Backdoor:Win32/Zegost.AD - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Win32/Zegost.AD
Classification:
  Type: Backdoor
  Platform: Win32
  Family: Zegost
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: AD (specific signature variant within the malware family)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), 32-bit Windows platform, family Zegost.

Summary:

Backdoor:Win32/Zegost.AD is a backdoor trojan that provides attackers with remote control over a compromised system. It uses multiple legitimate Windows utilities (Living-off-the-Land techniques) such as PowerShell, BITSAdmin, and Scheduled Tasks to execute code, transfer files, and establish persistence, while employing API hooking to evade detection.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - |#d4f940ab-401b-4efc-aadc-ad5f3c50688a (NID)
 - }#d4f940ab-401b-4efc-aadc-ad5f3c50688a (NID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - bitsadmin (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
YARA Rule:
rule Backdoor_Win32_Zegost_AD_2147656985_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Win32/Zegost.AD"
        threat_id = "2147656985"
        type = "Backdoor"
        platform = "Win32: Windows 32-bit platform"
        family = "Zegost"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "11"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = "/stub.dat" ascii //weight: 1
        $x_10_2 = {8b d1 83 e2 01 80 fa 01 8a 14 01 75 05 80 f2 ?? eb 03 80 f2 ?? 88 14 01 41 3b ce}  //weight: 10, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
  Filename: 93A268E1AD1505C222182E5A4DD75790.dll
  SHA-256:  f154be4057e821d85890232d3737c28140b396dba65db14a0d6b2db554f1d9a8
  Date:     12/11/2025

  Filename: 1478C5313977829090D46F9D1F85EA75.dll
  SHA-256:  b34966c661b9cf5cfc69dc06f129bd3c9f66a437687564a0a90bbb2e3b41db3b
  Date:     11/11/2025
Remediation Steps:
Immediately isolate the affected system from the network to prevent further compromise. Use a reputable security tool to remove the threat. If the system is heavily compromised, re-imaging from a known-good backup is the most reliable solution. Investigate for persistence mechanisms and signs of lateral movement.
=== END REPORT ===
This analysis was last updated on 11/11/2025.