Signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family AgentTesla
This detection identifies Trojan:MSIL/AgentTesla.SJ!MTB, a sophisticated .NET-based infostealer and remote access trojan. It exhibits capabilities for extensive system compromise including process hooking for data theft (e.g., keylogging), establishing persistence using system utilities (rundll32, regsvr32, mshta, scheduled tasks), and exfiltrating data via BITS jobs and remote file operations.
Relevant strings associated with this threat:
- FolderSearcher.Form1.resources (PEHSTR_EXT)
- QuanLyBanGiay.CCM (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_MSIL_AgentTesla_SJ_2147756279_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/AgentTesla.SJ!MTB"
        threat_id = "2147756279"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "AgentTesla"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {00 08 17 58 13 06 07 08 07 08 91 28 15 00 00 06 08 1f 16 5d 91 61 07 11 06 09 5d 91 59 20 00 01 00 00 58 20 ff 00 00 00 5f d2 9c 08 17 58 0c 00 08 09 fe 04 13 07 11 07 2d c6} //weight: 2, accuracy: High
        $x_2_2 = "FolderSearcher.Form1.resources" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hashes (SHA-256):
- 1f6409653cb9163caee32ecc1652b8f7a778f44c492e6c74ca652505c37313d8
- 3b74f2bc2c5f52c9c6d9a4ccec72a5dc9ff7a1676c17483c1b734d91ff06a2f5
- 468b7d7df75898e6cb22d0964283e2b080a40cda5aaf55d83e72c504c03ffb00
- c695505c3cbe55b147b4c44f9290cc6594a2452792aaab1474b01bdd0a7f7a94

Immediately isolate the affected host from the network to prevent further spread or data exfiltration. Perform a full system scan with updated antivirus software to ensure complete removal of the threat. Crucially, reset all credentials (user accounts, network shares, applications, and browser-saved passwords) that were present on or accessible from the compromised system, as AgentTesla is designed to steal sensitive information. Review system and network logs for any signs of lateral movement or data exfiltration.
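The following is an added worked example, not code from threatcheck.sh or from the rule above: it re-implements the rule's matching logic in plain Python so the verdict can be traced step by step. It takes the `$x_2_1` byte pattern and the `$x_2_2` string from the rule, the weights from the `//weight:` comments, the `threshold = "4"` and `filesize < 20MB` limits from the rule, and the four hashes listed on this page. One assumption is labelled in the code: the MTB threshold is treated as "summed weights of matched strings must reach the threshold", which for two weight-2 strings and threshold 4 coincides with the rule's `all of ($x*)`. The sample buffers are constructed in the script and contain only the rule's indicators, not any real sample.

```python
import hashlib

# Byte pattern ($x_2_1) and ASCII string ($x_2_2) copied from the rule above;
# weights come from the "//weight: 2" comments, threshold from the rule meta.
X_2_1 = bytes.fromhex(
    "00 08 17 58 13 06 07 08 07 08 91 28 15 00 00 06 08 1f 16 5d 91 61 07 11 06 09 "
    "5d 91 59 20 00 01 00 00 58 20 ff 00 00 00 5f d2 9c 08 17 58 0c 00 08 09 fe 04 "
    "13 07 11 07 2d c6"
)
X_2_2 = b"FolderSearcher.Form1.resources"
RULE_STRINGS = {"$x_2_1": (X_2_1, 2), "$x_2_2": (X_2_2, 2)}
THRESHOLD = 4                    # meta: threshold = "4"
MAX_FILESIZE = 20 * 1024 * 1024  # condition: filesize < 20MB (YARA's MB is 2**20)

# The four SHA-256 digests listed on this page for samples hit by the rule.
KNOWN_SHA256 = {
    "1f6409653cb9163caee32ecc1652b8f7a778f44c492e6c74ca652505c37313d8",
    "3b74f2bc2c5f52c9c6d9a4ccec72a5dc9ff7a1676c17483c1b734d91ff06a2f5",
    "468b7d7df75898e6cb22d0964283e2b080a40cda5aaf55d83e72c504c03ffb00",
    "c695505c3cbe55b147b4c44f9290cc6594a2452792aaab1474b01bdd0a7f7a94",
}


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's string, weight/threshold and filesize logic to a buffer.

    Assumption (not stated on the page): the MTB threshold means the summed
    weights of matched strings must reach THRESHOLD. With two strings of
    weight 2 and threshold 4 this equals the rule's 'all of ($x*)'.
    """
    hits = {name: find_all(data, needle) for name, (needle, _w) in RULE_STRINGS.items()}
    score = sum(w for name, (_n, w) in RULE_STRINGS.items() if hits[name])
    filesize_ok = len(data) < MAX_FILESIZE
    return {
        "filesize_ok": filesize_ok,
        "score": score,
        "hits": hits,
        "matched": filesize_ok and score >= THRESHOLD,
    }


def hash_lookup(data: bytes) -> tuple:
    """SHA-256 the buffer and report whether it is one of the listed samples."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, digest in KNOWN_SHA256


def scan(data: bytes) -> dict:
    """Combine the hash check and the rule evaluation into one verdict."""
    digest, known = hash_lookup(data)
    result = evaluate_rule(data)
    result["sha256"] = digest
    result["known_sample"] = known
    return result


# Constructed test buffers (not real samples): an MZ-like header, padding, and
# the rule's indicators placed at known offsets (20 for $x_2_2, 58 for $x_2_1).
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 16 + X_2_2 + b"\x00" * 8 + X_2_1 + b"\x00" * 4
SAMPLE_PARTIAL = b"MZ\x90\x00" + b"\x00" * 16 + X_2_2  # resource name only: score 2
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 64             # neither indicator

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL), ("clean", SAMPLE_CLEAN)):
        r = scan(buf)
        print(f"{label:8} matched={r['matched']} score={r['score']} "
              f"known_sample={r['known_sample']} hits={r['hits']}")
```

Running the script shows why the partial buffer is not a detection: it carries the resource name but not the IL byte pattern, so its weight sum stays at 2, below the threshold of 4. For a real triage run, replace the constructed buffers with the bytes of the file under review; a hash hit against the listed digests is an exact-sample confirmation, while a rule hit on an unlisted hash is a new sample of the same signature that should be handled with the remediation steps above.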