$ analyze-threat Trojan:Win32/Eqtonex!dha
Trojan:Win32/Eqtonex!dha - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Eqtonex!dha
Classification:
 - Type: Trojan
 - Platform: Win32
 - Family: Eqtonex
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !dha (caught by dynamic heuristic behavioral analysis)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Trojan (a program that appears legitimate but performs malicious actions), 32-bit Windows platform, family Eqtonex.

Summary:

Trojan:Win32/Eqtonex!dha is a concrete detection of a malicious program designed for information theft and system compromise. It targets browser credentials (specifically Firefox logins), employs evasion and persistence techniques that abuse legitimate Windows binaries (mshta, regsvr32, rundll32, PowerShell, BITS jobs, scheduled tasks), and uses API hooking.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - \\%s\IPC$ (PEHSTR_EXT)
 - h.datja (PEHSTR_EXT)
 - .data (PEHSTR_EXT)
 - dll_p (PEHSTR_EXT)
 - dll_u (PEHSTR_EXT)
 - ntevt.sys (PEHSTR_EXT)
 - \??\C: (PEHSTR_EXT)
 - NSELECT hostname,httpRealm,encryptedUsername,encryptedPassword FROM moz_logins; (PEHSTR)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: 7b83e2b619cf6fcc242e066415bf3631c4aa87144e0d595f118f1ee97c156a6c
 - Date: 04/01/2026

Remediation Steps:
Immediately isolate the affected host. Perform a full system scan with updated antivirus software and remove all detected threats. Because credential theft is a primary function of this threat, change all passwords for accounts whose credentials may have been stored in Firefox or other browsers. Investigate the system for persistence mechanisms (scheduled tasks, BITS jobs, registered DLLs) and for signs of lateral movement or further compromise.
=== END REPORT ===
This analysis was last updated on 04/01/2026.