$ analyze-threat Trojan:Win64/Lazy.MKB!MTB
Trojan:Win64/Lazy.MKB!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Lazy.MKB!MTB
Classification:
 - Type: Trojan
 - Platform: Win64
 - Family: Lazy
 - Detection Type: Concrete (known malware family with identified signatures)
 - Variant: MKB (specific signature variant within the malware family)
 - Suffix: !MTB (detected via machine learning and behavioral analysis)
 - Detection Method: Behavioral
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) for the 64-bit Windows platform, family Lazy.

Summary:

This is a Trojan from the 'Lazy' malware family, identified through machine learning behavioral analysis. It leverages multiple built-in Windows tools (living-off-the-land binaries, LOLBAS) such as PowerShell, mshta, and rundll32 for execution and persistence, and its signature strings indicate capabilities such as API hooking, scheduled task creation, and file transfer, which it uses to maintain control and evade detection.

Severity:
Medium
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win64_Lazy_MKB_2147953775_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Lazy.MKB!MTB"
        threat_id = "2147953775"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Lazy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "25"
        strings_accuracy = "Low"
    strings:
        $x_15_1 = {48 8d 71 01 46 0f b6 04 08 48 39 f2 ?? ?? 48 89 44 24 58 44 88 44 24 43 48 89 4c 24 78}  //weight: 15, accuracy: Low
        $x_10_2 = {48 83 ec 48 48 89 6c 24 40 48 8d 6c 24 40 66 81 38 64 86 ?? ?? 48 8b 50 18 48 8b 70 20}  //weight: 10, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat (SHA-256):
 - f451ad43e1f3f8366a1967c779e72fb6d3f53ddbe523ae8f66a58a79e23a83bb (07/11/2025)
Remediation Steps:
 - Isolate the affected machine from the network immediately.
 - Use an updated EDR or antivirus tool to perform a full system scan and remove the detected threat.
 - Investigate and remove persistence mechanisms such as scheduled tasks, BITS jobs, and suspicious registry keys.
 - Change credentials used on the compromised system.
=== END REPORT ===