user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:Win32/Detplock
Trojan:Win32/Detplock - Windows Defender threat signature analysis

Trojan:Win32/Detplock - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Detplock
Classification:
Type:Trojan
Platform:Win32
Family:Detplock
Detection Type:Concrete
Known malware family with identified signatures
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family Detplock

Summary:

Trojan:Win32/Detplock is a dangerous Windows Trojan with concrete detection, known for employing sophisticated techniques for execution, persistence, and evasion. It leverages system utilities like mshta, regsvr32, rundll32, and PowerShell for execution, establishes persistence via scheduled tasks and BITS jobs, and can perform API hooking, remote file operations, network manipulation, and file deletion.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_Detplock_RPX_2147845774_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Detplock.RPX!MTB"
        threat_id = "2147845774"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Detplock"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {21 fb 4f 31 11 29 ff 81 ef 01 00 00 00 01 fb 41 81 eb 01 00 00 00}  //weight: 1, accuracy: High
        $x_1_2 = {8b 12 89 ff 81 e2 ff 00 00 00 09 df 29 db 29 db 46}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: fxETk.exe
b4f8b12e45dcecfd72eadf5e55e8e1cbd69951ce3d3f5e17c9f5a160350d896f
15/05/2026
VirusTotalDownload Sample
fb63c9cfcfad8a2e256fc76806a056b8a052f087cc83f5079abe5bdb35cfb99a
11/05/2026
VirusTotalDownload Sample
Filename: xnxnxnxnxnxnxnxnor1kxnxn
0b144535a366d68cb8bbacaeb53097a8a7d4ee4843dccc2bb61f252af90aa573
11/04/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the infected system, perform a full system scan with updated antivirus software to remove the threat, and thoroughly investigate for and eradicate any established persistence mechanisms or secondary infections. Patch all systems, reset compromised user credentials, and consider a system reimage or restore from a clean backup to ensure complete eradication.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 13/12/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$