Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family Lazy
This threat is a trojan from the 'Lazy' malware family targeting 64-bit Windows systems. The detection is based on machine-learning behavioral analysis (the !MTB suffix), indicating that the sample behaves suspiciously and is likely to download and execute further malicious payloads or to establish a foothold on the system.
No specific strings found for this threat
rule Trojan_Win64_Lazy_RU_2147911217_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Lazy.RU!MTB"
        threat_id = "2147911217"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Lazy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {48 0f af f8 49 8b c2 48 f7 e7 48 c1 ea 07 48 69 c2 ?? ?? ?? ?? 48 2b f8 41 8a c8 80 e1 07 c0 e1 03 48 0f be 95 ?? ?? ?? ?? 48 d3 fa 40 32 fa 49 8b c2 49 f7 e1 48 c1 ea 07 48 69 c2 ?? ?? ?? ?? 49 8b c9 48 2b c8 40 32 f9 42 30 bc 05 ?? ?? ?? ?? 4d 03 c3 4c 03 cb} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

File hash (SHA-256): 9e246fa232a49a29df6a55267291cb815da5546c1d4005e13ef363a1bcb86269

Isolate the affected machine from the network. Use Windows Defender to perform a full scan and remove the quarantined file. Investigate for persistence mechanisms and monitor for subsequent alerts or unusual outbound network traffic.