Heuristic detection based on suspicious behavior patterns, not a confirmed malware match
SuspGolang.AG is a heuristic detection for a file, likely written in Go, with capabilities for network proxying, service management, and backdoor functions. This suggests it may be a remote access trojan (RAT), but the high false positive risk means it could also be a legitimate networking or administration tool.
Relevant strings associated with this threat:
- WGSocksStopReq). (PEHSTR_EXT)
- WGTCPForwardersReq). (PEHSTR_EXT)
- WGSocksServersReq). (PEHSTR_EXT)
- WGTCPForwarder). (PEHSTR_EXT)
- ServiceInfoReq). (PEHSTR_EXT)
- StopServiceReq). (PEHSTR_EXT)
- RemoveServiceReq). (PEHSTR_EXT)
- BackdoorReq). (PEHSTR_EXT)
- ).SetUniformBytes (PEHSTR_EXT)
- ).SetCanonicalBytes (PEHSTR_EXT)
- ).SetBytesWithClamping (PEHSTR_EXT)
rule Trojan_Win32_SuspGolang_AG_2147915794_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/SuspGolang.AG"
        threat_id = "2147915794"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "SuspGolang"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "11"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "WGSocksStopReq)." ascii //weight: 1
        $x_1_2 = "WGTCPForwardersReq)." ascii //weight: 1
        $x_1_3 = "WGSocksServersReq)." ascii //weight: 1
        $x_1_4 = "WGTCPForwarder)." ascii //weight: 1
        $x_1_5 = "ServiceInfoReq)." ascii //weight: 1
        $x_1_6 = "StopServiceReq)." ascii //weight: 1
        $x_1_7 = "RemoveServiceReq)." ascii //weight: 1
        $x_1_8 = "BackdoorReq)." ascii //weight: 1
        $x_1_9 = ").SetUniformBytes" ascii //weight: 1
        $x_1_10 = ").SetCanonicalBytes" ascii //weight: 1
        $x_1_11 = ").SetBytesWithClamping" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the host and quarantine the file. Investigate the file's origin, purpose, and hash. If confirmed malicious, delete the file and hunt for related activity. If it is a legitimate tool, restore the file and create an antivirus exclusion.
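The rule above fires only when every one of its 11 weight-1 strings is present (threshold 11) in a file smaller than 20MB. Because the detection is heuristic and the page flags a high false-positive risk, the most useful triage step is to see exactly which strings a suspect file does and does not contain. The following script is an added example written for this page, not code from threatcheck.sh or from the detection vendor: it re-implements the rule's string-and-size logic in plain Python over a byte buffer and reports the matched and missing identifiers. The `FULL_HIT` and `PARTIAL` buffers are constructed sample data, not real binaries. The `).` shape of the strings is worth noting for triage: Go method symbols are emitted as `pkg.(*Type).Method`, so `WGSocksStopReq).` matches a receiver type named `WGSocksStopReq`, while `).SetUniformBytes`, `).SetCanonicalBytes` and `).SetBytesWithClamping` are method names of the edwards25519 scalar type used by common Go curve25519 code, which is one reason the last three strings on their own are not evidence of malice.

```python
"""Re-implementation of the SuspGolang.AG string-match logic for triage.

Added example for this page; not the vendor's engine. It mirrors the rule:
all 11 strings must be present (each weight 1, threshold 11) and the file
must be smaller than 20MB (YARA's MB suffix means 2**20 bytes).
"""
import sys

# The 11 strings copied from the rule above, keyed by their $x_ names.
RULE_STRINGS = {
    "x_1_1": b"WGSocksStopReq).",
    "x_1_2": b"WGTCPForwardersReq).",
    "x_1_3": b"WGSocksServersReq).",
    "x_1_4": b"WGTCPForwarder).",
    "x_1_5": b"ServiceInfoReq).",
    "x_1_6": b"StopServiceReq).",
    "x_1_7": b"RemoveServiceReq).",
    "x_1_8": b"BackdoorReq).",
    "x_1_9": b").SetUniformBytes",
    "x_1_10": b").SetCanonicalBytes",
    "x_1_11": b").SetBytesWithClamping",
}
THRESHOLD = 11                    # meta: threshold = "11"; every string weighs 1
MAX_FILESIZE = 20 * 1024 * 1024   # condition: filesize < 20MB


def score_buffer(data: bytes) -> dict:
    """Apply the rule to an in-memory file image and explain the verdict.

    Returns which strings matched, which are missing, the accumulated
    weight, whether the size condition holds, and the final hit verdict.
    """
    matched = {name: (pattern in data) for name, pattern in RULE_STRINGS.items()}
    weight = sum(1 for hit in matched.values() if hit)
    size_ok = len(data) < MAX_FILESIZE
    return {
        "matched": [name for name, hit in matched.items() if hit],
        "missing": [name for name, hit in matched.items() if not hit],
        "weight": weight,
        "size_ok": size_ok,
        "hit": size_ok and weight >= THRESHOLD,
    }


def score_file(path: str) -> dict:
    """Read a file from disk and score it with score_buffer."""
    with open(path, "rb") as fh:
        return score_buffer(fh.read())


# Constructed sample buffers (not real binaries). FULL_HIT carries all 11
# strings separated by NUL bytes, the shape of a genuine hit. PARTIAL carries
# only the three edwards25519-style method names, which must not fire alone.
FULL_HIT = b"\x00".join(RULE_STRINGS.values()) + b"\x00trailing-data"
PARTIAL = b"\x00".join(
    [b"(*Scalar).SetUniformBytes",
     b"(*Scalar).SetCanonicalBytes",
     b"(*Scalar).SetBytesWithClamping"]
)


def describe(result: dict) -> str:
    """One-line human summary for an analyst's notes."""
    verdict = "HIT" if result["hit"] else "no hit"
    return (f"{verdict}: weight {result['weight']}/{THRESHOLD}, "
            f"size_ok={result['size_ok']}, missing={result['missing']}")


if __name__ == "__main__":
    # With no arguments, show the two constructed samples; otherwise score
    # each path given on the command line.
    if len(sys.argv) == 1:
        print("FULL_HIT ->", describe(score_buffer(FULL_HIT)))
        print("PARTIAL  ->", describe(score_buffer(PARTIAL)))
    for path in sys.argv[1:]:
        print(path, "->", describe(score_file(path)))
```

Run it against a quarantined sample to see which strings are absent; a file that carries the `Service*Req` and `Backdoor*` receiver names alongside the proxying ones is a stronger signal than one that matches only the cryptographic method names, and the missing list tells you directly which capability group the file lacks.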