Concrete signature match: type Trojan (appears legitimate but performs malicious actions), platform 64-bit Windows, family Donut
Trojan:Win64/Donut.C!MTB is a critical-severity 64-bit Windows trojan detected via a concrete signature combined with machine-learning behavioral analysis. This variant, associated with the file `SM_LASTSM_x64.exe`, is designed to establish unauthorized access to or control of the compromised system, or to perform other malicious actions on it.
Relevant strings associated with this threat:
- SM_LASTSM_x64.exe (PEHSTR_EXT)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
rule Trojan_Win64_Donut_C_2147906065_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Donut.C!MTB"
        threat_id = "2147906065"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Donut"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"

    strings:
        // x64 function prologue that reads the TEB via gs:[0x30] and then the PEB
        // at offset 0x60; this pattern is characteristic of position-independent
        // loaders that resolve APIs by walking the PEB rather than importing them.
        $x_7_1 = {48 83 ec 20 65 48 8b 04 25 30 00 00 00 49 8b f8 48 8b f2 48 8b e9 45 33 d2 4c 8b 48 60 49 8b 41} //weight: 7, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated hash: f50b9b888107644204921d8449bc7ef4fe358cd5ccca87a7cf5944a00d00dcc8

Immediately isolate the affected system, remove the detected malware, perform a full system scan, and ensure all security software is fully updated. Investigate for potential persistence mechanisms or further compromise within the environment.