT)
 - http://project-7.net (PEHSTR_EXT)
 - Injector Msp V1. (PEHSTR_EXT)
 - Botom.exe (PEHSTR_EXT)
 - 56sgjsfgj5.pdb (PEHSTR)
 - YApp.EXE (PEHSTR_EXT)
 - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PEHSTR_EXT)
 - System.Drawing.Bitmap (PEHSTR_EXT)
 - Injector.dll (PEHSTR_EXT)
 - 127.0.0.1:8080 (PEHSTR_EXT)
 - NOKIAN95/WEB (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - prompt.ini (PEHSTR_EXT)
 - Config.ini (PEHSTR_EXT)
 - \xmcrypto.pdb (PEHSTR_EXT)
 - hr_decryptor\bin\HRDecrypter.pdb (PEHSTR_EXT)
 - kernel32.dVl (PEHSTR_EXT)
 - codeblox\___stubz\Gccalaxy\main.cpp (PEHSTR_EXT)
 - wzxscuYT.pLegvoHe (PEHSTR_EXT)
 - rostam.exe (PEHSTR_EXT)
 - NoIkarus + Injections\Msi\Msi (PEHSTR)
 - Windows\EFS.exe (PEHSTR)
 - Sefule.exe (PEHSTR)
 - LOADER.resources (PEHSTR_EXT)
 - LaysOre.exe (PEHSTR_EXT)
 - %,.^E (PEHSTR_EXT)
 - pfMRqOwQbH.Properties (PEHSTR_EXT)
 - pfMRqOwQbH.exe (PEHSTR_EXT)
 - .saojoao.Properties (PEHSTR_EXT)
 - Drena.saopedro (PEHSTR_EXT)
 - RernQl32.dll (PEHSTR_EXT)
 - wernelu2.dllJXOrvOI (PEHSTR_EXT)
 - kyCnel32vdllSX (PEHSTR_EXT)
 - OYfcsLMrtDnFFmfMrD.cKAo41wcePaJBLMQrw.resources (PEHSTR_EXT)
 - k2wWMPO6dx5JfynXIr.qUly9uMdedtVg6H9c1.resources (PEHSTR_EXT)
 - aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
 - brico.exe (PEHSTR_EXT)
 - tocat.exe (PEHSTR_EXT)
 - cloloir.exe (PEHSTR_EXT)
 - LozCw\BSr (PEHSTR_EXT)
 - hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD (PEHSTR_EXT)
 - c:\Users\Administrator\Desktop\Cryptex\ (PEHSTR_EXT)
 - .saojose.Properties (PEHSTR_EXT)
 - baricm.exe (PEHSTR_EXT)
 - rlcsys.exe (PEHSTR_EXT)
 - rlcsys.Properties (PEHSTR_EXT)
 - desen .resources (PEHSTR_EXT)
 - etufgdzh.Properties (PEHSTR_EXT)
 - plapuma .resources (PEHSTR_EXT)
 - popic .resources (PEHSTR_EXT)
 - AzuraMan.Properties (PEHSTR_EXT)
 - \js (PEHSTR_EXT)
 - Scribe (PEHSTR_EXT)
 - leverage.exe (PEHSTR_EXT)
 - System.IO.Compression (PEHSTR_EXT)
 - leverage.Properties (PEHSTR_EXT)
 - Bas.exe (PEHSTR_EXT)
 - Carpati.exe (PEHSTR_EXT)
 - youmehim.Resources.resources (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - shlwapi.dll (PEHSTR_EXT)
 - A3dq3dee54f.resources (PEHSTR_EXT)
 - SmartAssembly.Attributes (PEHSTR_EXT)
 - cIfHeflW.Resources.resources (PEHSTR_EXT)
 - SevenZip.Compression.LZMA (PEHSTR_EXT)
 - Post_MarkMail.Resources.resources (PEHSTR_EXT)
 - dll. (PEHSTR_EXT)
 - dll (PEHSTR_EXT)
 - <Pause/Break> (PEHSTR_EXT)
 - PersistenceModuleInjector (PEHSTR_EXT)
 - Hahshes do not have the same lenght. (PEHSTR_EXT)
 - Control\Keyboard Layouts\%.8x (PEHSTR_EXT)
 - \wmpnetwk\wmpnetwk (PEHSTR_EXT)
 - nSub.g.resources (PEHSTR_EXT)
 - System.IO (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - Decompress (PEHSTR_EXT)
 - DownloadDLL (PEHSTR_EXT)
 - GetDownloadDLL (PEHSTR_EXT)
 - rp.dll (PEHSTR_EXT)
 - System.Runtime.CompilerServices (PEHSTR_EXT)
 - CompileAssemblyFromSource (PEHSTR_EXT)
 - get_CompiledAssembly (PEHSTR_EXT)
 - System.CodeDom.Compiler (PEHSTR_EXT)
 - .Resources.resources (PEHSTR_EXT)
 - busnet.exe (PEHSTR_EXT)
 - .resources (PEHSTR_EXT)
 - CompilerGeneratedAttribute (PEHSTR_EXT)
 - System.Text (PEHSTR_EXT)
 - ForMe.dll (PEHSTR_EXT)
 - System.Reflection (PEHSTR_EXT)
 - C:\Intel\tmp3AC.tmp (PEHSTR)
 - MSVBVM60.DLL (PEHSTR_EXT)
 - C:\Users\Jamie\Documents\Visual Studio 2008\Projects\WindowsApplication15\WindowsApplication15\obj\Release\WindowsApplication15.pdb (PEHSTR_EXT)
 - ", "vnp.dll", " (MACROHSTR_EXT)
 - delaymailto = Passant.beastmode(0) (MACROHSTR_EXT)
 - exec bypass (PEHSTR_EXT)
 - gitee.com (PEHSTR_EXT)
 - inf\usbstor.inf (PEHSTR)
 - .SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (PEHSTR)
 - \AntiOpenProcess.dll (PEHSTR)
 - hookdll.dll (PEHSTR)
 - OxygenInjector (PEHSTR_EXT)
 - SazInjector.exe (PEHSTR_EXT)
 - SazInjector.Resources.resources (PEHSTR_EXT)
 - Assembly System.Reflection (PEHSTR_EXT)
 - gigcapaste\loader\obj\Release\ (PEHSTR_EXT)
 -  .pdb (PEHSTR_EXT)
 - ManualMapInjector (PEHSTR_EXT)
 - ManualMapInjection.Injection.Types (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - qq.com (PEHSTR_EXT)
 - C:\TEMP\Fluck_32.tmp (PEHSTR_EXT)
 - explorer.exe (PEHSTR_EXT)
 - explorer.Resources (PEHSTR_EXT)
 - ZIP RC2 RC4\decode\ (PEHSTR_EXT)
 - 0\obj\Release\explorer.pdb (PEHSTR_EXT)
 - [*] Running the target executable (PEHSTR_EXT)
 - [*] Writing executable image into child process (PEHSTR_EXT)
 - \fin7_injectDLL-shim_step19\Release\step19.pdb (PEHSTR_EXT)
 - NineRays.Obfuscator.Evaluation (PEHSTR_EXT)
 - Full-Source_ShareAppsCrack.com (PEHSTR_EXT)
 - C:\Users\HiddenTask\Downloads (PEHSTR_EXT)
 - UXTHEME.DLL (PEHSTR_EXT)
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR_EXT)
 - Project51.dll (PEHSTR_EXT)
 - loadperf.dll (PEHSTR_EXT)
 - NetInjector (PEHSTR_EXT)
 - PeNet.Structures (PEHSTR_EXT)
 - RtlFillMemory Lib "k32.tmp" (MACROHSTR_EXT)
 - VirtualAlloc Lib "k32.tmp" (MACROHSTR_EXT)
 - IsDebuggerPresent Lib "k32.tmp" (MACROHSTR_EXT)
 - execute Lib "k32.tmp" Alias "CreateThread" (MACROHSTR_EXT)
 - FileCopy "C:\windows\system32\kernel32.dll", Environ("TEMP") & "\k32.tmp" (MACROHSTR_EXT)
 - get_IsEXE (PEHSTR_EXT)
 - ExecuteShellcodeInTargetProcess (PEHSTR_EXT)
 - Loader.pdb (PEHSTR_EXT)
 - ujmakfun.dll (PEHSTR_EXT)
 - Injector (PEHSTR_EXT)
 - DllInjector (PEHSTR_EXT)
 - pMM:DocumentID>adobe:docid:photoshop:e4a3f931-627e-11dc-ba81-9bfb3cc4cbdf</xapMM (PEHSTR_EXT)
 - t.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.38584163924 (PEHSTR_EXT)
 - Http DownLoad (PEHSTR_EXT)
 - TrikIE/1.0 (PEHSTR_EXT)
 - JitHelpers.Ms3dLoader (PEHSTR_EXT)
 - http://yupsearch.com (PEHSTR_EXT)
 - /silent_install.exe (PEHSTR_EXT)
 - /sideb.exe (PEHSTR_EXT)
 - \%ld%d.exe (PEHSTR_EXT)
 - InjectorLoaderMMF (PEHSTR_EXT)
 - HttpClient (PEHSTR_EXT)
 - YippHB.dll (PEHSTR_EXT)
 - [i] Injecting The Reflective DLL Into (PEHSTR_EXT)
 - RlfDllInjector.pdb (PEHSTR_EXT)
 - C:\Users\Public\Documents\zy.log (PEHSTR_EXT)
 - software\WOW6432Node\Tencent\QQ2009\Install (PEHSTR_EXT)
 - HipsTray.exe (PEHSTR_EXT)
 - 360tray.exe (PEHSTR_EXT)
 - V@\bhdll.dat (PEHSTR_EXT)
 - Skattedepartementet\Anagogy.dll (PEHSTR_EXT)
 - \Daitya.ini (PEHSTR_EXT)
 - \Gldsfordring (PEHSTR_EXT)
 - AMD.Power.Processor.ppkg (PEHSTR_EXT)
 - \Virtuosa\Livor (PEHSTR_EXT)
 - PSReadline.psd1 (PEHSTR_EXT)
 - (C:\Program Files\Windows NT\MSSVCCFG.dll (PEHSTR)
 - (Failed to set up service. Error code: %d (PEHSTR)
 - .VirtualQuery failed for %d bytes at address %p (PEHSTR)
 - Shellcode Process Injector.pdb (PEHSTR_EXT)
 - computerholocaust (PEHSTR)
 - SvchostInjector.x64.dll (PEHSTR_EXT)
 - MapDLL (PEHSTR_EXT)
 - ayendonjeans.com/Zvejhoosrg.vdf (PEHSTR_EXT)
 - Extreme Injector.exe (PEHSTR_EXT)
 - Crypter\AdelTutorials (PEHSTR_EXT)
 - Crypter\server1 (PEHSTR_EXT)
 - Virus.Autorun (PEHSTR_EXT)
 - Virus.Delself (PEHSTR_EXT)
 - Virus.Down (PEHSTR_EXT)
 - Virus.Danger (PEHSTR_EXT)
 - Virus.Hijack (PEHSTR_EXT)
 - Virus.Hooker (PEHSTR_EXT)
 - Virus.Homepage (PEHSTR_EXT)
 - Virus.Injector (PEHSTR_EXT)
 - Virus.Sysbot (PEHSTR_EXT)
 - Virus.Killav (PEHSTR_EXT)
 - Trojan.Hooker (PEHSTR_EXT)
 - Trojan.Autorun (PEHSTR_EXT)
 - Trojan.Homepage (PEHSTR_EXT)
 - Trojan.Danger (PEHSTR_EXT)
 - Trojan.Hijack (PEHSTR_EXT)
 - Trojan.Sysbot (PEHSTR_EXT)
 - Trojan.Killav (PEHSTR_EXT)
 - Trojan.Injector (PEHSTR_EXT)
 - Virus.Infector (PEHSTR_EXT)
 - \\.\filddsapi (PEHSTR_EXT)
 - mscoree.dll (PEHSTR_EXT)
 - _.pdb (PEHSTR_EXT)
 - taskkill /FI "IMAGENAME eq dnSpy.exe (PEHSTR_EXT)
 - taskkill /FI "IMAGENAME eq HTTPDebuggerUI.exe (PEHSTR_EXT)
 - taskkill /FI "IMAGENAME eq ida.exe (PEHSTR_EXT)
 - Blocker Injector1 (PEHSTR_EXT)
 - Cant Bypass R.A.C Hook (PEHSTR_EXT)
 - CrInjectorc++ (PEHSTR_EXT)
 - SelfInjector (PEHSTR_EXT)
 - RemoteInjector (PEHSTR_EXT)
 - SpawnInjector (PEHSTR_EXT)
 - X.NpM (PEHSTR)
 - eaf89bed.Resources (PEHSTR_EXT)
 - HXX.Form1.resources (PEHSTR_EXT)
 - ps://www.new.eventawardsrussia.com/wp-includes/ (PEHSTR_EXT)
 - Injection completed successfully! (PEHSTR_EXT)
 - Monetization.InjectApp (PEHSTR_EXT)
 - DllInjectionResult (PEHSTR_EXT)
 - \Monetization\Smartbar.Monetization.InjectApp\obj (PEHSTR_EXT)
 - \Release\smia.pdb (PEHSTR_EXT)
 - PennyBeeW.exe (PEHSTR_EXT)
 - \PennyBee (FOLDERNAME)
 - \Smartbar (FOLDERNAME)
 - \PennyBeePro (FOLDERNAME)
 -  (x86)\PennyBee (FOLDERNAME)
 -  (x86)\PennyBeePro (FOLDERNAME)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
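A scanner that applies the weighted-string idea to a file image, added here as an illustration; it is not part of the report and not Microsoft's engine. It takes a handful of strings from the list above, gives them assumed weights and an assumed threshold, searches both the single-byte and the UTF-16LE form of each (Win32 and .NET binaries store strings both ways), and runs against two constructed byte buffers: one holding only the strings any Windows program has, one holding distinctive injector artefacts as well.

```python
"""Weighted string scan over a file image, in the spirit of a Defender PEHSTR rule.

Added example: this is not the report's tool or Microsoft's engine. The strings
are a subset of the ones listed in the report; the weights, the threshold and
the sample buffers are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Illustrative weights (assumed): distinctive build artefacts score high,
# strings that appear in almost every Windows binary score one point.
WEIGHTED_STRINGS = {
    b"inject\\release\\Inject.pdb": 10,
    b"[i] Injecting The Reflective DLL Into": 10,
    b"ExecuteShellcodeInTargetProcess": 10,
    b"Injector.dll": 8,
    b"\\Run /v msmmsgr /t REG_SZ /d ": 8,
    b"cmd /c REG ADD HKCU": 6,
    b"cmd.exe /C PING 127.0.0.1 -n 5 & del /F /Q": 6,
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run": 3,
    b"LdrUnloadDll": 2,
    b"ntdll": 1,
    b"rundll32": 1,
    b".dll": 1,
}
THRESHOLD = 20  # assumed; the rule's real threshold is not on the page


@dataclass
class Hit:
    pattern: bytes
    weight: int
    encoding: str  # "ascii" or "utf-16le"
    offset: int


def find_strings(data: bytes, table=WEIGHTED_STRINGS) -> list[Hit]:
    """Return one Hit per table entry present in data.

    Every pattern is searched as raw bytes and as UTF-16LE; a pattern is
    counted once no matter how often or in which encoding it occurs.
    """
    hits = []
    for pattern, weight in table.items():
        wide = pattern.decode("latin-1").encode("utf-16-le")
        for enc_name, needle in (("ascii", pattern), ("utf-16le", wide)):
            off = data.find(needle)
            if off != -1:
                hits.append(Hit(pattern, weight, enc_name, off))
                break
    return hits


def score(data: bytes, table=WEIGHTED_STRINGS, threshold=THRESHOLD) -> dict:
    """Sum the weights of the strings present and compare with the threshold."""
    hits = find_strings(data, table)
    total = sum(h.weight for h in hits)
    return {"score": total, "threshold": threshold, "match": total >= threshold, "hits": hits}


# Constructed sample 1: a stub containing only strings any Windows program has.
BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"ntdll.dll\x00rundll32.exe\x00kernel32.dll\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Constructed sample 2: a common string plus distinctive injector artefacts,
# one of them stored as UTF-16LE the way .NET user strings are.
SUSPECT = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"ntdll\x00"
    + b"cmd /c REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    + b" /v msmmsgr /t REG_SZ /d \x00"
    + "[i] Injecting The Reflective DLL Into".encode("utf-16-le")
    + b"\x00D:\\proj\\inject\\release\\Inject.pdb\x00"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        r = score(blob)
        print(f"{label}: score={r['score']} threshold={r['threshold']} match={r['match']}")
        for h in r["hits"]:
            print(f"  +{h.weight:2d} {h.encoding:8s} @{h.offset:#06x} {h.pattern!r}")
```

The benign buffer collects six points from strings every program carries and stays well below the threshold; the suspect buffer crosses it on the build and persistence artefacts alone. When turning a list like this into a YARA or custom scanner rule, keep the weighting: a flat `N of them` condition over the same strings tends to fire on any .NET or Delphi executable.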
Known malware associated with this threat (SHA-256):
2672b6688d7b32a90f9153d2ff607d6801e6cbde61f509ed36d0450745998d58
02/12/2025
Remediation Steps:
Isolate the affected machine from the network immediately. Run a full Microsoft Defender scan (a Defender Offline scan if components survive a normal one) to remove all detected files. Then inspect and clean the persistence locations the signature strings point at: the HKLM and HKCU Run keys, the Winlogon Userinit and Shell values, scheduled tasks, BITS jobs and services, and any dropped files under TEMP, ProgramData or Users\Public. Because samples in this family inject into trusted processes and may install drivers, a clean scan does not prove the system is clean; reimaging the device from a known-good backup is the most reliable course of action.
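A check for the persistence locations named in these steps, added as an example and not part of the report. It parses `reg query` output (captured on the isolated host or taken from a triage collection) for the Winlogon key and the Run keys, flags a Userinit or Shell value that deviates from the Windows default, and grades Run entries by whether they launch through a living-off-the-land binary such as rundll32 or point into temp, public or per-user directories. The sample output is constructed; the msmmsgr value name, the TEMP\ke64 folder, active.dll and C:\Users\Public\Documents come from the signature strings above, all other names and paths are assumptions.

```python
"""Audit of the registry persistence locations named in the remediation steps.

Added example, not part of the report: it parses text in the format that
`reg query` prints, so it runs offline on a triage export from the isolated
host. SAMPLE_REG_QUERY is constructed; the value name msmmsgr, the TEMP\\ke64
folder, active.dll and C:\\Users\\Public\\Documents are taken from the signature
strings above, every other path and name is an assumption.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\", re.I)
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
# First executable token of a Run value: optional quotes, optional directory.
EXE_RE = re.compile(r'^"?(?:.*?\\)?([a-z0-9_-]+)(?:\.exe)?"?(?:\s|$)')

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"  # Windows default value
DEFAULT_SHELL = "explorer.exe"
LOLBINS = {"cmd", "rundll32", "regsvr32", "mshta", "powershell",
           "wscript", "cscript", "bitsadmin", "certutil"}
HIGH_PATHS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")
MEDIUM_PATHS = ("\\appdata\\", "\\programdata\\")


@dataclass
class Finding:
    severity: str
    key: str
    name: str
    data: str
    reason: str


def parse_reg_query(text: str) -> list[tuple]:
    """Return (key, value_name, type, data) tuples from `reg query` output."""
    entries, key = [], None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], m["data"].strip()))
    return entries


def audit(entries) -> list[Finding]:
    """Grade Winlogon and Run/RunOnce values; returns findings to review."""
    findings = []
    for key, name, _typ, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith("\\winlogon"):
            if n == "userinit" and d != DEFAULT_USERINIT:
                findings.append(Finding("HIGH", key, name, data,
                    "Userinit is not the default; every comma-separated entry runs at logon"))
            elif n == "shell" and d != DEFAULT_SHELL:
                findings.append(Finding("HIGH", key, name, data, "Shell is not explorer.exe"))
            continue
        if "\\currentversion\\run" not in k:  # Run, RunOnce and Wow6432Node variants
            continue
        m = EXE_RE.match(d)
        exe = m.group(1) if m else ""
        severity, reasons = None, []
        if exe in LOLBINS:
            severity = "HIGH"
            reasons.append(f"launched through {exe}")
        if any(p in d for p in HIGH_PATHS):
            severity = "HIGH"
            reasons.append("executable under a temp, public or downloads directory")
        elif any(p in d for p in MEDIUM_PATHS):
            severity = severity or "MEDIUM"
            reasons.append("executable under AppData or ProgramData (legitimate per-user installs live there too)")
        if severity:
            findings.append(Finding(severity, key, name, data, "; ".join(reasons)))
    return findings


# Constructed `reg query` output for the keys the remediation steps name.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\Public\Documents\svc.exe
    Shell    REG_SZ    explorer.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    msmmsgr    REG_SZ    C:\Users\jdoe\AppData\Local\Temp\ke64\msmmsgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    rundll32.exe C:\ProgramData\active.dll,Start
"""

if __name__ == "__main__":
    for f in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{f.severity}] {f.key}\\{f.name} = {f.data}\n        {f.reason}")
```

On the host, run `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and `reg query` against each Run and RunOnce key (HKLM, HKCU and the Wow6432Node variants), feed the text to `audit(parse_reg_query(...))`, and work through the HIGH findings first. An AppData entry is graded MEDIUM on purpose: legitimate per-user installers put their binaries there too, so it is a prompt to verify the file's signature and hash, not a verdict.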
=== END REPORT ===
Analysis last updated: 02/12/2025.