$ analyze-threat VirTool:Win64/Godosesz.A!MTB
VirTool:Win64/Godosesz.A!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: VirTool:Win64/Godosesz.A!MTB
Classification:
Type: VirTool
Platform: Win64
Family: Godosesz
Detection Type: Concrete
Known malware family with identified signatures
Variant: A
Specific signature variant within the malware family
Suffix: !MTB
Signature attributed to Microsoft's machine-learning and behavioral analysis pipeline
Detection Method: Static (PEHSTR string signature in the VDM; see "VDM Static Detection" below)
Confidence: Very High
False-Positive Risk: Low (the rule requires all 13 strings to be present in one file)

Concrete signature match: VirTool (tool used to create or modify malware), platform Win64 (64-bit Windows), family Godosesz.

Summary:

VirTool:Win64/Godosesz.A!MTB is a Windows Defender detection for a 64-bit Windows binary matched by the static PEHSTR string signature listed below. The strings point to a Go-compiled program (net/http.persistConnWriter.Write is a Go standard-library symbol) with screen capture (CaptureScreen), clipboard access (GetClipboard), file transfer (ChannelFileSend), named-pipe and SOCKS proxy functionality (namedpipe, .socksauthmethod) and an HTTP client with configurable user agent and cookies. Together these are the capability set of a remote access tool that collects data from the host and maintains command-and-control communications; the known sample is named zetarat.exe, consistent with a RAT.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - domain (PEHSTR)
 - ).Hostname (PEHSTR)
 - .Cookies (PEHSTR)
 - .socksauthmethod (PEHSTR)
 - useragent (PEHSTR)
 - CaptureScreen (PEHSTR)
 - GetClipboard (PEHSTR)
 - namedpipe (PEHSTR)
 - net/http.persistConnWriter.Write (PEHSTR)
 - ChannelFileSend (PEHSTR)
 - addConn (PEHSTR)
YARA Rule:
rule VirTool_Win64_Godosesz_A_2147904476_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Win64/Godosesz.A!MTB"
        threat_id = "2147904476"
        type = "VirTool"
        platform = "Win64: Windows 64-bit platform"
        family = "Godosesz"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "13"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "domain" ascii //weight: 1
        $x_1_2 = ").Hostname" ascii //weight: 1
        $x_1_3 = ".Cookies" ascii //weight: 1
        $x_1_4 = "SetSessionTicket" ascii //weight: 1
        $x_1_5 = ".socksauthmethod" ascii //weight: 1
        $x_1_6 = "useragent" ascii //weight: 1
        $x_1_7 = "shutdown" ascii //weight: 1
        $x_1_8 = "CaptureScreen" ascii //weight: 1
        $x_1_9 = "GetClipboard" ascii //weight: 1
        $x_1_10 = "namedpipe" ascii //weight: 1
        $x_1_11 = "net/http.persistConnWriter.Write" ascii //weight: 1
        $x_1_12 = "ChannelFileSend" ascii //weight: 1
        $x_1_13 = "addConn" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
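To see what the PEHSTR metadata above (13 weight-1 strings, threshold 13, a 20 MB size guard) actually does, here is an added example in Python. It is not code from threatcheck.sh or from Microsoft's engine: it scores a byte buffer the way the rule's metadata describes, adding up the weights of the strings found and comparing the sum with the threshold, which for this rule is exactly the YARA `all of ($x*)`. It goes slightly beyond the rule by accepting unequal weights and lower thresholds, which `all of` cannot express, and by reporting which strings a near-miss lacks, useful when hunting a variant with a few renamed functions. The byte strings `FAKE_RAT`, `FAKE_GO_CLIENT` and `FAKE_VARIANT` are constructed stand-ins for Go symbol tables, not real samples, and `near_miss` and `scan_file` are names chosen here.

```python
"""Weighted string scoring as described by the PEHSTR metadata above.

Added example (not threatcheck.sh or Microsoft code). The strings, weights,
threshold and size guard are copied from the YARA rule for
VirTool:Win64/Godosesz.A!MTB; everything else is illustrative.
"""
from dataclasses import dataclass, field
import hashlib
from typing import List, Optional, Sequence, Tuple

# Strings and weights from the rule above. All weights are 1 and the
# threshold equals their sum, which is why the YARA translation can use
# `all of ($x*)`; the scorer below also handles unequal weights.
GODOSESZ_STRINGS: List[Tuple[bytes, int]] = [
    (b"domain", 1), (b").Hostname", 1), (b".Cookies", 1),
    (b"SetSessionTicket", 1), (b".socksauthmethod", 1), (b"useragent", 1),
    (b"shutdown", 1), (b"CaptureScreen", 1), (b"GetClipboard", 1),
    (b"namedpipe", 1), (b"net/http.persistConnWriter.Write", 1),
    (b"ChannelFileSend", 1), (b"addConn", 1),
]
GODOSESZ_THRESHOLD = 13
MAX_FILESIZE = 20 * 1024 * 1024  # YARA "filesize < 20MB" (MB is 1024*1024)
KNOWN_SHA256 = "a103d477621b4e43d13e601ba6a0390b9d95671c792f981c32b0cfffec39d878"


@dataclass
class ScanResult:
    matched: bool
    score: int
    threshold: int
    hits: List[bytes] = field(default_factory=list)
    misses: List[bytes] = field(default_factory=list)
    note: Optional[str] = None


def score_pehstr(data: bytes,
                 strings: Sequence[Tuple[bytes, int]] = GODOSESZ_STRINGS,
                 threshold: int = GODOSESZ_THRESHOLD,
                 max_size: int = MAX_FILESIZE) -> ScanResult:
    """Sum the weights of the strings present in `data`; match if the sum
    reaches `threshold`. Like the YARA rule, strings are plain ASCII
    substrings matched anywhere in the file, so no PE parsing is needed."""
    if len(data) >= max_size:
        return ScanResult(False, 0, threshold, [], [s for s, _ in strings],
                          note="skipped: filesize >= 20MB, outside the rule's scope")
    result = ScanResult(False, 0, threshold)
    for pattern, weight in strings:
        if pattern in data:
            result.hits.append(pattern)
            result.score += weight
        else:
            result.misses.append(pattern)
    result.matched = result.score >= threshold
    return result


def near_miss(result: ScanResult, slack: int = 2) -> bool:
    """Hunting helper (added here): true for files that fall short of the
    threshold by at most `slack` weight, e.g. a variant with one or two
    renamed functions. `result.misses` lists the strings to look for."""
    return (not result.matched) and result.score >= result.threshold - slack


def scan_file(path: str) -> Tuple[str, ScanResult]:
    """Hash a file and score it; compare the hash against KNOWN_SHA256."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.sha256(data).hexdigest(), score_pehstr(data)


# Constructed stand-ins for Go symbol tables; these are not real samples.
# A RAT-like binary exposing every string the rule needs:
FAKE_RAT = b"\x00".join([
    b"main.(*Agent).CaptureScreen", b"main.(*Agent).GetClipboard",
    b"main.ChannelFileSend", b"main.addConn", b"namedpipe",
    b"net/http.persistConnWriter.Write",
    b"crypto/tls.(*Config).SetSessionTicketKeys",
    b"net/url.(*URL).Hostname", b"net/http/cookiejar.(*Jar).Cookies",
    b".socksauthmethod", b"useragent", b"domain", b"shutdown",
])
# A plain Go HTTP client: shares the generic Go/HTTP strings but has none of
# the screen, clipboard, file-transfer, pipe or SOCKS strings.
FAKE_GO_CLIENT = b"\x00".join([
    b"net/http.persistConnWriter.Write", b"net/url.(*URL).Hostname",
    b"net/http/cookiejar.(*Jar).Cookies",
    b"crypto/tls.(*Config).SetSessionTicketKeys",
    b"main.addConn", b"useragent", b"domain", b"shutdown",
])
# A hypothetical variant with two functions renamed: drops below threshold.
FAKE_VARIANT = (FAKE_RAT.replace(b"CaptureScreen", b"Screenshot")
                        .replace(b"namedpipe", b"pipe"))


if __name__ == "__main__":
    for name, blob in [("rat", FAKE_RAT), ("client", FAKE_GO_CLIENT),
                       ("variant", FAKE_VARIANT)]:
        r = score_pehstr(blob)
        print(f"{name:8} score={r.score}/{r.threshold} matched={r.matched} "
              f"near_miss={near_miss(r)} missing={[m.decode() for m in r.misses]}")
```

Running it shows why the rule's false-positive risk is low despite generic strings such as "domain" and "shutdown": the constructed Go HTTP client hits 8 of 13 strings (note that "SetSessionTicket" is matched by the standard crypto/tls method name SetSessionTicketKeys) and never reaches the threshold, while the renamed variant scores 11 and is surfaced only by `near_miss`, together with the two strings it lacks.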
Known sample associated with this threat:
Filename: zetarat.exe
SHA-256: a103d477621b4e43d13e601ba6a0390b9d95671c792f981c32b0cfffec39d878
Date: 10/12/2025
Remediation Steps:
Immediately isolate the infected system from the network. Perform a full system scan with updated antivirus software, preferably in safe mode, to remove all detected components. Because the signature strings point to screen capture, clipboard theft, file transfer and SOCKS proxying, investigate for exfiltrated data, stolen credentials and use of the host as a pivot for lateral movement, and verify any suspect binary against the SHA-256 listed above.
=== END REPORT ===
Analysis last updated: 10/12/2025