Trojan:Win64/Donut!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Donut!rfn
Classification:
Type: Trojan
Platform: Win64
Family: Donut
Detection Type: Concrete
Known malware family with identified signatures
Suffix: !rfn
Variant qualifier appended to the family name by the engine; it does not mark a ransomware family
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (a program that appears legitimate but performs malicious actions) for the 64-bit Windows platform, belonging to the Donut family.

Summary:

This concrete detection identifies Trojan:Win64/Donut!rfn. The static strings below show the sample creating a scheduled task (`schtasks /create /tn`) that runs a dropped batch file (`djkggosj.bat`) for persistence, invoking PowerShell (`executePowerShell`), and contacting a command-and-control endpoint at 141.98.6.14 on TCP port 5563 (`141.98.6.14:5563/`). The signature additionally references Defender's generic string sets for MSHTA, Regsvr32, Rundll32, BITS jobs, API hooking, data encoding, remote file copy, file deletion, netsh helper DLLs and remote services, so matching samples may use any of these execution, persistence or lateral-movement paths. Taken together this indicates a loader under remote control that can stage further malicious activity on the host.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat (PEHSTR_EXT entries are string matches evaluated against the PE file; entries prefixed `!#HSTR:` are references to Defender's shared generic string sets, so they show what the signature logic checks for rather than text found verbatim in a given sample):
 - SM_LASTSM_x64.exe (PEHSTR_EXT)
 - Y+;+.+:P+: (PEHSTR_EXT)
 - 141.98.6.14:5563/ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - executePowerShell (PEHSTR_EXT)
 - schtasks /create /tn (PEHSTR_EXT)
 - djkggosj.bat (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat (SHA-256, date DD/MM/YYYY):
Filename: mscorsvc.dll
SHA-256: b25ccdcb1830239c3709b0fa1e3e337eded4b7240d2e0470eb2aa7533b0c61f4
Date: 08/01/2026
Filename: Setup.exe
SHA-256: 696352b6b7c282736cb240651682b07a5feaa68ac065e9128f946779db00b02b
Date: 25/12/2025
Filename: mscorsvc.dll
SHA-256: 5731d0fec3b864f35d7711803d93db4b80cde7a52bc81d89053ad11c0ac9f10c
Date: 18/12/2025
Filename: 19b066ed4fae241bf7e9f22bdf56f647.exe
SHA-256: 2b5cc5dedd93fd77ec4d8c28d26df606b16e6a5bdd3b88dd77be9e38f24a98b1
Date: 15/12/2025
Remediation Steps:
Immediately isolate the infected host from the network and run a full Microsoft Defender scan to remove all detected components. Then check manually for persistence the scan may not undo: scheduled tasks created with `schtasks /create /tn` whose action launches `djkggosj.bat`, `SM_LASTSM_x64.exe` or a dropped `mscorsvc.dll`, plus any BITS jobs pointing at the C2 host. Hash suspicious files and compare them with the SHA-256 values listed above. Block all traffic to the C2 address 141.98.6.14 (observed on TCP port 5563) at the network firewall and on the host, then review proxy, firewall and authentication logs for connections to that address, lateral movement from the host, and signs of data exfiltration.
=== END REPORT ===
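The following host-triage script is an added example written for this page; it is not part of the original report and not Microsoft tooling. It walks the remediation checks above on one Windows host: scheduled tasks that launch the listed file names, files in common drop locations that match the listed names, SHA-256 hashes or embedded IOC strings, live connections and BITS jobs to the C2 address, and an outbound firewall block for that address. The scan roots, the 50 MB size cap, the extension filter and the firewall rule name are assumptions chosen for the example.

```powershell
# Added example: single-host triage for the IOCs in this report.
# Not part of the original report or of Microsoft tooling. Run in an elevated
# Windows PowerShell 5.1+ session. $ScanRoots, the size cap, the extension
# filter and $ruleName are assumptions for the example.

$C2Ip    = '141.98.6.14'   # from the PEHSTR_EXT string 141.98.6.14:5563/
$Hashes  = @(
    'b25ccdcb1830239c3709b0fa1e3e337eded4b7240d2e0470eb2aa7533b0c61f4',
    '696352b6b7c282736cb240651682b07a5feaa68ac065e9128f946779db00b02b',
    '5731d0fec3b864f35d7711803d93db4b80cde7a52bc81d89053ad11c0ac9f10c',
    '2b5cc5dedd93fd77ec4d8c28d26df606b16e6a5bdd3b88dd77be9e38f24a98b1'
)
$Names   = @('SM_LASTSM_x64.exe', 'djkggosj.bat', 'mscorsvc.dll')
$Strings = @('141.98.6.14:5563/', 'executePowerShell', 'schtasks /create /tn', 'djkggosj.bat')
# Assumed drop locations; widen to C:\ for a full sweep.
$ScanRoots = @($env:ProgramData, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Scheduled-task persistence: any task action that launches a listed file name.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($n in $Names) {
            if ($cmd -match [regex]::Escape($n)) {
                $findings.Add([pscustomobject]@{
                    Finding = 'ScheduledTask'
                    Where   = $task.TaskPath + $task.TaskName
                    Detail  = $cmd
                })
            }
        }
    }
}

# 2. Dropped files: known names, known SHA-256 hashes, or embedded IOC strings.
Get-ChildItem -Path $ScanRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 50MB } |
    ForEach-Object {
        $f = $_
        if ($Names -contains $f.Name) {
            $findings.Add([pscustomobject]@{ Finding = 'KnownFileName'; Where = $f.FullName; Detail = $f.Name })
        }
        # Get-FileHash returns upper-case hex; the report lists lower-case.
        $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $Hashes -contains $h.ToLower()) {
            $findings.Add([pscustomobject]@{ Finding = 'KnownHash'; Where = $f.FullName; Detail = $h.ToLower() })
        }
        # Literal (non-regex) string scan, limited to executable/script types to keep the sweep quick.
        if ($f.Extension -in '.exe', '.dll', '.bat', '.ps1') {
            $m = Select-String -Path $f.FullName -Pattern $Strings -SimpleMatch -List -ErrorAction SilentlyContinue
            if ($m) {
                $findings.Add([pscustomobject]@{ Finding = 'IocString'; Where = $f.FullName; Detail = ($m.Pattern -join ',') })
            }
        }
    }

# 3. Live C2 traffic and BITS jobs that pull from the C2 host.
foreach ($c in (Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue)) {
    $findings.Add([pscustomobject]@{
        Finding = 'C2Connection'
        Where   = "PID $($c.OwningProcess)"
        Detail  = "$($c.RemoteAddress):$($c.RemotePort) $($c.State)"
    })
}
foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
    if ($job.FileList.RemoteName -match [regex]::Escape($C2Ip)) {
        $findings.Add([pscustomobject]@{ Finding = 'BitsJob'; Where = $job.DisplayName; Detail = ($job.FileList.RemoteName -join ',') })
    }
}

# 4. Containment: block all outbound traffic to the C2 address, not just port 5563,
#    in case the operator moves the listener. Rule name is an assumption.
$ruleName = 'Block Trojan-Win64-Donut C2'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block -RemoteAddress $C2Ip | Out-Null
}

$findings | Format-Table -AutoSize
```

The script only reports and blocks; it does not delete files or unregister tasks, because a `mscorsvc.dll` or task hit should be confirmed (hash, signer, parent process) before removal, and the artefacts are worth preserving for the lateral-movement and exfiltration investigation the report calls for. Once a finding is confirmed, `Unregister-ScheduledTask -TaskName <name> -TaskPath <path> -Confirm:$false` and `Remove-BitsTransfer` remove the persistence the scan found.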