Concrete signature match: MonitoringTool for 64-bit Windows platform, family AwardKeylogger
This threat is AwardKeylogger, a monitoring tool designed to record user keystrokes covertly. It runs in the background to capture sensitive information such as login credentials, financial details and private messages for exfiltration. The detection keys on a reference to the file 'kl.exe', the command-line switches that launch it silently and without a tray icon, and a short code byte pattern; all three must be present for the rule to fire.
Relevant strings associated with this threat:
- \kl.exe (PEHSTR_EXT)
- /Silent /NoIcon (PEHSTR_EXT)
rule MonitoringTool_Win64_AwardKeylogger_166310_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "MonitoringTool:Win64/AwardKeylogger"
        threat_id = "166310"
        type = "MonitoringTool"
        platform = "Win64: Windows 64-bit platform"
        family = "AwardKeylogger"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "3"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {00 5c 6b 6c 2e 65 78 65 00} //weight: 1, accuracy: High
        $x_1_2 = "/Silent /NoIcon" ascii //weight: 1
        $x_1_3 = {80 7b 10 aa 74 08 c6 04 25 00 00 00 00 78 44 8b 44 24 ?? 48 8b 54 24 ?? 48 8b cb e8 ?? ?? ?? ?? b2 20 48 8b cb e8 ?? ?? ?? ?? 80 7b 10 aa 74 08 c6 04 25 00 00 00 00 78} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Remove the threat with your antivirus immediately. Disconnect the machine from the network and change all passwords for accounts accessed from this device, prioritizing email, banking and corporate services. Then run a full system scan to identify any additional malicious components.
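As an added illustration (not code from threatcheck.sh or from the signature itself), the following Python script mirrors the rule above: it turns the two hex strings, including the `??` wildcards in $x_1_3, and the ASCII string into byte-level searches, applies the 20 MB size limit and the "all of" condition, and runs them over constructed sample buffers rather than a real sample.

```python
import re

MAX_SIZE = 20 * 1024 * 1024  # "filesize < 20MB" in the rule (YARA's MB is 1024*1024)

# The three strings exactly as they appear in the rule text.
X_1_1 = "00 5c 6b 6c 2e 65 78 65 00"  # "\kl.exe" framed by NUL bytes
X_1_2 = b"/Silent /NoIcon"              # ascii string
X_1_3 = ("80 7b 10 aa 74 08 c6 04 25 00 00 00 00 78 44 8b 44 24 ?? 48 8b 54 24 ?? "
         "48 8b cb e8 ?? ?? ?? ?? b2 20 48 8b cb e8 ?? ?? ?? ?? "
         "80 7b 10 aa 74 08 c6 04 25 00 00 00 00 78")

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string ('ab ?? cd') into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

SIGNATURE = {
    "$x_1_1": hex_pattern_to_regex(X_1_1),
    "$x_1_2": re.compile(re.escape(X_1_2)),
    "$x_1_3": hex_pattern_to_regex(X_1_3),
}

def matched_strings(data: bytes) -> list:
    """Return the names of the signature strings found in `data`."""
    return [name for name, rx in SIGNATURE.items() if rx.search(data)]

def rule_matches(data: bytes) -> bool:
    """Mirror the rule condition: filesize < 20MB and all of ($x*)."""
    return len(data) < MAX_SIZE and len(matched_strings(data)) == len(SIGNATURE)

# Constructed sample buffers (not real files): HIT carries all three indicators with
# arbitrary bytes in the wildcard slots; BENIGN carries only the command-line switches.
HIT = (b"\x00\\kl.exe\x00" + b"PADDING" + X_1_2 + b"\x00"
       + bytes.fromhex("807b10aa7408c604250000000078448b4424") + b"\x30"
       + bytes.fromhex("488b5424") + b"\x28"
       + bytes.fromhex("488bcbe8") + b"\x11\x22\x33\x44"
       + bytes.fromhex("b220488bcbe8") + b"\xaa\xbb\xcc\xdd"
       + bytes.fromhex("807b10aa7408c604250000000078"))
BENIGN = b"MZ" + b"\x00" * 16 + X_1_2 + b" --help"

if __name__ == "__main__":
    print("HIT:", matched_strings(HIT), rule_matches(HIT))
    print("BENIGN:", matched_strings(BENIGN), rule_matches(BENIGN))
```

Note that a single indicator such as "/Silent /NoIcon" is not enough on its own; the rule's threshold of 3 is what keeps a stray command-line string from triggering a detection.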