$ analyze-threat PWS:Win32/PrimaryPass!pz
PWS:Win32/PrimaryPass!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:Win32/PrimaryPass!pz
Classification:
  Type: PWS
  Platform: Win32
  Family: PrimaryPass
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !pz (packed or compressed to evade detection)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Password Stealer - Steals credentials and sensitive information for 32-bit Windows platform, family PrimaryPass

Summary:

This threat is a password-stealing trojan from the PrimaryPass family, which actively steals user credentials. It uses advanced techniques like API hooking to capture sensitive data and leverages legitimate Windows tools such as PowerShell, BITS, and Scheduled Tasks to maintain persistence and exfiltrate the stolen information.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
  Filename: ED7AFD820CD75E547BA46EB45E370ECB.exe
    SHA-256: d5030b07278ebd86460b06d207ce1761b29837afda17515f31513795441edb40
    Date: 13/05/2026
  Filename: 17C90D25E449CFE53FD275649A19D32D.exe
    SHA-256: 4524b41122fe4c00fb1f97ad22e259e2ad55bd8e91f1aae6874c9cbb2c473dc4
    Date: 11/05/2026
  Filename: 034E591604F04CD5AAA4C8648DBC80E2.exe
    SHA-256: bc875836116bad3eff27994c4dc15ff45553f945a1d72a6694512fbe1fb8761e
    Date: 16/04/2026
  Filename: 37f4ed360649161e73d7fe12ec120463.exe
    SHA-256: 8f69af0fce0ccbacb9fac1d2ba551ff3982336700ebb59280c0b1b09a637c4f4
    Date: 23/01/2026
  Filename: 09dbef12d48816c9a750b7d2b1a7ba55.exe
    SHA-256: 0178df6a04b3743e242f1680e26eb071791fb999a3d36f080f5dfec4ece1bc24
    Date: 04/01/2026
Remediation Steps:
  1. Immediately isolate the affected machine from the network.
  2. Use Windows Defender to perform a full system scan and remove the threat.
  3. Assume all credentials on the system have been compromised; change all passwords and enable multi-factor authentication (MFA) for all critical accounts.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 17/11/2025.