Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family AgentTesla
This detection indicates AgentTesla, a notorious .NET-based information stealer and remote access trojan. It is designed to capture keystrokes, log screen activity, steal credentials from web browsers and email clients, and exfiltrate sensitive system information, posing a significant data breach risk.
Relevant strings associated with this threat: - screenLogger (PEHSTR_EXT)
rule Trojan_MSIL_AgentTesla_CCHS_2147902336_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:MSIL/AgentTesla.CCHS!MTB"
threat_id = "2147902336"
type = "Trojan"
platform = "MSIL: .NET intermediate language scripts"
family = "AgentTesla"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "15"
strings_accuracy = "High"
strings:
$x_1_1 = "screenLogger" ascii //weight: 1
$x_1_2 = "keyLogger" ascii //weight: 1
$x_1_3 = "OSFullName" wide //weight: 1
$x_1_4 = "CPU:" wide //weight: 1
$x_1_5 = "User Name" wide //weight: 1
$x_1_6 = "SbieDll.dll" wide //weight: 1
$x_1_7 = "Opera Mail\\Opera Mail" wide //weight: 1
$x_1_8 = "Software\\TightVNC" wide //weight: 1
$x_1_9 = "DownloadManager\\Passwords" wide //weight: 1
$x_1_10 = "hostname|encryptedPassword|encryptedUsername" wide //weight: 1
$x_1_11 = "Google\\Chrome\\User Data" wide //weight: 1
$x_1_12 = "Chromium\\User Data" wide //weight: 1
$x_1_13 = "Mozilla\\icecat" wide //weight: 1
$x_1_14 = "Elements Browser\\User Data" wide //weight: 1
$x_1_15 = "Microsoft\\Edge\\User Data" wide //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}24fe87b1951171c60a79a85bd1edc5da865222b2065c8cd30de6d5dacabb5f85Immediately isolate the affected system, perform a full malware scan, force a password reset for all potentially compromised credentials, and investigate for lateral movement or data exfiltration. Rebuild the system from a trusted backup.