Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family FormBook
Trojan:MSIL/FormBook.ABF!MTB is a concrete detection of the FormBook information-stealing malware, specifically targeting .NET applications. This variant, identified through machine learning behavioral analysis, aims to compromise systems and exfiltrate sensitive data, potentially using lures or disguises related to Vietnamese educational or student management applications.
Relevant strings associated with this threat:
- GUI_Services.CanBoGiaoVienGUI (PEHSTR_EXT)
- GUI_Services.DanhSachGV1Lop (PEHSTR_EXT)
- GUI_Services.DanhSachHocSinh (PEHSTR_EXT)
- GUI_Services.PhanCongGiangDayGUI (PEHSTR_EXT)
- GUI_Services.QuanLyHoSoHocSinh (PEHSTR_EXT)
- GUI_Services.QuanLyLopGUI (PEHSTR_EXT)
- GUI_Services.QuanLyMonHocGUI (PEHSTR_EXT)
- GUI_Services.ThongTinGUI (PEHSTR_EXT)
rule Trojan_MSIL_FormBook_ABF_2147900366_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/FormBook.ABF!MTB"
        threat_id = "2147900366"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "FormBook"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        // CIL byte sequence of a loop that XORs each byte of a local byte array with
        // a method argument (ldloc/ldelem.u1, ldarg.2, xor, stloc, increment, blt.s),
        // i.e. a single-key XOR decoding routine used to unpack the payload.
        $x_2_1 = {16 13 07 2b 15 11 06 11 07 91 13 08 00 11 08 04 61 13 09 00 11 07 17 58 13 07 11 07 11 06 8e 69 32 e3} //weight: 2, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 6a6af729bcfe6c368c81300a7b3f078b6077b365d7dad49b9c0bc4d1ee3f71b2

Remediation: Immediately isolate the infected system from the network. Perform a full, deep scan with updated antivirus software and remove all detected malicious files. Reset all user credentials, especially for online services and critical accounts, since FormBook is an infostealer. Investigate the initial compromise vector to prevent future infections.