Worm:Win32/Hamweq!pz - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Worm:Win32/Hamweq!pz
Classification:
  Type: Worm
  Platform: Win32
  Family: Hamweq
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !pz (packed or compressed to evade detection)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Worm - self-replicating malware for the 32-bit Windows platform, family Hamweq

Summary:

Worm:Win32/Hamweq!pz is a concrete detection for a self-propagating worm. The associated signature strings point to network flooding, persistence established through scheduled tasks and common Windows utilities (PowerShell, MSHTA, BITS jobs, rundll32, regsvr32), API hooking used for evasion, and communication with command-and-control servers such as tassweq.com for remote control or data exfiltration.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - tassweq.com (PEHSTR)
 - ise.exe (PEHSTR)
 - Start flooding. (PEHSTR_EXT)
 - Flooding done. (PEHSTR_EXT)
 - 8VirUs.. (PEHSTR_EXT)
 - DEW.exe (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: c35d3d00df7a0e8151ed013a202796cf453830dd9b40c8e23b0f0eb49ea42c0c.exe
 - SHA-256: c35d3d00df7a0e8151ed013a202796cf453830dd9b40c8e23b0f0eb49ea42c0c
 - Date: 31/01/2026
Remediation Steps:
Immediately isolate affected systems, run a full scan with an updated antivirus engine, remove all detected malicious files, block the associated C2 domain (tassweq.com) at the network perimeter, and investigate thoroughly for persistence mechanisms (scheduled tasks, startup entries, BITS jobs) and signs of lateral movement.
=== END REPORT ===
This analysis was last updated on 30/01/2026.