Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language), family Heracles
This is a .NET-based Trojan from the Heracles family, identified as Trojan:MSIL/Heracles.AB!MTB. The sample is obfuscated with the 'Confuser' tool to hinder analysis, and its ability to bypass security certificate validation indicates that it likely communicates with a remote server to exfiltrate data or receive commands. Its malicious nature was confirmed through machine-learning behavioral detection (the !MTB suffix).
Relevant strings associated with this threat:
- lpProceskcabllaCnoitadilaVtreCetomeRytiruceSteNmetsyS81617 (PEHSTR_EXT)
- HttpUtility (PEHSTR_EXT)
- HttpServerUtility (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- Confuser.Core 1.6.0+447341964f (PEHSTR_EXT)
- Sprauncy.exe (PEHSTR_EXT)
rule Trojan_MSIL_Heracles_AB_2147849707_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Heracles.AB!MTB"
        threat_id = "2147849707"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Heracles"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "10"
        strings_accuracy = "High"
    strings:
        $x_10_1 = {fe 0c 01 00 fe 0c 02 00 93 fe 0e 03 00 fe 0c 00 00 fe 0c 03 00 fe 09 02 00 59 d1 6f 07 00 00 0a 26 fe 0c 02 00 20 01 00 00 00 58 fe 0e 02 00 fe 0c 02 00 fe 0c 01 00 8e 69 32 c5} //weight: 10, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash (SHA-256): 04e1f69458d2d6d073a4b61f97ba8a4d1219f8d57d4d682b48b9473bfc5dd1d4

Recommended remediation: Isolate the affected system from the network. Use antivirus to remove the threat (e.g., Sprauncy.exe). Scan for persistence mechanisms such as startup entries or scheduled tasks, and review network logs for suspicious outbound connections. Change all user passwords associated with the machine, and consider reimaging it if a wider compromise is suspected.