Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family Copak
This threat is a Trojan from the Copak family, detected by Windows Defender's machine learning behavioral analysis (!MTB). It has been identified based on actions consistent with known malware, such as attempting to download other malicious payloads, steal information, or create a backdoor for remote access.
No specific strings found for this threat
rule Trojan_Win32_Copak_KAV_2147917474_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win32/Copak.KAV!MTB"
threat_id = "2147917474"
type = "Trojan"
platform = "Win32: Windows 32-bit platform"
family = "Copak"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "1"
strings_accuracy = "Low"
strings:
$x_1_1 = {7c 9a 65 00 [0-20] 70 9c 65 00 [0-40] 81 ?? ff 00 00 00 [0-15] 31 [0-50] 81 ?? 92 9c 65 00 0f 8c} //weight: 1, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}b4016039bc3d533659cc7367c260cc2545f620288284d403b75e0095fa4ea0ccIsolate the affected machine from the network immediately. Use Windows Defender to remove the threat, then perform a full system scan to find any related malicious components. Investigate system and network logs for any unauthorized activity and change all user passwords associated with the machine.