user@threatcheck.sh ~ threat-analysis
$ analyze-threat Trojan:Win64/Lazy!rfn
Trojan:Win64/Lazy!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Lazy!rfn
Classification:
Type: Trojan (Microsoft's type for a program that appears legitimate but performs malicious actions; note the prefix is Trojan:, not Ransom:)
Platform: Win64 (64-bit Windows PE)
Family: Lazy
Detection Type: Concrete (a fixed string signature, listed under VDM Static Detection below)
Suffix: !rfn (a Defender variant suffix on the Lazy family; it is not a family name and does not mean "ransomware")
Confidence: Very High that a flagged file matched these strings; what the file actually does must be confirmed per sample, because the strings come from many unrelated programs
False-Positive Risk: Low for the signature as a whole, but several entries (KERNEL32.dll, .dll, .ctor, C:\Users\, Local\RustBacktraceMutex, System.IO.Compression) occur in ordinary software, so verify the hash and path before acting on a hit

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family Lazy.

Summary:

Trojan:Win64/Lazy!rfn is a generic Trojan detection, not a Ransom: classification, and the string list below does not describe a single program. The PEHSTR entries come from several unrelated codebases: a Rust ransomware build (src/bin/ransomware.rs, README_encrypted.txt, C:\Users\Public\Music\key.txt, AesCryptoServiceProvider), Go shellcode loaders (brimstone/go-shellcode.Run, syscall.LazyDLL), a Go credential stealer (ThunderKitty-Grabber tokengrabber, browsers.CreditCard, defender.Disable), privilege-escalation tooling (LazyCat rotten_potato, PPLKiller with RTCore64.sys, a CVE-2024-30088 PoC), a ChaCha20+XOR packer, and persistence and evasion commands (schtasks ONLOGON with /rl HIGHEST, hidden PowerShell -EncodedCommand, the Windows Defender Exclusions\Paths key, taskkill of dnSpy, ida and HTTPDebuggerUI). The recurring "Lazy" token (syscall.LazyDLL, LazyInitializer, LazyList, "Lazy instance has previously been poisoned") is how Go, .NET and Rust runtimes name lazy loading, and appears in ordinary binaries as well. A hit therefore tells you the file shares strings with this set; which behaviour, if any, the sample has must be established from the file itself.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat (PEHSTR and PEHSTR_EXT are string-match signature records in the Defender VDM definition database):
 - LazyCat.local_privilege_escalation.rotten_potato (PEHSTR_EXT)
 - ;Beds-Protector-The-Quick-Brown-Fox-Jumped-Over-The-Lazy-Dog (PEHSTR)
 - http://goo.gl/YroZm (PEHSTR)
 - Jumped-Over-The-Lazy-Dog (PEHSTR)
 - syscall.LazyDLL (PEHSTR_EXT)
 - LazyDLL).NewProc (PEHSTR_EXT)
 - brimstone/go-shellcode.Run (PEHSTR_EXT)
 - brimstone/go-shellcode.VirtualProtect (PEHSTR_EXT)
 - C:\Users\Public\Music\key.txt (PEHSTR_EXT)
 - README_encrypted.txt (PEHSTR_EXT)
 - src/bin/ransomware.rs (PEHSTR_EXT)
 - Lazy instance has previously been poisoned (PEHSTR_EXT)
 - Local\RustBacktraceMutex (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - LazyInitializer (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - Beds-Protector-The-Quick-Brown-Fox-Jumped-Over-The-Lazy-Dog (PEHSTR_EXT)
 - System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
 - noSXPFMbbZh2Bafej4.bKHDLoYx25MeUohwr7 (PEHSTR_EXT)
 - rJqNEeiWXDvJsanTbLjIo4HO (PEHSTR_EXT)
 - VirtualMemSim.Properties (PEHSTR_EXT)
 - LazyList (PEHSTR_EXT)
 - //cdn.discordapp.com/attachments (PEHSTR_EXT)
 - chrome.exe (PEHSTR_EXT)
 - dlvr.dll (PEHSTR_EXT)
 - libemb.dll (PEHSTR_EXT)
 - wwlib.dll (PEHSTR_EXT)
 - zlibwapi.dll (PEHSTR_EXT)
 - shipinfo.Properties.Resources (PEHSTR_EXT)
 - Conquer.Properties.Resources (PEHSTR_EXT)
 - COLLECTBIO.Properties.Resources.resources (PEHSTR_EXT)
 - DllRegisterServer (PEHSTR_EXT)
 - obj\Release\Wagerssi_UI Launcher.pdb (PEHSTR_EXT)
 - Mert\Desktop\DiscordTelegram\obj\Release\DiscordTelegram.pdb (PEHSTR_EXT)
 - Cioajsefoieafijae (PEHSTR_EXT)
 - Fjiocoivjsfiiqwi (PEHSTR_EXT)
 - klenecektir. Yedekleme stratejinize g (PEHSTR_EXT)
 - backupso.com/download (PEHSTR_EXT)
 - Herhangi bir FTP/SFTP (PEHSTR_EXT)
 - zamanli.txt (PEHSTR_EXT)
 - Backupso.exe (PEHSTR_EXT)
 - G:\CXR19\BSF\intel_a\code\bin\PPRDCCCORBA_C.pdb (PEHSTR_EXT)
 - PPRDCCCORBA_C.dll (PEHSTR_EXT)
 - .ropf (PEHSTR_EXT)
 - Riceboy.Riceboy (PEHSTR_EXT)
 - transfer.sh/get (PEHSTR_EXT)
 - kfvatlgo.dll (PEHSTR_EXT)
 - myxntihz.dll (PEHSTR_EXT)
 - gpufyikc.dll (PEHSTR_EXT)
 - msvhdfuq.dll (PEHSTR_EXT)
 - whbelnyr.dll (PEHSTR_EXT)
 - tpeufvdx.dll (PEHSTR_EXT)
 - opvbzqcs.dll (PEHSTR_EXT)
 - mjsuqrk (PEHSTR_EXT)
 - ihetaqnm.dll (PEHSTR_EXT)
 - npvfxtsz.dll (PEHSTR_EXT)
 - jngxazil.dll (PEHSTR_EXT)
 - zadvmegt.dll (PEHSTR_EXT)
 - kemavwbu.dll (PEHSTR_EXT)
 - wrmqvyjg.dll (PEHSTR_EXT)
 - zkqhpmrn.dll (PEHSTR_EXT)
 - rxdazwqo.dll (PEHSTR_EXT)
 - yfkceshn.dll (PEHSTR_EXT)
 - nvkalgur.dll (PEHSTR_EXT)
 - ncovkerp.dll (PEHSTR_EXT)
 - bzustyoj.dll (PEHSTR_EXT)
 - roqwesdg.dll (PEHSTR_EXT)
 - C:\Windows\System32\opencv_world470.dll (PEHSTR_EXT)
 - C:\Windows\System32\ds5w_x64.dll (PEHSTR_EXT)
 - cdn.axion.systems/diablo/cf4463f8-6db9-4a8b-9925-16a99a1bdec2.exe (PEHSTR_EXT)
 - npqiwudm.dll (PEHSTR_EXT)
 - zigqvcfd.dll (PEHSTR_EXT)
 - kbiuvfzo.dll (PEHSTR_EXT)
 - plbcozuv.dll (PEHSTR_EXT)
 - ycnzgdjx.dll (PEHSTR_EXT)
 - ka/zG (SNID)
 - eswbxmjsziz (PEHSTR_EXT)
 - \PPLKiller.pdb (PEHSTR_EXT)
 - \Temp\RTCore64.sys (PEHSTR_EXT)
 - Dbatic.Resources.resources (PEHSTR_EXT)
 - WowOpO.TXT (PEHSTR_EXT)
 - payload.bin (PEHSTR_EXT)
 - eRClgZbl.exe (PEHSTR_EXT)
 - NZRB.x (PEHSTR_EXT)
 - ConsoleApplication2.pdb (PEHSTR_EXT)
 - download/football.txt (PEHSTR_EXT)
 - 156.245.19.127 (PEHSTR_EXT)
 - CMD session closed (PEHSTR_EXT)
 - C:\Users\localadmin\Downloads\Lilith-master\Lilith-master\x64\Release\Lilith.pdb (PEHSTR_EXT)
 - CMD session opened (PEHSTR_EXT)
 - lilithRELEASE.exe (PEHSTR_EXT)
 - bardg\Documents\diablo\client\bin\x64\Release\client.pdb (PEHSTR_EXT)
 - ajTSYRJNanDNI.JGOLBA (PEHSTR_EXT)
 - GOfKoBH.(*X_Exr0VpkD).pxroc1 (PEHSTR_EXT)
 - IooHIsa1BYJ.(*AyxWYUb).IsLoopback (PEHSTR_EXT)
 - EngmT5177t1.DlL (PEHSTR_EXT)
 - KUQ4PwoXbg.exe (PEHSTR_EXT)
 - ShellExecuteA (PEHSTR_EXT)
 - lld.23lenre (PEHSTR_EXT)
 - ClassicExplorer32_dll.dll (PEHSTR_EXT)
 - DllExportSettingsXml (PEHSTR_EXT)
 - <)JS6 (SNID)
 - -workspace.pdb (PEHSTR_EXT)
 - start cmd /C "color b && title Error && echo (PEHSTR_EXT)
 - && timeout /t 5 (PEHSTR_EXT)
 - 0t6-+C*Pd2+Wk!e+-.pdb (PEHSTR_EXT)
 - testAPP.exE (PEHSTR_EXT)
 - sELF.Exe (PEHSTR_EXT)
 - KeRNel32.DLl (PEHSTR_EXT)
 - A_A^A]A\_^] (PEHSTR_EXT)
 - PenaJ\Downloads\Osiris\output\build\osiris.pdb (PEHSTR_EXT)
 - fwpuclnt.dll (PEHSTR_EXT)
 - KERNEL32.dll (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - .ctor (PEHSTR_EXT)
 - System.IO.Compression (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - Loader.pdb (PEHSTR_EXT)
 - taskkill /FI "IMAGENAME eq dnSpy.exe (PEHSTR_EXT)
 - taskkill /FI "IMAGENAME eq HTTPDebuggerUI.exe (PEHSTR_EXT)
 - taskkill /FI "IMAGENAME eq ida.exe (PEHSTR_EXT)
 - _crypted.exe (PEHSTR_EXT)
 - khxdled\santo\build\santo.pdb (PEHSTR_EXT)
 - \temp.ps1 (PEHSTR_EXT)
 - \temp.bat (PEHSTR_EXT)
 - get_LazyLoading (PEHSTR_EXT)
 - set_LazyLoading (PEHSTR_EXT)
 - Lazy instance has previously been poisonedOnce (PEHSTR_EXT)
 - fdisk.exe (PEHSTR_EXT)
 - C:\Users\ALIENWARE\Downloads\Telegram Desktop\ConsoleApp1\ConsoleApp1\obj\Debug\ (PEHSTR_EXT)
 - SoftwareInstaller.exe (PEHSTR_EXT)
 - Skup.Resources (PEHSTR_EXT)
 - NJs (PEHSTR_EXT)
 - CVE-2024-30088\x64\Release\poc.pdb (PEHSTR_EXT)
 - lhnwktp80.dll (PEHSTR_EXT)
 - Go build ID: "a2XE2MdOg2bFzkApzkl9/ (PEHSTR_EXT)
 - Go build ID: "4B8-iyNma34aKyyPriEp/ (PEHSTR_EXT)
 - DllInjectSelf (PEHSTR_EXT)
 - C:\Users\ (PEHSTR_EXT)
 - 0\src\x64\Release\tulpical.pdb (PEHSTR_EXT)
 - navegador/logger.Configure (PEHSTR_EXT)
 - main.Execute (PEHSTR_EXT)
 - navegador/cmd/navegador (PEHSTR_EXT)
 - navegador/logger.(*Logger).SetVerbose (PEHSTR_EXT)
 - Software\Bivaji Coms\BivaApp (PEHSTR_EXT)
 - `N/>V (SNID)
 - tokengrabber.SetTelegramCredentials (PEHSTR_EXT)
 - tokengrabber.init (PEHSTR_EXT)
 - tokengrabber.SendDMViaAPI (PEHSTR_EXT)
 - tokengrabber.sendMessage (PEHSTR_EXT)
 - defender.Disable (PEHSTR_EXT)
 - utils/browsers.History (PEHSTR)
 - )ThunderKitty-Grabber/utils/browsers.Login (PEHSTR)
 - ,ThunderKitty-Grabber/utils/tokengrabber.init (PEHSTR)
 - browsers.dataBlob (PEHSTR)
 - defender.Disable (PEHSTR)
 - browsers.CreditCard (PEHSTR)
 - 5o\r` (SNID)
 - D3;S/ (SNID)
 - ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8= (PEHSTR_EXT)
 - /thesunwave/pososyamba_bot (PEHSTR_EXT)
 - :\Temp (PEHSTR_EXT)
 - /c timeout /t 10 & del /f /q (PEHSTR_EXT)
 - d3.largesder.com (PEHSTR_EXT)
 - Enc_Output.exe (PEHSTR_EXT)
 - Desktop\solo\examples\example_win32_directx11\Release\calculator.p (PEHSTR_EXT)
 - Software\Yuwei Qusi\Oovi Appc (PEHSTR_EXT)
 - gd_.Properties.Resources (PEHSTR_EXT)
 - \gd].pdb (PEHSTR_EXT)
 - \lol.pdb (PEHSTR_EXT)
 - \loader.cpp.bc.obj.pdb (PEHSTR_EXT)
 - cmd.exe /c {} (PEHSTR_EXT)
 - C:\Windows\System32\ (PEHSTR_EXT)
 - X\d{6}\.dat$ (PEHSTR_EXT)
 - {}Windows\System32\backup_f64.exe (PEHSTR_EXT)
 - {}Windows\System32\czero_log (PEHSTR_EXT)
 - schtasks /create /tn "{}" /sc ONLOGON /tr "{}" /rl HIGHEST /f (PEHSTR_EXT)
 - SAKURATECH\Project\B290_OneDigiMMIC\MSVC\mr12e\mr12e\mr12e\x64\Release\mr12e.pdb (PEHSTR_EXT)
 - Spybot.exe (PEHSTR_EXT)
 - trojascreenshot (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - main.AesDecrypt (PEHSTR_EXT)
 - main.HexStrToBytes (PEHSTR_EXT)
 - main.isNonChinese (PEHSTR_EXT)
 - main.isNonChinese.deferwrap1 (PEHSTR_EXT)
 - main.isPythonInCDrive (PEHSTR_EXT)
 - main.main (PEHSTR_EXT)
 - main.isCPULow (PEHSTR_EXT)
 - main.HideConsoleWindow (PEHSTR_EXT)
 - main.HexParseKey (PEHSTR_EXT)
 - /ShellCode/ShellCode (PEHSTR_EXT)
 - LazyDLL (PEHSTR_EXT)
 - Em/fE47ClCu263lwWIPe3GASleLBc/E (PEHSTR_EXT)
 - Anti-VT.exe (PEHSTR_EXT)
 - snake.My.Resources (PEHSTR_EXT)
 - ExecutePayload (PEHSTR_EXT)
 - Stub\obj\Debug\Stub.pdb (PEHSTR_EXT)
 - System\CurrentControlSet\Services\Amaterasu (PEHSTR_EXT)
 - Registry\Machine\System\CurrentControlSet\Services\Amaterasu (PEHSTR_EXT)
 - UwUdisRAT.pdb (PEHSTR_EXT)
 - @.ACE0 (PEHSTR_EXT)
 - LazyProc (PEHSTR_EXT)
 - main.LoadDriver (PEHSTR_EXT)
 - fmt.Printf (PEHSTR_EXT)
 - fmt.Println (PEHSTR_EXT)
 - main.LoadDriver.func3 (PEHSTR_EXT)
 - main.LoadDriver.func2 (PEHSTR_EXT)
 - main.LoadDriver.func1 (PEHSTR_EXT)
 - main.FindProcessByName (PEHSTR_EXT)
 - main.FindProcessByName.func1 (PEHSTR_EXT)
 - main.RegisterProcessByIOCTL (PEHSTR_EXT)
 - good.5dfruitjkgreat (PEHSTR_EXT)
 - Cwon.ttheir2Kabundantly.land (PEHSTR_EXT)
 - o:\dir_for_builds\bldObj (PEHSTR_EXT)
 - sayingr7Zshe.dfruitfuldzfemalegreater (PEHSTR_EXT)
 - 6maleyou.re,multiply,Thegreenreplenishfitselfw (PEHSTR_EXT)
 - vg05b3wE.Dll (PEHSTR_EXT)
 - sELF.eXe (PEHSTR_EXT)
 - .managed(t1 (PEHSTR_EXT)
 - ScreenCap.png (PEHSTR_EXT)
 - shellexec (PEHSTR_EXT)
 - `.rsrc (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - Encrypting payload with ChaCha20+XOR. (PEHSTR_EXT)
 - Encrypted payload size: %u bytes. (PEHSTR_EXT)
 - Output saved to packed.exe (PEHSTR_EXT)
 - \Release\bigDawg.pdb (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (PEHSTR_EXT)
 - GetComputerNameW (PEHSTR_EXT)
 - d ID: "N2ILNbUimIXCE0IMV_xd/Cin94ZCSPQPVagQSCpa0/cT5BkHWKzhyB0QFem (PEHSTR_EXT)
 - schtasks.exe /create /tn "SystemHelperTask" /tr "%s" /sc onlogon /rl HIGHEST /f (PEHSTR_EXT)
 - powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand %s (PEHSTR_EXT)
 - 4start /min cmd.exe /c powershell -WindowStyle Hidden (PEHSTR)
 - zetolacs-cloud.top (PEHSTR)
 - textpubshiers.top (PEHSTR)
 - DATA.bat (PEHSTR_EXT)
 - notepad.exe (PEHSTR_EXT)
 - \x.exe (PEHSTR_EXT)
 - WinExec (PEHSTR_EXT)
 - crackmy.app/ (PEHSTR_EXT)
 - $RMLoader.LoginClassWindows.resources (PEHSTR)
 - https://discord.horse/js/bw_bundle.js (PEHSTR_EXT)
 - DllExport (PEHSTR_EXT)
 - offkeylogger.dll.compressed (PEHSTR_EXT)
 - Shellcode executed successfully. (PEHSTR_EXT)
 - _new.exe (PEHSTR_EXT)
 - MLogin.exe (PEHSTR_EXT)
 - http://110.42.4.105 (PEHSTR_EXT)
 - \$@I; (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: 4bhnwo.exe
SHA-256: 72e46c4bb14985ea3efc7a44b00aab5ab8f53350701a15de7d209f2fc85727f2
Date: 16/11/2025
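To make the indicator list and the hash above actionable, here is an added triage script (example code written for this page, not threatcheck.sh's or Microsoft's tooling). It hashes a candidate file, compares it with the SHA-256 listed above, and reports which signature strings it contains, grouped by the program each group points at. The grouping, the UTF-16 wide-string check, the verdict thresholds and the two sample byte blobs are this example's own assumptions and constructions, not part of the Defender signature.

```python
"""Static triage of a file flagged as Trojan:Win64/Lazy!rfn.

Added example (not from threatcheck.sh or Microsoft): hashes a file, checks it
against the SHA-256 listed on the page, and reports which of the signature's
PEHSTR indicators it contains. The grouping below is this example's own reading
of the string list; the sample blobs at the bottom are constructed, not real PEs.
"""
import hashlib

KNOWN_SHA256 = "72e46c4bb14985ea3efc7a44b00aab5ab8f53350701a15de7d209f2fc85727f2"

# Subset of the signature strings, grouped by what they point at (assumption).
INDICATORS = {
    "rust_ransomware": [b"src/bin/ransomware.rs", b"README_encrypted.txt",
                        b"C:\\Users\\Public\\Music\\key.txt"],
    "go_shellcode_runner": [b"brimstone/go-shellcode.Run",
                            b"brimstone/go-shellcode.VirtualProtect", b"syscall.LazyDLL"],
    "go_stealer": [b"tokengrabber.SendDMViaAPI", b"browsers.CreditCard", b"defender.Disable"],
    "privesc_tooling": [b"LazyCat.local_privilege_escalation.rotten_potato", b"\\PPLKiller.pdb",
                        b"\\Temp\\RTCore64.sys", b"CVE-2024-30088\\x64\\Release\\poc.pdb"],
    "persistence_and_evasion": [b"SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
                                b"/sc onlogon /rl HIGHEST /f", b"-WindowStyle Hidden -EncodedCommand",
                                b'taskkill /FI "IMAGENAME eq dnSpy.exe'],
}
# Strings from the list that also appear in ordinary software; alone they prove nothing.
WEAK = [b"KERNEL32.dll", b".dll", b".ctor", b"C:\\Users\\",
        b"Local\\RustBacktraceMutex", b"System.IO.Compression"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _present(needle: bytes, data: bytes) -> bool:
    # PEHSTR records are narrow strings; also checking UTF-16LE is this example's
    # assumption so strings stored wide by .NET binaries are not missed.
    wide = needle.decode("ascii").encode("utf-16-le")
    return needle in data or wide in data


def find_indicators(data: bytes) -> dict:
    """Map group name -> list of signature strings found in data."""
    hits = {}
    for group, needles in INDICATORS.items():
        found = [n.decode("ascii") for n in needles if _present(n, data)]
        if found:
            hits[group] = found
    return hits


def weak_hits(data: bytes) -> list:
    return [n.decode("ascii") for n in WEAK if _present(n, data)]


def triage(data: bytes) -> dict:
    """Hash, string hits and a coarse verdict; thresholds are this example's choice."""
    digest = sha256_hex(data)
    strong = find_indicators(data)
    weak = weak_hits(data)
    if digest == KNOWN_SHA256:
        verdict = "known sample"
    elif len(strong) >= 2 or "privesc_tooling" in strong or "persistence_and_evasion" in strong:
        verdict = "strong match"
    elif strong:
        verdict = "single-family match"
    elif weak:
        verdict = "weak match"  # typical of a generic hit on an unsigned Go/Rust/.NET build
    else:
        verdict = "no page indicators"
    return {"sha256": digest, "strong": strong, "weak": weak, "verdict": verdict}


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample inputs (not real binaries): a loader-like blob and a plain Rust build.
SUSPICIOUS = (b"MZ" + b"\x00" * 64 + b"brimstone/go-shellcode.Run\x00" + b"syscall.LazyDLL\x00"
              + b'schtasks.exe /create /tn "SystemHelperTask" /tr "%s" /sc onlogon /rl HIGHEST /f\x00'
              + b"KERNEL32.dll\x00")
BENIGN = b"MZ" + b"\x00" * 64 + b"Local\\RustBacktraceMutex\x00KERNEL32.dll\x00"

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        r = triage(blob)
        print(label, r["verdict"], r["sha256"][:16], sorted(r["strong"]), r["weak"])
```

Run it as `python triage.py` for the constructed samples, or call `triage_file(path)` on a quarantined copy; a "weak match" on your own unsigned build is the case to submit to Microsoft rather than to exclude.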
Remediation Steps:
Confirm the hit before treating it as an incident: record the detected file's path and SHA-256 (compare with the hash above) and check whether it is a locally built Go, Rust or .NET tool, since such builds share several of the listed strings; if it is your own software, submit it to Microsoft as a false positive rather than adding an exclusion. If the file is not accounted for, isolate the host from the network, preserve the file and the Defender detection history, and hunt for the artifacts the signature names: scheduled tasks created with ONLOGON and /rl HIGHEST (for example SystemHelperTask), entries under SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, a service named Amaterasu, RTCore64.sys in a Temp directory, and hidden or encoded PowerShell launches. Because the string set includes browser, Discord and Telegram credential theft, rotate passwords and tokens used from the host. If files have been encrypted, do not pay the ransom; restore from a known-good offline backup. Reimage rather than clean when privilege-escalation or driver-loading artifacts are present, check the rest of the network for the same indicators, and make sure systems are patched (CVE-2024-30088 appears among the PoC strings) and endpoint protection is current.
=== END REPORT ===
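The remediation steps above name several host artifacts. The following added hunt script (example code for this page, not from threatcheck.sh or Microsoft) scores exported scheduled tasks and Defender exclusion paths against the persistence patterns in the string list, and, on Windows only, collects them live with schtasks and the registry. The CSV sample is constructed (its column names follow `schtasks /query /fo CSV /v`), and the regexes, the task-name list and the user-writable-path heuristic for exclusions are this example's own assumptions.

```python
"""Hunt for the persistence and evasion artifacts named in the Lazy!rfn string list.

Added example for this page, not threatcheck.sh or Microsoft code. The review_*
functions are pure so they run on exported data anywhere; collect_windows()
gathers live data and only does anything on Windows (schtasks and winreg).
"""
import csv
import io
import re
import sys

# Patterns taken from the signature strings above (regex form is this example's).
ENC_PS_RE = re.compile(r"powershell(\.exe)?\s.*?(-EncodedCommand|-WindowStyle\s+Hidden)", re.I)
SELF_DELETE_RE = re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q", re.I)
SUSPECT_TASK_NAMES = {"SystemHelperTask"}
SUSPECT_SERVICES = {"Amaterasu"}
EXCLUSION_PATHS_KEY = r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
# Heuristic (assumption): an exclusion under a user-writable location deserves a look.
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|Public)\\", re.I)


def parse_schtasks_csv(text):
    """Parse `schtasks /query /fo CSV /v` output; repeated header rows are dropped."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def review_tasks(tasks):
    """Return (task name, command, reasons) for tasks matching the signature's patterns."""
    findings = []
    for t in tasks:
        name = t.get("TaskName", "")
        cmd = t.get("Task To Run", "")
        sched = t.get("Schedule Type", "")
        reasons = []
        if name.strip("\\") in SUSPECT_TASK_NAMES:
            reasons.append("task name from signature")
        if ENC_PS_RE.search(cmd):
            reasons.append("hidden or encoded PowerShell")
        if SELF_DELETE_RE.search(cmd):
            reasons.append("timeout-then-delete chain")
        if reasons and "logon" in sched.lower():
            reasons.append("runs at logon")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


def review_exclusions(paths):
    """Defender exclusion paths that point into user-writable locations."""
    return [p for p in paths if USER_WRITABLE_RE.search(p)]


def collect_windows():
    """Live collection; returns None off Windows. Reading the exclusions key needs admin."""
    if sys.platform != "win32":
        return None
    import subprocess
    import winreg
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True).stdout
    tasks = parse_schtasks_csv(out)
    exclusions = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXCLUSION_PATHS_KEY) as key:
            i = 0
            while True:
                try:
                    exclusions.append(winreg.EnumValue(key, i)[0])  # the path is the value name
                    i += 1
                except OSError:
                    break
    except OSError:
        pass  # key absent or access denied (tamper protection)
    services = []
    for svc in SUSPECT_SERVICES:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                           r"SYSTEM\CurrentControlSet\Services\%s" % svc))
            services.append(svc)
        except OSError:
            pass
    return tasks, exclusions, services


# Constructed sample export (column names follow schtasks verbose CSV; the rows are invented).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\SystemHelperTask","powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA","At logon time","SYSTEM"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"WS01","\Cleanup","cmd.exe /c timeout /t 10 & del /f /q C:\Users\Public\x.exe","Daily","WS01\user"
'''
SAMPLE_EXCLUSIONS = [r"C:\Users\Public\Music", r"C:\Program Files\Corp\App"]

if __name__ == "__main__":
    live = collect_windows()
    tasks, exclusions = (live[0], live[1]) if live else (parse_schtasks_csv(SAMPLE_CSV), SAMPLE_EXCLUSIONS)
    for name, cmd, why in review_tasks(tasks):
        print(f"TASK {name}: {', '.join(why)}\n    {cmd}")
    for p in review_exclusions(exclusions):
        print(f"EXCLUSION {p}")
    if live and live[2]:
        print("SERVICES", live[2])
```

Off Windows the script runs against the constructed export, which is also how you would use it on a `schtasks /query /fo CSV /v > tasks.csv` file pulled from an isolated host; findings are leads to confirm against the task XML and the file on disk, not verdicts.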
$ reanalyze-threat
This analysis was last updated on 16/11/2025. Do you want to analyze it again?