Trojan:MSIL/Formbook.AMAJ!MTB - Windows Defender Threat Analysis

This is a concrete detection of Trojan:MSIL/Formbook.AMAJ, a sophisticated information-stealing malware designed to exfiltrate sensitive data from compromised Windows systems. Its presence indicates a high-risk compromise with a low false positive risk, leveraging .NET intermediate language.

No specific strings found for this threat

rule Trojan_MSIL_Formbook_AMAJ_2147915324_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Formbook.AMAJ!MTB"
        threat_id = "2147915324"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Formbook"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {1f 16 5d 91 13 ?? 07 09 91 11 ?? 61 09 18 58 17 59 08 5d}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected system to prevent further data exfiltration and network spread. Perform a full system scan with updated antivirus definitions, remove all detected malicious files, and investigate for any persistence mechanisms or additional compromise indicators. Reset all potentially exposed credentials and consider a system reimage due to the nature of info-stealing malware.