title: ZxShell Malware id: f0b70adb-0075-43b0-9745-e82a1c608fcc description: Detects a ZxShell start by the called and well-known function name author: Florian Roth date: 2017/07/20 references: - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 tags: - attack.g0001 - attack.execution - attack.t1059 - attack.defense_evasion - attack.t1085 - attack.t1218.011 logsource: category: process_creation product: windows detection: selection: CommandLine|contains: - 'rundll32.exe *,zxFunction*' - 'rundll32.exe *,RemoteDiskXXXXX' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Unlikely level: critical