Concrete signature match: Backdoor - Provides unauthorized remote access for 32-bit Windows platform, family Farfli
This threat is a backdoor from the Farfli (Gh0st RAT) malware family, detected by machine learning behavioral analysis. It is designed to grant a remote attacker unauthorized control over the infected system, allowing for data theft, remote command execution, and surveillance.
No specific strings found for this threat
rule Backdoor_Win32_Farfli_BH_2147686457_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Win32/Farfli.BH"
        threat_id = "2147686457"
        type = "Backdoor"
        platform = "Win32: Windows 32-bit platform"
        family = "Farfli"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {66 89 44 24 44 c6 44 24 39 65 c6 44 24 3c 79 c6 44 24 40 6d ff d5 8b 35} //weight: 1, accuracy: High
        $x_1_2 = {89 4c 24 24 88 54 24 28 c6 44 24 1c 47 c6 44 24 1f 55 c6 44 24 23 4e ff d5 50 ff d6} //weight: 1, accuracy: High
        $x_1_3 = {c6 44 24 2c 72 c6 44 24 2e 6f c6 44 24 2f 74 ff d3 56 ff 15} //weight: 1, accuracy: High
        $x_1_4 = {c6 44 24 11 4d c6 44 24 12 42 c6 44 24 14 30 c6 44 24 16 6d c6 44 24 17 62 0f 84 c3} //weight: 1, accuracy: High
        $x_1_5 = {c6 44 24 18 47 c6 44 24 1a 74 c6 44 24 1b 55 c6 44 24 1f 4e c6 44 24 21 6d ff d5} //weight: 1, accuracy: High
        $x_1_6 = {c6 44 24 54 47 c6 44 24 56 74 c6 44 24 57 56 c6 44 24 5b 6d c6 44 24 5d 49 c6 44 24 60 6f c6 44 24 64 74 ff d5} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}

Associated hashes:
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88

Remediation: Isolate the affected machine from the network immediately. Use Windows Defender to perform a full system scan and remove the detected threat. Investigate for persistence mechanisms and change all user credentials associated with the machine.
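Added example, not part of the threatcheck.sh page or of the rule itself: each hex pattern in the rule is a run of 32-bit x86 `mov byte ptr [esp+disp8], imm8` stores (opcode bytes C6 44 24 disp imm) that assemble a string on the stack one byte at a time, so the text never exists as a contiguous string in the file. The script below decodes every pattern into the characters and stack offsets the signature actually pins down, and checks a candidate name against that sparse layout; the API-name hypotheses it tests are the example's own inference, not something the page states.

```python
"""Decode the stack-string fragments the Farfli.BH signature keys on."""
import re

# Hex patterns copied from the rule on this page. The trailing bytes
# (ff d5 = call ebp, 0f 84 = jz, ...) follow the string build and are ignored.
PATTERNS = {
    "x_1_1": "66 89 44 24 44 c6 44 24 39 65 c6 44 24 3c 79 c6 44 24 40 6d ff d5 8b 35",
    "x_1_2": "89 4c 24 24 88 54 24 28 c6 44 24 1c 47 c6 44 24 1f 55 c6 44 24 23 4e ff d5 50 ff d6",
    "x_1_3": "c6 44 24 2c 72 c6 44 24 2e 6f c6 44 24 2f 74 ff d3 56 ff 15",
    "x_1_4": "c6 44 24 11 4d c6 44 24 12 42 c6 44 24 14 30 c6 44 24 16 6d c6 44 24 17 62 0f 84 c3",
    "x_1_5": "c6 44 24 18 47 c6 44 24 1a 74 c6 44 24 1b 55 c6 44 24 1f 4e c6 44 24 21 6d ff d5",
    "x_1_6": "c6 44 24 54 47 c6 44 24 56 74 c6 44 24 57 56 c6 44 24 5b 6d c6 44 24 5d 49 c6 44 24 60 6f c6 44 24 64 74 ff d5",
}

# C6 44 24 <disp8> <imm8> encodes `mov byte ptr [esp+disp8], imm8`
# (ModRM 0x44 = [base+disp8] with SIB, SIB 0x24 = base esp, no index).
STACK_BYTE = re.compile(rb"\xc6\x44\x24(.)(.)", re.DOTALL)


def decode_stack_bytes(hex_pattern):
    """Return {esp_offset: char} for every stack-byte store in the pattern."""
    data = bytes.fromhex(hex_pattern.replace(" ", ""))
    return {m.group(1)[0]: chr(m.group(2)[0]) for m in STACK_BYTE.finditer(data)}


def sparse_string(offsets):
    """Lay the stored bytes out in stack order; '.' marks bytes the rule omits."""
    lo, hi = min(offsets), max(offsets)
    return "".join(offsets.get(o, ".") for o in range(lo, hi + 1))


def consistent_with(offsets, candidate):
    """True if `candidate`, placed at the lowest matched offset, agrees with
    every byte the signature pins down (a hypothesis check, not a proof)."""
    lo = min(offsets)
    return all(o - lo < len(candidate) and candidate[o - lo] == ch
               for o, ch in offsets.items())


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(name, sparse_string(decode_stack_bytes(pat)))
    # Hypothesis (this example's own inference): the gaps in x_1_5 and x_1_6
    # line up with Windows API names assembled byte-wise on the stack.
    print(consistent_with(decode_stack_bytes(PATTERNS["x_1_5"]), "GetUserNameA"))
    print(consistent_with(decode_stack_bytes(PATTERNS["x_1_6"]), "GetVolumeInformationA"))
```

Running it prints one sparse layout per pattern (for example `x_1_5 G.tU...N.m`), which is the actual set of bytes a sample must carry at those stack offsets to satisfy the rule, and explains why the page reports no plain strings for the threat.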