Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family AgentTesla
This is a concrete detection of Trojan:MSIL/AgentTesla.AD!MTB, indicating a highly sophisticated information stealer. The malware employs multiple obfuscation techniques, uses system hooking, and leverages networking and cryptography to exfiltrate sensitive data; it is potentially delivered through social engineering lures such as fake resume or restaurant applications.
Relevant strings associated with this threat:
- SecureTeam.Attributes.ObfuscatedByAgileDotNetAttribute (PEHSTR_EXT)
- SmartAssembly.Attributes.PoweredByAttribute (PEHSTR_EXT)
- SecureTeam.Attributes.ObfuscatedByCliSecureAttribute (PEHSTR_EXT)
- Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode (PEHSTR_EXT)
- CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute (PEHSTR_EXT)
- NineRays.Obfuscator.Evaluation (PEHSTR_EXT)
- System.Net (PEHSTR_EXT)
- System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
- hOOWd989DTOHFEOtZr.dVHUYZkf5VVcnHC4cP (PEHSTR_EXT)
- ResumesApp.Properties.Resources.resources (PEHSTR_EXT)
- EP1_Restaurante.Properties (PEHSTR_EXT)
- |#d4f940ab-401b-4efc-aadc-ad5f3c50688a (NID)
- }#d4f940ab-401b-4efc-aadc-ad5f3c50688a (NID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- bitsadmin (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
rule Trojan_MSIL_AgentTesla_AD_2147742722_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/AgentTesla.AD!MTB"
        threat_id = "2147742722"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "AgentTesla"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {02 11 06 11 07 6f ?? 00 00 0a 13 08 03 11 05 6f ?? 00 00 0a 59 13 09 11 05 12 08 28 ?? 00 00 0a 6f ?? 00 00 0a 00 11 09 17 59 25 13 09 16 fe 02 16 fe 01 13 11 11 11 2c 05} //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 86001a3435ac0e6ec179643bfed46e41ac367289869625ae2378537762bfcdb1

Immediately isolate the affected system from the network to prevent further data exfiltration or lateral movement. Ensure Windows Defender or an equivalent endpoint detection and response (EDR) solution is up to date and run a full system scan to remove all malicious components. Promptly reset all user account passwords, especially for critical services, and reinforce security awareness training to prevent similar infections.