$ analyze-threat Trojan:Win64/Reflo!pz
Trojan:Win64/Reflo!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Reflo!pz
Classification:
  Type: Trojan
  Platform: Win64
  Family: Reflo
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !pz (packed or compressed to evade detection)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: a Trojan (software that appears legitimate but performs malicious actions) for the 64-bit Windows platform, family Reflo.

Summary:

This is a concrete detection of Trojan:Win64/Reflo!pz, a CoinMiner payload delivered by the Amadey botnet. The sample embeds the r77 user-mode rootkit and uses reflective DLL injection and API hooking for stealth and persistence, and it relies on built-in Windows utilities (rundll32, regsvr32, mshta, PowerShell, BITS jobs, scheduled tasks and netsh helper DLLs) for execution and for maintaining its presence.

Severity:
Critical
VDM Static Detection:
The PEHSTR_EXT signature matches on the strings below. Plain entries (for example rundll32) are matched literally; entries of the form !#HSTR:...!pli name component signatures for the listed behaviours (hooking, mshta, regsvr32, scheduled tasks and so on) rather than literal byte strings. Two entries are specific to this malware: ?ReflectiveDllMain@@YAHPEAE@Z is the MSVC-mangled export of int __cdecl ReflectiveDllMain(unsigned char *), the entry point a reflective loader calls, and the r77-x64.pdb line is a debug-symbol path left in a build of the open-source r77 rootkit.
Relevant strings associated with this threat:
 - ?ReflectiveDllMain@@YAHPEAE@Z (PEHSTR_EXT)
 - \CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\r77-x64.pdb (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
Known malware which is associated with this threat (SHA-256, date):
 - 3ced756405771b11daab9d9b24db2faad5aaeeab845a31577d03ee545c27d5ba  14/06/2026
 - 2d39ed5ea7f2547233f534c4e78edef047051c26c115ac120663705be96b8e5d  23/05/2026
 - 6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93  22/05/2026
 - e462b4cd9a58c4cd538e4d87406fa8659661d260c1eb83f157ba2dd891a3972e  01/02/2026  (filename: 627af5c322a95a42906833fe4d490c05.exe)
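The static indicators above, turned into a small triage script. This is an added example written for this page; it is neither the report's code nor Defender's signature engine. The weights and threshold are assumptions chosen to show how a multi-string signature behaves (a generic token such as rundll32 never fires on its own, while the r77 PDB path does), and the two sample byte blobs at the bottom are constructed, not real malware. It also looks the file's SHA-256 up in the hash list from the report, which illustrates why the string signature matters: a recompiled sample gets a new hash but usually keeps the PDB path and the export name.

```python
"""Static triage of a file against the Trojan:Win64/Reflo!pz indicators.

Added example for this page; not the report's code and not Defender's engine.
Weights and threshold are assumptions chosen to show how a PEHSTR_EXT-style
signature works: several strings are looked up and weighted, so a generic
token like "rundll32" alone never fires while the r77 PDB path does.
"""
import hashlib

# SHA-256 hashes listed in the report (verbatim).
KNOWN_HASHES = {
    "3ced756405771b11daab9d9b24db2faad5aaeeab845a31577d03ee545c27d5ba",
    "2d39ed5ea7f2547233f534c4e78edef047051c26c115ac120663705be96b8e5d",
    "6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93",
    "e462b4cd9a58c4cd538e4d87406fa8659661d260c1eb83f157ba2dd891a3972e",
}

# Literal strings from the report. The PDB path is a debug-symbol path baked
# into this r77 build; the mangled name is the reflective loader's export,
# int __cdecl ReflectiveDllMain(unsigned char *).
R77_PDB = rb"\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\r77-x64.pdb"
REFLECTIVE_EXPORT = b"?ReflectiveDllMain@@YAHPEAE@Z"

# Weights are illustrative (assumption), not Defender's.
INDICATORS = {R77_PDB: 8, REFLECTIVE_EXPORT: 6, b"rundll32": 1}
THRESHOLD = 6  # one high-fidelity indicator is enough to flag


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_strings(data: bytes) -> dict:
    """Map each indicator present in data to its weight. Strings in PE files
    are often stored as UTF-16LE, so both encodings are checked."""
    hits = {}
    for needle, weight in INDICATORS.items():
        wide = needle.decode("ascii").encode("utf-16-le")
        if needle in data or wide in data:
            hits[needle.decode("ascii")] = weight
    return hits


def triage(data: bytes) -> dict:
    """Hash lookup plus string scan. A recompiled sample gets a new hash but
    usually keeps the PDB path and export name, which is why the strings
    still catch it when the hash list does not."""
    digest = sha256_hex(data)
    hits = scan_strings(data)
    score = sum(hits.values())
    known = digest in KNOWN_HASHES
    return {
        "sha256": digest,
        "known_hash": known,
        "matched": sorted(hits),
        "score": score,
        "verdict": "malicious" if known or score >= THRESHOLD else "clean",
    }


# Constructed samples (not real binaries): a PE-shaped blob carrying the r77
# indicators, and a benign-looking blob that only mentions rundll32.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SAMPLE_R77 = (PE_STUB + REFLECTIVE_EXPORT + b"\x00"
              + "rundll32".encode("utf-16-le") + b"\x00\x00"
              + R77_PDB + b"\x00")
SAMPLE_BENIGN = PE_STUB + b"rundll32.exe shell32.dll,Control_RunDLL\x00"

if __name__ == "__main__":
    for name, blob in (("r77-like", SAMPLE_R77), ("benign", SAMPLE_BENIGN)):
        r = triage(blob)
        print(f"{name}: {r['verdict']} score={r['score']} matched={r['matched']}")
```

Run it against a suspect file with triage(open(path, "rb").read()); the constructed r77-like blob scores 15 and is flagged on strings alone even though its hash is not in the list, while the benign blob scores 1 and stays clean.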
Remediation Steps:
Immediately isolate the infected host and perform a full deep scan with updated security software. Investigate and remove every persistence mechanism, including scheduled tasks, netsh helper DLL registrations, BITS jobs and modified or abused system utilities. Block the associated command-and-control IP (62.60.226.140) at the network perimeter and search proxy and firewall logs for other hosts that contacted it. Because the rootkit component hooks user-mode APIs, process, file and registry listings taken on the live system may be incomplete, so prefer an offline scan or collection from a trusted boot environment; given the presence of rootkit components, re-imaging the system is the safest course.
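One way to carry out the persistence and C2 checks from the remediation step, as an added example that is not part of the original report. It parses text exported from two built-in Windows commands, schtasks /query /fo CSV /v and netstat -ano, as an analyst would collect them from the isolated host; the LOLBin list comes from the component signatures above, the CSV columns used are a subset of what schtasks prints (assumed here), and every input line is constructed. Because the rootkit hooks user-mode APIs, output gathered on the live host can be incomplete, so treat an empty result as inconclusive rather than clean.

```python
"""Host triage for the remediation step: scheduled-task persistence and C2
connections, from exported output of two built-in Windows commands.

Added example for this page, not the report's own procedure. Input formats:
"schtasks /query /fo CSV /v" (only a subset of its columns is used here) and
"netstat -ano". All data below is constructed.
"""
import csv
import io
import re

C2_IP = "62.60.226.140"  # command-and-control address named in the report

# Built-in binaries named in the report's component signatures. A task that
# launches one of them is a lead for an analyst, not a verdict: plenty of
# Microsoft's own tasks run PowerShell.
SUSPICIOUS_RUNNERS = ("rundll32", "regsvr32", "mshta", "powershell", "bitsadmin")
# -enc/-EncodedCommand followed by a base64 blob (the report lists a
# DataEncoding component signature).
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def suspicious_tasks(schtasks_csv: str) -> list:
    """Return [(TaskName, Task To Run)] for tasks whose action runs a listed
    LOLBin or an encoded PowerShell command."""
    found = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = row.get("Task To Run", "")
        if any(r in action.lower() for r in SUSPICIOUS_RUNNERS) or ENCODED_PS.search(action):
            found.append((row["TaskName"], action))
    return found


def c2_connections(netstat_text: str, c2_ip: str = C2_IP) -> list:
    """Return [(local, remote, state, pid)] for sockets whose remote address
    is the C2 IP. netstat -ano columns: Proto, Local, Foreign, State, PID;
    UDP rows have no State column."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if (parts[0] == "TCP" and len(parts) < 5) or (parts[0] == "UDP" and len(parts) < 4):
            continue
        remote = parts[2]
        if remote.rsplit(":", 1)[0] == c2_ip:  # drop the port; safe for [ipv6]:port too
            state = parts[3] if parts[0] == "TCP" else ""
            hits.append((parts[1], remote, state, parts[-1]))
    return hits


# Constructed schtasks CSV: one legitimate task, one rundll32 loader, one
# encoded PowerShell command. Task names and paths are made up.
SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\UpdateSvc","rundll32.exe C:\ProgramData\svc\core.dll,Start","SYSTEM"
"WS01","\Sync","powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA==","SYSTEM"
'''

# Constructed netstat -ano output; 203.0.113.10 is a documentation address.
NETSTAT_TEXT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    192.168.1.23:49712     62.60.226.140:443      ESTABLISHED     4412
  TCP    192.168.1.23:49720     203.0.113.10:443       ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1536
"""

if __name__ == "__main__":
    for name, action in suspicious_tasks(SCHTASKS_CSV):
        print(f"task {name}: {action}")
    for local, remote, state, pid in c2_connections(NETSTAT_TEXT):
        print(f"C2 {remote} from {local} {state} pid={pid}")
```

On the constructed data the task filter surfaces the rundll32 loader and the encoded PowerShell task and ignores the Defrag task, and the netstat pass returns the single ESTABLISHED socket to 62.60.226.140 with its owning PID, which is the process to capture (memory and image on disk) before the host is wiped.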
=== END REPORT ===
This analysis was last updated on 15/06/2026.