Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family Marsilia
This is a behavioral detection of a Marsilia family Trojan, a type of malware designed to secretly perform malicious actions on systems running .NET applications. Its identification relies on machine learning-driven analysis of suspicious behaviors rather than a specific, unique code signature.
No specific strings found for this threat
rule Trojan_MSIL_Marsilia_SPFV_2147909807_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:MSIL/Marsilia.SPFV!MTB"
threat_id = "2147909807"
type = "Trojan"
platform = "MSIL: .NET intermediate language scripts"
family = "Marsilia"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "5"
strings_accuracy = "Low"
strings:
$x_5_1 = {02 07 91 28 ?? ?? ?? 0a 03 6f ?? ?? ?? 0a 07 28 ?? ?? ?? 0a 03 6f ?? ?? ?? 0a 8e 69 5d 91 61 d2 9c 07 17 58 0b} //weight: 5, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}781b6211fe7e291d52cf690e3bbb508714f4608aa879cedc2a61199312dff91aIsolate the affected system, perform a full system scan with updated antivirus software, and remove all detected threats. Ensure all system software and security patches are up to date.