Concrete signature match: Trojan (appears legitimate but performs malicious actions), Linux platform, family VShell.
No specific text strings were found for this threat; detection relies on the two hex code patterns in the rule below.
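// Trojan:Linux/VShell.B!MTB — code-pattern rule for a specific VShell ELF build.
//
// Both hex patterns are raw x86-64 instruction bytes taken from one build of the
// binary. They embed fixed RIP-relative displacements (lea/mov disp32, call rel32),
// so the rule is tied to that build's layout: a recompiled or repacked sample will
// not match. Expect high precision and low recall; pair it with behavioural or
// string-based VShell rules for coverage.
//
// Matching requires BOTH patterns (threshold 2 = sum of both weights) and, as a
// sanity gate, that the scanned object is an ELF image.
rule Trojan_Linux_VShell_B_2147943670_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/VShell.B!MTB"
        threat_id = "2147943670"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "VShell"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        // cmp edi,0x1b / jne back ; eax=0, ecx=1 ; lea r11,[rip+disp32] ;
        // lock cmpxchg [r11],ecx ; jne back ; rip-relative mov/lea loads ; jmp rax.
        // A compare-and-swap retry loop ending in an indirect jump. The four
        // disp32 values are build-specific and make this pattern brittle.
        $x_1_1 = {83 ff 1b 75 f6 b8 00 00 00 00 b9 01 00 00 00 4c 8d 1d 06 34 78 00 f0 41 0f b1 0b 75 de 48 8b 0d 6c 17 75 00 4c 8d 05 75 41 78 00 4c 8d 0d 0e fa ff ff 48 8b 05 f7 1b 75 00 ff e0} //weight: 1, accuracy: High

        // test rax,rax / je ; rdi=[rax], rsi=[rax+8] ; xor eax,eax ;
        // lea rbx,[rip+disp32] ; mov ecx,0xf ; call rel32 ; add rsp,0x28 ; pop rbp ; ret.
        // Register usage is consistent with Go's internal ABI (VShell is commonly
        // reported as Go-built) — not confirmed from these bytes alone. The lea
        // disp32 and call rel32 are build-specific.
        $x_1_2 = {48 85 c0 74 24 48 8b 38 48 8b 70 08 31 c0 48 8d 1d d4 f7 44 00 b9 0f 00 00 00 e8 ea 7b fe ff 48 83 c4 28 5d c3} //weight: 1, accuracy: High

    condition:
        // The source signature type is ELFHSTR (ELF hex-string) and the platform is
        // Linux, so gate on the ELF magic ("\x7fELF" read little-endian) before the
        // byte-pattern search: it keeps the rule from matching the same opcode
        // sequences inside unrelated blobs and skips non-ELF files cheaply.
        uint32(0) == 0x464c457f and
        (filesize < 20MB) and
        (all of ($x*))
}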