Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family XWormRAT
This threat is a specific variant (J) of the XWormRAT family, identified as a backdoor using machine learning behavioral analysis (!MTB). XWormRAT is a sophisticated Remote Access Trojan (RAT) designed to provide attackers with unauthorized remote access and full control over the compromised system, enabling data theft, surveillance, and further malicious activities.
No specific strings found for this threat
rule Backdoor_MSIL_XWormRAT_J_2147904895_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/XWormRAT.J!MTB"
        threat_id = "2147904895"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "XWormRAT"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {04 20 e8 03 00 00 d8 28} //weight: 2, accuracy: High
        $x_2_2 = {0a 0b 07 14 73 ?? ?? ?? 0a 20 10 27 00 00 20 98 3a 00 00 6f} //weight: 2, accuracy: Low
        $x_2_3 = {07 6c 23 00 00 00 00 00 00 d0 41 5b 13 04 12 04 28} //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated hash (SHA-256): 7c622d72a82e616159a824854790e747afca0d3b4f596156bc1883f2ecf4ae90

Immediately isolate the infected system from the network. Perform a full system scan with Windows Defender to quarantine and remove the detected malware. Conduct a thorough forensic analysis to determine the extent of compromise, including potential data exfiltration or installation of additional malware, and reset all relevant user and administrative passwords.