low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

YARA Detection on Disk - Macos_Infostealer_Wallets_8e469ea0 low
Rule: general.YARA Detection on Disk
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: YARA_DETECTION
Confidence: 92% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\145.0.3800.97\msedge.dll
RULE_NAME:
Macos_Infostealer_Wallets_8e469ea0
IOCs: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\145.0.3800.97\msedge.dll Rule: Macos_Infostealer_Wallets_8e469ea0
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "YARA Detection on Disk - Macos_Infostealer_Wallets_8e469ea0",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\msedge.dll",
      "RULE_NAME": "Macos_Infostealer_Wallets_8e469ea0"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "75567534-a248-4bfa-a0fd-c8ecf0c4b7f4",
      "event_time": 1774295551305,
      "event_type": "YARA_DETECTION",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -771,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory"
      ],
      "this": "a2289de8c13d48d60eccded169c199ff"
    }
  },
  "detect_id": "92a95d6e-a51a-47ac-97bf-461269c199fe",
  "gen_time": 1774295550533,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774295551\u0026selected=a2289de8c13d48d60eccded169c199ff",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "75567534-a248-4bfa-a0fd-c8ecf0c4b7f4",
    "event_time": 1774295551305,
    "event_type": "YARA_DETECTION",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -771,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory"
    ],
    "this": "a2289de8c13d48d60eccded169c199ff"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.YARA Detection on Disk",
  "ts": 1774295550000
}
🤖 Triage JSON
{
  "confidence": 0.925,
  "false_positive_reason": "The file is a legitimate Microsoft Edge WebView2 component located in its expected Program Files directory, and the YARA rule appears to be incorrectly flagging standard Windows system binaries.",
  "investigation_questions": [
    "Has this detection occurred before on other hosts?",
    "Is there a recent update or deployment of Microsoft Edge WebView2?"
  ],
  "ioc_analysis": "The file path C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\msedge.dll is a standard location for Microsoft Edge WebView2 components. The process tree shows no suspicious parent processes or command line arguments, and the file resides in an expected directory structure for legitimate software.",
  "iocs_extracted": [
    "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\msedge.dll",
    "Rule: Macos_Infostealer_Wallets_8e469ea0"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Verify the file hash against Microsoft\u0027s official repository",
    "Check if the YARA rule signature matches known legitimate Edge binaries",
    "Review rule configuration to ensure it does not flag standard Windows system files"
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flags a legitimate Microsoft Edge WebView2 DLL file located in its expected Program Files directory. The YARA rule appears to be misconfigured or targeting incorrect signatures for this known-good Windows component.\n\n**IOC Analysis:** The file path C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\msedge.dll is a standard location for Microsoft Edge WebView2 components. The process tree shows no suspicious parent processes or command line arguments, and the file resides in an expected directory structure for legitimate software.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection is likely a false positive as the file path corresponds to a legitimate Microsoft Edge WebView component, which is expected to be located in this directory. Historical analyst feedback confirms false positives for this rule.\n\n**IOC Analysis:** The IOC FILE_PATH is located in C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\, which is a known legitimate directory for Microsoft Edge components. No malicious indicators like hashes or signatures were provided, and the rule has a history of false positives.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Whitelist the YARA rule Macos_Infostealer_Wallets_8e469ea0 for Windows-based sensors. | executed | General Activity Sweep: 0 events found
recommended | No further action required for this host. | executed | General Activity Sweep: 0 events found
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Verify the file hash against Microsoft's official repository | executed | File Activity Investigation: 0 events found
recommended | Check if the YARA rule signature matches known legitimate Edge binaries | executed | General Activity Sweep: 0 events found
recommended | Review rule configuration to ensure it does not flag standard Windows system files | executed | File Activity Investigation: 0 events found

๐Ÿ“ Add Note

💬 Notes (8)

🤖 FusionSOC AI 2026-03-24T14:23
🤖 FusionSOC AI 2026-03-24T14:23
🤖 FusionSOC AI 2026-03-24T14:23
🤖 FusionSOC AI 2026-03-24T14:23
🤖 FusionSOC AI 2026-03-24T14:20
🤖 FusionSOC AI 2026-03-24T14:20
🤖 FusionSOC AI 2026-03-24T14:20
🤖 FusionSOC AI 2026-03-24T14:20

📜 Timeline

2026-03-24T15:05:54
analyst
Status changed: investigating → closed
2026-03-24T15:05:51
analyst
Analyst classified as False Positive (FP)
2026-03-24T14:23:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:23:27
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-24T14:23:27
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” File Activity Investigation **Action:** Review rule configuration to ensure it does not flag standard Windows syste...
2026-03-24T14:23:27
FusionSOC
Response action queued: recommended on Review rule configuration to ensure it does not flag standard Windows system files
2026-03-24T14:23:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:23:27
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:23:27
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Check if the YARA rule signature matches known legitimate Edge binaries **Sensor...
2026-03-24T14:23:27
FusionSOC
Response action queued: recommended on Check if the YARA rule signature matches known legitimate Edge binaries
2026-03-24T14:23:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:23:27
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-24T14:23:27
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” File Activity Investigation **Action:** Verify the file hash against Microsoft's official repository **Sensor:** `8...
2026-03-24T14:23:25
FusionSOC
Response action queued: recommended on Verify the file hash against Microsoft's official repository
2026-03-24T14:23:25
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:23:25
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:23:25
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:23:25
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:23:25
FusionSOC
Action tag → executed: Tag applied
2026-03-24T14:23:25
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:20:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:20:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:20:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** No further action required for this host. **Sensor:** `8f3a47be-5629-4c...` **Ti...
2026-03-24T14:20:10
FusionSOC
Response action queued: recommended on No further action required for this host.
2026-03-24T14:20:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:20:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:20:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Whitelist the YARA rule Macos_Infostealer_Wallets_8e469ea0 for Windows-based sen...
2026-03-24T14:20:10
FusionSOC
Response action queued: recommended on Whitelist the YARA rule Macos_Infostealer_Wallets_8e469ea0 for Windows-based sensors.
2026-03-24T14:20:10
FusionSOC AI
Status changed: open → investigating
2026-03-24T14:20:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:20:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:20:10
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:20:10
FusionSOC
Action tag → executed: Tag applied
2026-03-24T14:20:10
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:20:09
FusionSOC AI
Detection 92a95d6e-a51a-47ac-97bf-461269c199fe triaged as false_positive (low severity, confidence: 94%)
2026-03-24T14:20:09
FusionSOC AI
Case created from detection: general.YARA Detection on Disk