user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:Win64/Donut!pz
Trojan:Win64/Donut!pz - Windows Defender threat signature analysis

Trojan:Win64/Donut!pz - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Donut!pz
Classification:
Type:Trojan
Platform:Win64
Family:Donut
Detection Type:Concrete
Known malware family with identified signatures
Suffix:!pz
Packed or compressed to evade detection
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Donut

Summary:

This is a concrete detection of a Win64 Donut family Trojan. It leverages various Windows system binaries (e.g., PowerShell, mshta, rundll32, schtasks, BITS) and techniques like process hooking for execution, persistence, and defense evasion, communicating with a command-and-control server at 141.98.6.14.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - SM_LASTSM_x64.exe (PEHSTR_EXT)
 - Y+;+.+:P+: (PEHSTR_EXT)
 - 141.98.6.14:5563/ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - executePowerShell (PEHSTR_EXT)
 - schtasks /create /tn (PEHSTR_EXT)
 - djkggosj.bat (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
be6928a5935f0b49ec86015be3f600a635d3aef55f602827a7104a661b13200a
29/12/2025
VirusTotalDownload Sample
4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9
29/12/2025
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the infected system, perform a full antivirus scan, remove identified persistence mechanisms (scheduled tasks), block communication to 141.98.6.14 at the network perimeter, and consider re-imaging the system to ensure complete eradication.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 29/12/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$