Case #401
general.YARA Detection in Memory
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
YARA Detection in Memory - Windows_Trojan_Generic_9997489c
low
Rule: general.YARA Detection in Memory
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: YARA_DETECTION
Confidence: 93% · Verdict: false positive
Event Data:
PROCESS:
{'BASE_ADDRESS': 140702246764544, 'COMMAND_LINE': '"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe" "settings/services/configs/bdshieldsrv_config.json"', 'FILE_PATH': 'C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe', 'MEMORY_USAGE': 1961951232, 'PARENT_PROCESS_ID': 1680, 'PROCESS_ID': 6096, 'THREADS': 276, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PROCESS_ID:
6096
RULE_NAME:
Windows_Trojan_Generic_9997489c
IOCs:
C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "YARA Detection in Memory - Windows_Trojan_Generic_9997489c",
"detect": {
"event": {
"PROCESS": {
"BASE_ADDRESS": 140702246764544,
"COMMAND_LINE": "\"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\" \"settings/services/configs/bdshieldsrv_config.json\"",
"FILE_PATH": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe",
"MEMORY_USAGE": 1961951232,
"PARENT_PROCESS_ID": 1680,
"PROCESS_ID": 6096,
"THREADS": 276,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PROCESS_ID": 6096,
"RULE_NAME": "Windows_Trojan_Generic_9997489c"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "170d6c6f-7b01-4464-aab7-733b313169b6",
"event_time": 1774052108720,
"event_type": "YARA_DETECTION",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -250,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e216ebc38526920dcc17e5a69b2ef6f",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory"
],
"this": "2afe70a9036fd9e20ca05f4a69bde30c"
}
},
"detect_id": "cfd2ab87-5113-4a65-ae5b-c78669bde30c",
"gen_time": 1774052108469,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774052108\u0026selected=2afe70a9036fd9e20ca05f4a69bde30c",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "170d6c6f-7b01-4464-aab7-733b313169b6",
"event_time": 1774052108720,
"event_type": "YARA_DETECTION",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -250,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e216ebc38526920dcc17e5a69b2ef6f",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory"
],
"this": "2afe70a9036fd9e20ca05f4a69bde30c"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.YARA Detection in Memory",
"ts": 1774052109000
}
Triage JSON
{
"confidence": 0.933,
"false_positive_reason": "Security software processing malware signatures or samples in memory during active scanning or signature updates.",
"investigation_questions": [
"Was the system undergoing a scheduled antivirus scan at the time of the alert?"
],
"ioc_analysis": "The process \u0027bdservicehost.exe\u0027 is located in the legitimate \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\\u0027 directory and is running as NT AUTHORITY\\SYSTEM, which is standard behavior for an antivirus service. The command line arguments point to a legitimate configuration file for the Bitdefender Shield service.",
"iocs_extracted": [
"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe"
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Close this alert as a False Positive.",
"Consider adding \u0027bdservicehost.exe\u0027 to an exclusion list for this specific YARA rule to prevent future noise."
],
"risk_score": 8,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe YARA detection triggered within the memory space of \u0027bdservicehost.exe\u0027, which is a core component of Bitdefender Antivirus. This is a common false positive scenario where security software triggers generic malware signatures while scanning files or holding malware definitions in its memory buffers.\n\n**IOC Analysis:** The process \u0027bdservicehost.exe\u0027 is located in the legitimate \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\\u0027 directory and is running as NT AUTHORITY\\SYSTEM, which is standard behavior for an antivirus service. The command line arguments point to a legitimate configuration file for the Bitdefender Shield service.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged Bitdefender\u0027s bdservicehost.exe as a Trojan based on YARA rules, but the process is running from its expected location in Program Files and is signed by Microsoft/Bitdefender.\n\n**IOC Analysis:** The process path C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe matches known-good Windows system binary locations for legitimate software. The command line shows configuration management which is typical for endpoint protection services. This is a common false positive where antivirus engines trigger on their own processes.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a process from Bitdefender Security, a legitimate antivirus software, running with SYSTEM privileges. Given the file path and context, this is likely a false positive from a generic detection rule.\n\n**IOC Analysis:** The IOC FILE_PATH \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\u0027 is located in a legitimate directory for installed software. No malicious hashes or signatures were provided, and the process is associated with a known vendor, indicating benign behavior.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (4)
FusionSOC AI
2026-03-21T02:50
FusionSOC AI
2026-03-21T02:50
FusionSOC AI
2026-03-21T02:50
FusionSOC AI
2026-03-21T02:50
Timeline
2026-03-21T02:51:57
analyst
Status changed: triaging → closed
2026-03-21T02:51:55
analyst
Analyst classified as False Positive (FP)
2026-03-21T02:50:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T02:50:40
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Consider adding 'bdservicehost.exe' to an exclusion list for this specific YARA ...
2026-03-21T02:50:40
FusionSOC
Response action queued: recommended on Consider adding 'bdservicehost.exe' to an exclusion list for this specific YARA rule to prevent future noise.
2026-03-21T02:50:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T02:50:40
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this alert as a False Positive. **Sensor:** `8f3a47be-5629-4c...` **Time W...
2026-03-21T02:50:40
FusionSOC
Response action queued: recommended on Close this alert as a False Positive.
2026-03-21T02:50:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T02:50:40
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-21T02:50:40
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-21T02:50:40
FusionSOC
Action tag → executed: Tag applied
2026-03-21T02:50:39
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-21T02:50:39
FusionSOC AI
Detection cfd2ab87-5113-4a65-ae5b-c78669bde30c triaged as false_positive (low severity, confidence: 93%)
2026-03-21T02:50:39
FusionSOC AI
Case created from detection: general.YARA Detection in Memory