Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family AveMaria
Trojan:MSIL/AveMaria.NEEC!MTB is a variant of the AveMaria RAT (Remote Access Trojan) detected via machine learning behavioral analysis. It is likely delivered as or masquerading as a legitimate application (mini calculator) and exhibits behavior consistent with typical AveMaria RAT functionality like remote access, keylogging, and data exfiltration.
Relevant strings associated with this threat: - mini calculator.exe (PEHSTR_EXT) - mini_calculator.My (PEHSTR_EXT) - GetExecutingAssembly (PEHSTR_EXT)
rule Trojan_MSIL_AveMaria_NEEC_2147839966_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:MSIL/AveMaria.NEEC!MTB"
threat_id = "2147839966"
type = "Trojan"
platform = "MSIL: .NET intermediate language scripts"
family = "AveMaria"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "21"
strings_accuracy = "High"
strings:
$x_5_1 = "bbff2a71-7db6-4243-8acb-d38c32bc310d" ascii //weight: 5
$x_5_2 = "kLjw4iIsCLsZtxc4lksN0j" ascii //weight: 5
$x_5_3 = "WindowsDataC.exe" wide //weight: 5
$x_2_4 = "mini calculator.exe" ascii //weight: 2
$x_2_5 = "mini_calculator.My" ascii //weight: 2
$x_1_6 = "Invoke" ascii //weight: 1
$x_1_7 = "GetExecutingAssembly" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}0e7aa42d81a35200a205b426dd88c0c487b785851a081bedd9978ced12fb09deIsolate the affected system immediately. Perform a full malware scan with updated antivirus definitions. Analyze network traffic for suspicious connections and review recently opened files, removing the malicious file (mini calculator.exe) from the system and network.