Severity: high | Status: closed | Verdict: suspicious

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

YARA Detection on Disk - Macos_Infostealer_Wallets_8e469ea0 high
Rule: general.YARA Detection on Disk
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: YARA_DETECTION
Confidence: 95% · Verdict: suspicious
Event Data:
FILE_PATH:
C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.59\msedge.dll
RULE_NAME:
Macos_Infostealer_Wallets_8e469ea0
IOCs: {'type': 'file_path', 'value': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\146.0.3856.59\\msedge.dll'} {'type': 'rule_name', 'value': 'Macos_Infostealer_Wallets_8e469ea0'}
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "YARA Detection on Disk - Macos_Infostealer_Wallets_8e469ea0",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\146.0.3856.59\\msedge.dll",
      "RULE_NAME": "Macos_Infostealer_Wallets_8e469ea0"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "3c726628-5cb7-43a8-9638-c533d17dc05e",
      "event_time": 1773676110521,
      "event_type": "YARA_DETECTION",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 66357,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory"
      ],
      "this": "c866015e3012e3ee2784a7aa69b8264e"
    }
  },
  "detect_id": "797d2e08-3833-49f4-81fd-bfb669b82690",
  "gen_time": 1773676176878,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1773676110\u0026selected=c866015e3012e3ee2784a7aa69b8264e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "3c726628-5cb7-43a8-9638-c533d17dc05e",
    "event_time": 1773676110521,
    "event_type": "YARA_DETECTION",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 66357,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory"
    ],
    "this": "c866015e3012e3ee2784a7aa69b8264e"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.YARA Detection on Disk",
  "ts": 1773676176000
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "The YARA rule targets macOS infostealers but is incorrectly flagging a legitimate Windows DLL file in its expected installation directory.",
  "investigation_questions": [
    "Is there a legitimate reason for this YARA rule to detect Windows files?",
    "Has Microsoft Edge been updated recently with suspicious changes?"
  ],
  "ioc_analysis": "The FILE_PATH C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\146.0.3856.59\\msedge.dll is a legitimate Microsoft Edge component located in the expected installation directory. The YARA rule Macos_Infostealer_Wallets_8e469ea0 appears to be misconfigured for Windows environments, as it targets macOS infostealers but is detecting a Windows DLL file.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\146.0.3856.59\\msedge.dll"
    },
    {
      "type": "rule_name",
      "value": "Macos_Infostealer_Wallets_8e469ea0"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models disagree or one model failed",
    "Verify the YARA rule is not misconfigured for Windows environments",
    "Confirm Microsoft Edge file signatures and hashes match known-good binaries",
    "Monitor for actual infostealer behavior rather than static file detection"
  ],
  "risk_score": 10,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a Gemini Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 Qwen Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flags a legitimate Microsoft Edge DLL file in its expected Program Files directory, which is a common false positive for YARA rules targeting infostealers. The process path and file type are consistent with known Windows system software.\n\n**IOC Analysis:** The FILE_PATH C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\146.0.3856.59\\msedge.dll is a legitimate Microsoft Edge component located in the expected installation directory. The YARA rule Macos_Infostealer_Wallets_8e469ea0 appears to be misconfigured for Windows environments, as it targets macOS infostealers but is detecting a Windows DLL file.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)"
    ],
    "votes": [],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Manual analyst review required — AI models disagree or one model failed | executed | General Activity Sweep: 0 events found
recommended | Verify the YARA rule is not misconfigured for Windows environments | executed | General Activity Sweep: 0 events found
recommended | Confirm Microsoft Edge file signatures and hashes match known-good binaries | executed | File Activity Investigation: 0 events found
recommended | Monitor for actual infostealer behavior rather than static file detection | executed | File Activity Investigation: 0 events found

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-16T15:56
🤖 FusionSOC AI 2026-03-16T15:56
🤖 FusionSOC AI 2026-03-16T15:56
🤖 FusionSOC AI 2026-03-16T15:56
🤖 FusionSOC AI 2026-03-16T15:56

📜 Timeline

2026-03-18T01:33:40
analyst
Status changed: triaging → closed
2026-03-18T01:33:35
analyst
Analyst classified as False Positive (FP)
2026-03-16T15:56:59
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-16T15:56:59
FusionSOC AI
Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Monitor for actual infostealer behavior rather than static file detection *...
2026-03-16T15:56:59
FusionSOC
Response action queued: recommended on Monitor for actual infostealer behavior rather than static file detection
2026-03-16T15:56:59
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-16T15:56:59
FusionSOC AI
Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Confirm Microsoft Edge file signatures and hashes match known-good binaries...
2026-03-16T15:56:56
FusionSOC
Response action queued: recommended on Confirm Microsoft Edge file signatures and hashes match known-good binaries
2026-03-16T15:56:56
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-16T15:56:56
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Verify the YARA rule is not misconfigured for Windows environments **Sensor:** `...
2026-03-16T15:56:56
FusionSOC
Response action queued: recommended on Verify the YARA rule is not misconfigured for Windows environments
2026-03-16T15:56:56
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-16T15:56:56
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models disagree or one model failed **Sensor...
2026-03-16T15:56:56
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models disagree or one model failed
2026-03-16T15:56:56
FusionSOC
Action tag → executed: Tag applied
2026-03-16T15:56:55
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-16T15:56:55
FusionSOC AI
Detection 797d2e08-3833-49f4-81fd-bfb669b82690 triaged as suspicious (high severity, confidence: 95%)
2026-03-16T15:56:55
FusionSOC AI
Case created from detection: general.YARA Detection on Disk