Concrete signature match: Backdoor:MSIL/Bladabindi.AMBE!MTB. Type: Backdoor (provides unauthorized remote access). Platform: MSIL (.NET Microsoft Intermediate Language). Family: Bladabindi.
This detection identifies a backdoor from the Bladabindi family, Microsoft's name for njRAT, a .NET-based Remote Access Trojan (RAT). The malware gives an attacker remote control over the infected system, enabling data theft, keystroke logging, and remote command execution. The '!MTB' suffix is Microsoft's MTB classification (expanded in the rule metadata below as "Microsoft Threat Behavior"). Note that, whatever process produced it, the signature as published here is a static byte-pattern rule (SIGNATURE_TYPE_PEHSTR_EXT) built from a single 19-byte CIL instruction sequence, so it can be applied with ordinary YARA or any wildcard byte matcher.
No printable strings are listed for this detection; the rule relies on one hex byte pattern with wildcards.
rule Backdoor_MSIL_Bladabindi_AMBE_2147902976_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/Bladabindi.AMBE!MTB"
        threat_id = "2147902976"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Bladabindi"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        // CIL opcodes: ldloc.1, ldloc.s V_9, ldloc.s V_8, rem, ldc.i4.1,
        // callvirt <MemberRef 0x0A0000??>, callvirt <MemberRef 0x0A0000??>,
        // ldc.i4.0, ldelem.u2. The rem between two locals followed by a
        // char fetch is consistent with indexing a key by (i % length),
        // a common string/payload decoder idiom. The ?? bytes are the low
        // byte of each MemberRef token, which changes between builds.
        $x_2_1 = {07 11 09 11 08 5d 17 6f ?? 00 00 0a 6f ?? 00 00 0a 16 93} //weight: 2, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated file hash (SHA-256): 2c1c1e5c6028ca269261ec084975bb58a0a4f6b3e72bd377f6cce0b961b2e5f2

Isolate the affected machine from the network immediately to prevent lateral movement. Use the endpoint antivirus to quarantine and remove the detected file. Investigate the system for signs of further compromise, such as persistence mechanisms and additional payloads, and rotate all credentials that were used on or stored by the machine.
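The following is an added example, not code from threatcheck.sh or Microsoft. It re-implements the rule's logic in plain Python: the wildcard hex string is compiled into a byte regex, the filesize bound and the "all of ($x*)" condition are applied, and the weighted score is compared with the rule's threshold. It also pulls the two callvirt metadata tokens out of a hit, which is the part of the sequence the ?? wildcards leave variable. The sample buffers are constructed for the demo and the bytes filling the wildcard slots (0x1b, 0x2e) are arbitrary.

```python
"""Re-implementation of the Backdoor_MSIL_Bladabindi_AMBE rule logic.

Added example, not code from threatcheck.sh or Microsoft. Compiles the
rule's wildcard hex string to a bytes regex, applies the filesize bound
and the 'all of ($x*)' condition, and reports the weighted score against
the rule's threshold. Sample buffers below are constructed; the bytes in
the ?? positions (low byte of each MemberRef token) are arbitrary.
"""
import re

MAX_FILESIZE = 20 * 1024 * 1024   # condition: filesize < 20MB
THRESHOLD = 2                     # meta: threshold = "2"

# name -> (hex string exactly as written in the rule, weight)
PATTERNS = {
    "$x_2_1": ("07 11 09 11 08 5d 17 6f ?? 00 00 0a 6f ?? 00 00 0a 16 93", 2),
}


def hex_to_regex(hex_string):
    """Turn a YARA-style hex string with ?? wildcards into a compiled bytes regex."""
    parts = []
    for tok in hex_string.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data):
    """Return (matched, score, hits); each hit is (name, offset, matched_bytes).

    'matched' mirrors the rule: filesize < 20MB and every $x* string present.
    The score is the sum of the weights of the strings that matched.
    """
    if len(data) >= MAX_FILESIZE:
        return False, 0, []
    hits, score = [], 0
    for name, (hex_string, weight) in PATTERNS.items():
        found = [(name, m.start(), m.group())
                 for m in hex_to_regex(hex_string).finditer(data)]
        if found:
            hits.extend(found)
            score += weight          # a string counts once, however often it occurs
    matched = score >= THRESHOLD and len({h[0] for h in hits}) == len(PATTERNS)
    return matched, score, hits


def callvirt_tokens(match_bytes):
    """Return the two metadata tokens carried by the 6f ?? 00 00 0a (callvirt) operands.

    Tokens are little-endian; table id 0x0A marks a MemberRef. Offsets 8..11
    and 13..16 are fixed by the pattern layout.
    """
    return (int.from_bytes(match_bytes[8:12], "little"),
            int.from_bytes(match_bytes[13:17], "little"))


# Constructed sample: padding, then the signature bytes with 0x1b and 0x2e in the
# wildcard slots, then more padding. Not taken from any real binary.
SAMPLE_HIT = (b"\x00" * 32
              + bytes.fromhex("07110911085d176f1b00000a6f2e00000a1693")
              + b"\x2a" * 16)
# Constructed clean buffer: every byte value, but never 07 followed by 11.
SAMPLE_CLEAN = bytes(range(256)) * 4

if __name__ == "__main__":
    matched, score, hits = scan(SAMPLE_HIT)
    print("hit sample  : matched", matched, "score", score)
    for name, off, raw in hits:
        tokens = [hex(t) for t in callvirt_tokens(raw)]
        print(f"  {name} @ 0x{off:x}: {raw.hex()} callvirt tokens {tokens}")
    print("clean sample: matched", scan(SAMPLE_CLEAN)[0])
```

Because the score is computed separately from the match verdict, the same scaffold can hold several weighted strings from related rules and show which ones carried a detection over its threshold; the token extraction gives a quick pivot (which two MemberRefs the decoder calls) when comparing hits across samples.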