Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Lazy
This threat is a Trojan for 64-bit Windows systems, identified by its behavior and specific file characteristics. It targets Google Chrome browser data, likely for stealing cookies, and attempts to delete itself after a short delay to cover its tracks and evade analysis.
Relevant strings associated with this threat:
- /c timeout /t 10 & del /f /q (PEHSTR_EXT)
rule Trojan_Win64_Lazy_GM_2147922335_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Lazy.GM!MTB"
        threat_id = "2147922335"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Lazy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "ChromeFuckNewCookies" ascii //weight: 2
        $x_2_2 = "/c timeout /t 10 & del /f /q" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash: 29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43

Remediation: Isolate the affected system from the network immediately. Run a full scan with an updated antivirus product to remove the threat. Since it targets browser cookies, change passwords for all critical online accounts (e.g., email, banking), log out of all active sessions, and enable multi-factor authentication.