Signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family NjRat
This detection identifies a variant of the NjRat Remote Access Trojan (RAT), a well-known malware that allows attackers to gain complete control over an infected system. Its capabilities include stealing data, logging keystrokes, and accessing the webcam and microphone. The '!MTB' suffix indicates this was identified by a machine learning behavioral model, suggesting the file exhibits actions characteristic of this threat.
No specific strings found for this threat
rule Trojan_MSIL_NjRat_ABUA_2147941477_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/NjRat.ABUA!MTB"
        threat_id = "2147941477"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "NjRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {fe 0c 03 00 fe 0c 02 00 9a fe 0e 01 00 fe 0c 00 00 fe 0c 01 00 20 02 00 00 00 28 ?? 00 00 0a 28 ?? 00 00 0a 28 ?? 00 00 0a 28 ?? 00 00 0a fe 0e 00 00 fe 0c 02 00 20 01 00 00 00 d6 fe 0e 02 00 fe 0c 02 00 fe 0c 03 00 8e b7 3f ?? ff ff ff fe 0c 00 00 28 ?? 00 00 0a 28 ?? 00 00 0a 6f ?? 00 00 0a 14 14 6f ?? 00 00 0a 26 2a} //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash (SHA-256): 5bc0dcb006307b8c5475a301c3396feed74941d577c33cb65aa8a0ae3bbccf81

Remediation: Isolate the affected machine from the network immediately. Use Windows Defender to perform a full scan and ensure the threat is removed. Because this RAT can lead to full system compromise, consider re-imaging the device and resetting all user credentials that were used on it.
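The following Python is an added illustration, not code from the threatcheck.sh page or from Microsoft's signature engine. It reimplements the rule's matching logic without a YARA engine so the mechanics are visible: the hex string from `$x_5_1` is translated into a bytes regex (each `??` becomes a single-byte wildcard), the `filesize < 20MB` and `all of ($x*)` conditions are applied, and the input is hashed so a hit can be compared with the SHA-256 listed above. The buffer it scans is constructed from the pattern's fixed bytes with a filler byte in the wildcard positions; it is a test vector, not a real sample. Treating `weight` and `threshold` as a score that must reach the threshold is an assumption about how those meta fields are meant to be read.

```python
import hashlib
import re

# Hex string copied from $x_5_1 in the rule on this page (Trojan:MSIL/NjRat.ABUA!MTB).
X_5_1 = (
    "fe 0c 03 00 fe 0c 02 00 9a fe 0e 01 00 fe 0c 00 00 fe 0c 01 00 20 02 00 00 00 "
    "28 ?? 00 00 0a 28 ?? 00 00 0a 28 ?? 00 00 0a 28 ?? 00 00 0a fe 0e 00 00 fe 0c 02 00 "
    "20 01 00 00 00 d6 fe 0e 02 00 fe 0c 02 00 fe 0c 03 00 8e b7 3f ?? ff ff ff "
    "fe 0c 00 00 28 ?? 00 00 0a 28 ?? 00 00 0a 6f ?? 00 00 0a 14 14 6f ?? 00 00 0a 26 2a"
)

# Rule parameters taken from the meta and condition sections above.
STRINGS = {"$x_5_1": (X_5_1, 5)}        # name -> (hex pattern, weight)
THRESHOLD = 5                            # meta: threshold = "5" (assumed to be a score floor)
MAX_FILESIZE = 20 * 1024 * 1024          # condition: filesize < 20MB
KNOWN_SHA256 = "5bc0dcb006307b8c5475a301c3396feed74941d577c33cb65aa8a0ae3bbccf81"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string into a compiled bytes regex.

    Fixed bytes become \\xHH escapes; each '??' token becomes '.', which with
    re.DOTALL matches any single byte (including newline).
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes) -> dict:
    """Apply the rule: filesize < 20MB, every $x* string present, weights summed."""
    result = {"match": False, "score": 0, "offsets": {}, "sha256": sha256_hex(data)}
    if len(data) >= MAX_FILESIZE:
        return result                    # condition fails before any string search
    for name, (pattern, weight) in STRINGS.items():
        hits = [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]
        if hits:
            result["offsets"][name] = hits
            result["score"] += weight
    all_present = len(result["offsets"]) == len(STRINGS)   # all of ($x*)
    result["match"] = all_present and result["score"] >= THRESHOLD
    return result


def build_sample(filler: int = 0x41) -> bytes:
    """Constructed test buffer: the pattern's fixed bytes with `filler` in every
    wildcard slot, padded with 16 zero bytes on each side. Not a real sample."""
    body = bytes(filler if tok == "??" else int(tok, 16) for tok in X_5_1.split())
    return b"\x00" * 16 + body + b"\x00" * 16


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the scanned bytes, for comparison with a published sample hash."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = build_sample()
    r = scan(sample)
    print("match:", r["match"], "score:", r["score"], "offsets:", r["offsets"])
    print("sha256:", r["sha256"], "equals published hash:", r["sha256"] == KNOWN_SHA256)
    print("benign buffer match:", scan(b"\x00" * 64)["match"])
```

The constructed buffer matches at offset 16 with score 5, while its hash naturally differs from the published one: the regex shows what the signature keys on, the hash shows which exact file was catalogued, and a defender uses the two checks for different purposes.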