AI Triage

Accelerate and elevate malware and file analysis with Stairwell’s AI-powered synthesis of intelligence, not just a summary of public data.

Overview

AI Triage performs analysis on uploaded files to determine their potential maliciousness.
Each analysis includes structured scoring, similarity assessments, and a synthesized summary based on the underlying model outputs.


Analysis Pipeline

1. File Ingestion and Parsing

When a file is submitted, AI Triage performs independent binary analysis.
It extracts and normalizes key features such as:

  • File sections and entropy
  • Imports and exports
  • Strings and embedded resources
  • Behavioral indicators (where available)

Note: No external verdicts or third-party datasets are used during this phase.

All analysis is performed using Stairwell’s internal tooling and models.


2. High-Signal Feature Extraction

Not all file attributes are equally valuable for detection.
AI Triage isolates high-signal indicators — those with the greatest predictive and analytical value — and assigns weights to each based on model importance.

This approach reduces noise and false positives while maintaining analytic transparency.


Tip: Analysts can focus on top-weighted features to quickly understand which aspects of the file contributed most to the verdict.


3. Machine Learning & Behavioral Models

AI Triage applies neural-network models (Mal-Eval) to evaluate extracted features and detect behavioral patterns.
These models identify relationships between the sample and known malware families or previously analyzed files, even when file hashes or signatures differ.


4. Variant and Prevalence Correlation

After scoring, AI Triage correlates results with prevalence data to determine how common or unique the file is within Stairwell’s datasets.

  • variant_similarity: Degree of similarity to known variants
  • customer_prevalence: Whether this sample or close variants have appeared in your environment
  • global_prevalence: Whether the sample has been seen elsewhere across Stairwell’s corpus

5. YARA and Threat Intelligence Integration

Each file is checked against Stairwell’s curated YARA rules and internal threat intelligence.
Matches provide additional evidence for classification and explainability.


Note: These YARA rules are derived from active investigations and internal research.

Rule names and triggers are displayed in the results where available.


6. LLM-Based Summary Generation

After analysis and correlation, AI Triage uses a large language model to produce a structured natural-language summary of the findings.
This synthesis step converts raw model outputs into a concise, human-readable assessment.


Note: The summary is derived directly from Stairwell’s proprietary telemetry and model results.

It does not include or reference external OSINT sources.


Result Example

TL;DR: This file appears to be a tampered version of the legitimate SolarWinds Orion Business Layer module (OrionImprovementBusinessLayer.dll), exhibiting hallmarks of the SUNBURST malware used in the 2020 SolarWinds supply chain compromise. Analysis indicates characteristics consistent with backdoor functionality, advanced evasion, and long-term persistence across networked environments.

MALICIOUS_LIKELIHOOD: 95%

CONFIDENCE: 85%

THREAT TYPE: Supply Chain Attack / Remote Access Trojan (RAT)

IOCs

  • File Name: SolarWinds.Orion.Core.BusinessLayer.dll (version 2019.4.5200.9083)
  • Certificate: Signed with Symantec certificate used in SUNBURST campaign

Strings:

  • FNV1A hashing with XOR – unique SUNBURST marker
  • Encoded C2 communications
  • Fake variable names to mislead analysts

Behavioral Indicators:

  • Scheduled discovery and network reconnaissance
  • Credential access and management routines
  • Anti-analysis mechanisms and evasion routines

Persistence Mechanisms:

  • Scheduled tasks and registry modifications
  • Dormancy techniques for delayed execution

Details

This file includes embedded logic intended for covert operation within enterprise environments:

  • Masquerading: Appears as legitimate Orion DLL with valid business logic
  • Remote Control: Enables remote access and data exfiltration over stealthy C2 channels
  • Credential Access: Steals credentials for lateral movement
  • Persistence: Survives reboots and updates via task scheduling and registry persistence
  • Evasion: Employs techniques like fake variable naming and encoded communication to evade detection

Key Considerations

  • High Sophistication: Aligns with SUNBURST’s known TTPs and tooling
  • Threat Actor: Attributed to UNC2452 / Nobelium (APT29)
  • Impact: Long-term network compromise and espionage
  • Low Detection: Blended within legitimate update infrastructure

Best Practices

  • Treat AI Triage verdicts as structured intelligence, not as final decisions — especially for low-confidence scores.
  • Combine AI Triage results with manual triage or other Stairwell modules for full context.
  • Use the API to feed AI Triage results into internal tooling or SOAR workflows programmatically.
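The scored fields in the Result Example above (MALICIOUS_LIKELIHOOD, CONFIDENCE, THREAT TYPE) are what a SOAR playbook would consume, and the first best practice says low-confidence verdicts must not be treated as final. As an added example, not Stairwell's code or API, the following parses a result in the plain-text shape shown above (an assumption; the real API format is not documented on this page) and applies an assumed routing policy that sends low-confidence verdicts to an analyst and uses customer_prevalence to decide whether a confident malicious verdict is an incident or just detection enrichment:

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of this page's Result Example (not real API output).
SAMPLE_RESULT = """TL;DR: This file appears to be a tampered version of a legitimate module.

MALICIOUS_LIKELIHOOD: 95%

CONFIDENCE: 85%

THREAT TYPE: Supply Chain Attack / Remote Access Trojan (RAT)
"""

REQUIRED = ("TL;DR", "MALICIOUS_LIKELIHOOD", "CONFIDENCE", "THREAT TYPE")
_FIELD_RE = re.compile(r"^(TL;DR|MALICIOUS_LIKELIHOOD|CONFIDENCE|THREAT TYPE):[ \t]*(.+?)[ \t]*$", re.M)

@dataclass
class TriageVerdict:
    tldr: str
    malicious_likelihood: int  # percent, 0-100
    confidence: int            # percent, 0-100
    threat_type: str

def _pct(raw: str) -> int:
    """Parse '95%' into 95, rejecting anything outside 0-100."""
    m = re.fullmatch(r"(\d{1,3})\s*%", raw.strip())
    if not m or int(m.group(1)) > 100:
        raise ValueError(f"bad percentage: {raw!r}")
    return int(m.group(1))

def parse_verdict(text: str) -> TriageVerdict:
    """Extract the scored fields; a result missing any of them is rejected, not guessed."""
    fields = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(text)}
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError(f"result missing fields: {missing}")
    return TriageVerdict(fields["TL;DR"], _pct(fields["MALICIOUS_LIKELIHOOD"]),
                         _pct(fields["CONFIDENCE"]), fields["THREAT TYPE"])

def route(v: TriageVerdict, customer_prevalence: bool,
          min_confidence: int = 70, high_likelihood: int = 80) -> str:
    """Assumed policy (thresholds are illustrative): low confidence always goes to an analyst;
    a confident, high-likelihood verdict escalates only if the file or a close variant was seen
    in our own environment, otherwise it feeds detection enrichment."""
    if v.confidence < min_confidence:
        return "analyst_review"
    if v.malicious_likelihood >= high_likelihood:
        return "incident_escalation" if customer_prevalence else "detection_enrichment"
    return "monitor"
```

The thresholds and route names are placeholders to be replaced by your own playbook's values; the point is that confidence gates automation before likelihood does.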

Summary

AI Triage provides automated, explainable analysis for suspicious files using Stairwell’s proprietary detection stack.
It exposes structured results, similarity metrics, and synthesized explanations that enable analysts to make informed triage decisions efficiently and consistently.