Case #413
general.YARA Detection in Memory
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
YARA Detection in Memory - Windows_Trojan_Generic_9997489c
informational
Rule: general.YARA Detection in Memory
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: YARA_DETECTION
Confidence: 92% · Verdict: false positive
Event Data:
PROCESS:
{'BASE_ADDRESS': 140702246764544, 'COMMAND_LINE': '"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe" "settings/services/configs/bdshieldsrv_config.json"', 'FILE_PATH': 'C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe', 'MEMORY_USAGE': 1966514176, 'PARENT_PROCESS_ID': 1680, 'PROCESS_ID': 6096, 'THREADS': 274, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PROCESS_ID:
6096
RULE_NAME:
Windows_Trojan_Generic_9997489c
IOCs:
{'type': 'process_path', 'value': 'C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe'}
{'type': 'rule_name', 'value': 'Windows_Trojan_Generic_9997489c'}
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "YARA Detection in Memory - Windows_Trojan_Generic_9997489c",
"detect": {
"event": {
"PROCESS": {
"BASE_ADDRESS": 140702246764544,
"COMMAND_LINE": "\"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\" \"settings/services/configs/bdshieldsrv_config.json\"",
"FILE_PATH": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe",
"MEMORY_USAGE": 1966514176,
"PARENT_PROCESS_ID": 1680,
"PROCESS_ID": 6096,
"THREADS": 274,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PROCESS_ID": 6096,
"RULE_NAME": "Windows_Trojan_Generic_9997489c"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "cb4be47a-e924-48b1-b04e-fccb9cbb52b8",
"event_time": 1774166301729,
"event_type": "YARA_DETECTION",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 191,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e216ebc38526920dcc17e5a69b2ef6f",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory"
],
"this": "13a5fd53f7187bdd24d1f6fa69bfa11d"
}
},
"detect_id": "6d6a2e52-d093-4729-af47-4b2b69bfa11d",
"gen_time": 1774166301920,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774166301\u0026selected=13a5fd53f7187bdd24d1f6fa69bfa11d",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "cb4be47a-e924-48b1-b04e-fccb9cbb52b8",
"event_time": 1774166301729,
"event_type": "YARA_DETECTION",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 191,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e216ebc38526920dcc17e5a69b2ef6f",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory"
],
"this": "13a5fd53f7187bdd24d1f6fa69bfa11d"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.YARA Detection in Memory",
"ts": 1774166301000
}
Triage JSON
{
"confidence": 0.925,
"false_positive_reason": "Legitimate antivirus software (Bitdefender) triggered a generic Trojan detection rule. The process is located in its expected directory and is from a known security vendor, making it benign.",
"investigation_questions": [
"Is Bitdefender installed on this system?",
"Has this process been running recently without user intervention?"
],
"ioc_analysis": "The process path C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe matches known-good Windows application locations, and the executable is from a reputable antivirus vendor. Generic Trojan rules often flag legitimate security software as malicious due to behavioral patterns that mimic malware (e.g., memory usage, service spawning).",
"iocs_extracted": [
{
"type": "process_path",
"value": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe"
},
{
"type": "rule_name",
"value": "Windows_Trojan_Generic_9997489c"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Allow the process in future detections",
"Review and whitelist Bitdefender processes on this host",
"Suppress generic Trojan rules for known security vendor binaries"
],
"risk_score": 10,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged Bitdefender\u0027s bdservicehost.exe as a Trojan, but the process is running from its expected location in Program Files and is signed by a known vendor. This is a classic false positive where legitimate security software triggers generic malware rules.\n\n**IOC Analysis:** The process path C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe matches known-good Windows application locations, and the executable is from a reputable antivirus vendor. Generic Trojan rules often flag legitimate security software as malicious due to behavioral patterns that mimic malware (e.g., memory usage, service spawning).\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection is likely a false positive as the process is part of Bitdefender antivirus software, running with SYSTEM privileges, which is typical for legitimate security tools.\n\n**IOC Analysis:** The FILE_PATH is located in the Bitdefender installation directory, which is a legitimate software location. No malicious hashes or signatures are provided, and it aligns with common false positive scenarios for antivirus processes.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 13 events found |
| recommended | | executed | Process Tree Investigation: 13 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (5)
FusionSOC AI, 2026-03-22T23:41
FusionSOC AI, 2026-03-22T23:41
FusionSOC AI, 2026-03-22T23:41
FusionSOC AI, 2026-03-22T23:41
FusionSOC AI, 2026-03-22T23:41
Timeline
2026-03-23T01:43:36 analyst: Status changed: investigating → closed
2026-03-23T01:43:25 analyst: Analyst classified as False Positive (FP)
2026-03-22T23:41:36 FusionSOC AI: Status changed: investigating → investigating
2026-03-22T23:41:36 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-22T23:41:36 FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** Suppress generic Trojan rules for known security vendor binaries **Sensor:** `8f...
2026-03-22T23:41:36 FusionSOC: Response action queued: recommended on Suppress generic Trojan rules for known security vendor binaries
2026-03-22T23:41:36 FusionSOC AI: Status changed: investigating → investigating
2026-03-22T23:41:36 FusionSOC: Action recommended → executed: Process Tree Investigation: 13 events found
2026-03-22T23:41:36 FusionSOC AI: Note by FusionSOC AI: ## Process Tree Investigation **Action:** Review and whitelist Bitdefender processes on this host **Sensor:** `8f3a47b...
2026-03-22T23:41:35 FusionSOC: Response action queued: recommended on Review and whitelist Bitdefender processes on this host
2026-03-22T23:41:35 FusionSOC AI: Status changed: investigating → investigating
2026-03-22T23:41:35 FusionSOC: Action recommended → executed: Process Tree Investigation: 13 events found
2026-03-22T23:41:35 FusionSOC AI: Note by FusionSOC AI: ## Process Tree Investigation **Action:** Allow the process in future detections **Sensor:** `8f3a47be-5629-4c...` **T...
2026-03-22T23:41:34 FusionSOC: Response action queued: recommended on Allow the process in future detections
2026-03-22T23:41:34 FusionSOC AI: Status changed: open → investigating
2026-03-22T23:41:34 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-22T23:41:34 FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-22T23:41:33 FusionSOC: Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-22T23:41:33 FusionSOC: Action tag → executed: Tag applied
2026-03-22T23:41:33 FusionSOC: Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-22T23:41:33 FusionSOC AI: Detection 6d6a2e52-d093-4729-af47-4b2b69bfa11d triaged as false_positive (informational severity, confidence: 92%)
2026-03-22T23:41:33 FusionSOC AI: Case created from detection: general.YARA Detection in Memory