Signature match: Trojan (appears legitimate but performs malicious actions), .NET (Microsoft Intermediate Language) platform, family AgentTesla
This detection identifies a variant of AgentTesla, a .NET-based information-stealing trojan. This malware is designed to capture sensitive data, such as keystrokes and login credentials from web browsers and email clients, and exfiltrate it to an attacker's server.
Relevant strings associated with this threat:
- AesCryptoServiceProvider (PEHSTR_EXT)
rule Trojan_MSIL_AgentTesla_LQL_2147805639_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/AgentTesla.LQL!MTB"
        threat_id = "2147805639"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "AgentTesla"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {16 13 04 2b 21 02 08 09 11 04 28 ?? ?? ?? 06 28 ?? ?? ?? 0a 13 05 07 06 11 05 28 ?? ?? ?? 0a 9c 11 04 17 58 13 04 11 04 17 32 da} //weight: 1, accuracy: Low
        $x_1_2 = "BSTRMarshaler" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 26e54c0973cd4de1ff00a250344618416034042479a306a337d5f9587cafaf4f

Isolate the affected machine from the network immediately. Use an updated antivirus solution to quarantine and remove the threat. Reset all passwords for accounts used on the machine and perform a full system scan to check for any remaining artifacts.
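The rule's two strings and its threshold logic, re-implemented in plain Python as an added example (this is not threatcheck.sh's code and not a substitute for loading the rule into YARA): it turns the `??` wildcards of the hex string into a byte regex, scores hits with the rule's weights, and evaluates the condition. The `??` bytes sit where the CIL `call` opcode (0x28) carries its metadata token, which is why they are wildcarded. Both sample buffers are constructed for the demonstration, not real malware.

```python
import re

# Strings and condition from the rule on this page (each $x has weight 1, threshold 2).
HEX_PATTERN = ("16 13 04 2b 21 02 08 09 11 04 28 ?? ?? ?? 06 28 ?? ?? ?? 0a "
               "13 05 07 06 11 05 28 ?? ?? ?? 0a 9c 11 04 17 58 13 04 11 04 17 32 da")
ASCII_STRING = b"BSTRMarshaler"
WEIGHTS = {"$x_1_1": 1, "$x_1_2": 1}
THRESHOLD = 2
MAX_SIZE = 20 * 1024 * 1024  # filesize < 20MB

def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string with '??' wildcards into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        # '??' is one arbitrary byte; DOTALL lets '.' match 0x0a as well
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes) -> dict:
    """Evaluate the rule's strings and condition against a byte buffer."""
    hits = {
        "$x_1_1": [m.start() for m in hex_to_regex(HEX_PATTERN).finditer(data)],
        "$x_1_2": [m.start() for m in re.finditer(re.escape(ASCII_STRING), data)],
    }
    weighted = sum(WEIGHTS[name] for name, offs in hits.items() if offs)
    # 'all of ($x*)' with two weight-1 strings is the same as reaching threshold 2
    matched = len(data) < MAX_SIZE and weighted >= THRESHOLD
    return {"hits": hits, "weighted": weighted, "matched": matched}

def fill_wildcards(pattern: str, filler: bytes) -> bytes:
    """Constructed helper: materialise the hex pattern, substituting filler bytes
    for each '??' (here: the per-build metadata tokens behind the 0x28 call opcodes)."""
    out, it = bytearray(), iter(filler)
    for tok in pattern.split():
        out.append(next(it) if tok == "??" else int(tok, 16))
    return bytes(out)

# Constructed sample buffers (not real malware): one that only carries the ASCII name,
# as legitimate .NET interop code does, and one that also carries the wildcarded CIL loop.
BENIGN = b"MZ" + b"\x00" * 64 + b"System.StubHelpers." + ASCII_STRING + b"\x00" * 16
SUSPECT = (b"MZ" + b"\x00" * 64 + fill_wildcards(HEX_PATTERN, bytes(range(1, 10)))
           + b"\x00" * 8 + ASCII_STRING + b"\x00" * 16)

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan(buf))
```

The benign buffer scores 1 and does not match, which is the point of the `all of ($x*)` condition: `BSTRMarshaler` alone is a common interop name (the rule itself marks string accuracy as Low), so only the CIL byte sequence together with it triggers the detection.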