Concrete signature match: Trojan (appears legitimate but performs malicious actions); platform: 64-bit Windows; family: Lazy
Trojan:Win64/Lazy.NS!MTB is a trojan targeting 64-bit Windows systems, detected via machine learning behavioral analysis. Evidence, including the string 'trojascreenshot', indicates it is designed to steal sensitive information by capturing screenshots of the user's desktop.
Relevant strings associated with this threat:
- Spybot.exe (PEHSTR_EXT)
- trojascreenshot (PEHSTR_EXT)
rule Trojan_Win64_Lazy_NS_2147950417_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Lazy.NS!MTB"
        threat_id = "2147950417"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Lazy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {41 0f b6 46 08 88 07 49 63 46 04 41 3b 06 7e 07 49 8d 3c 07 c6 07 cc} //weight: 2, accuracy: High
        $x_1_2 = {8d 83 00 10 00 00 4c 63 e0 49 8b} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash: 356cb3251394d86db58de7b279f044c36159f0decd98b8ef8f9b1117795ab495

Recommended remediation: Isolate the affected system from the network to prevent data exfiltration. Use your security software to quarantine and remove the detected file. As a precaution, change passwords for any accounts used on the compromised machine and perform a full system scan.