Backdoor:MSIL/XWormRAT.J!MTB - Windows Defender Threat Analysis

This threat is a specific variant (J) of the XWormRAT family, identified as a backdoor using machine learning behavioral analysis (!MTB). XWormRAT is a sophisticated Remote Access Trojan (RAT) designed to provide attackers with unauthorized remote access and full control over the compromised system, enabling data theft, surveillance, and further malicious activities.

No specific strings found for this threat

rule Backdoor_MSIL_XWormRAT_J_2147904895_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/XWormRAT.J!MTB"
        threat_id = "2147904895"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "XWormRAT"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {04 20 e8 03 00 00 d8 28}  //weight: 2, accuracy: High
        $x_2_2 = {0a 0b 07 14 73 ?? ?? ?? 0a 20 10 27 00 00 20 98 3a 00 00 6f}  //weight: 2, accuracy: Low
        $x_2_3 = {07 6c 23 00 00 00 00 00 00 d0 41 5b 13 04 12 04 28}  //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected system from the network. Perform a full system scan with Windows Defender to quarantine and remove the detected malware. Conduct a thorough forensic analysis to determine the extent of compromise, including potential data exfiltration or installation of additional malware, and reset all relevant user and administrative passwords.