Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language, MSIL), family PureLogs
This is a concrete detection entry for Trojan:MSIL/PureLogs.AD!MTB, a Microsoft Defender signature for a .NET (MSIL) trojan in the PureLogs family. The page classifies it as an MSIL/TrojanDropper that deploys additional payloads or establishes persistence, and suggests the sample is obfuscated with DotNet Reactor; note that the rule's own metadata only records type "Trojan", and the byte pattern below does not identify a packer. The only match criterion is the single hex string $x_1_1, a short sequence of CIL opcodes: two stores to locals, a chain of three 32-bit immediates combined with xor, and a local masked with 0x0f0f0f0f. A compiler would have constant-folded that xor chain, so the code was most likely emitted by a post-build obfuscator, which is why it makes a usable signature.
No printable strings are associated with this threat; the rule keys on raw CIL opcode bytes rather than text.
rule Trojan_MSIL_PureLogs_AD_2147954437_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/PureLogs.AD!MTB"
        threat_id = "2147954437"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "PureLogs"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"

    strings:
        // CIL decoding of the pattern (ECMA-335 opcodes, little-endian operands):
        //   fe 0e 14 00        stloc  0x14
        //   fe 0e 15 00        stloc  0x15
        //   20 ce 8a f8 01     ldc.i4 0x01f88ace
        //   20 51 f5 b2 79     ldc.i4 0x79b2f551
        //   61                 xor
        //   20 02 df cf 6c     ldc.i4 0x6ccfdf02
        //   61                 xor                  -> 0x1485a09d
        //   fe 0e 14 00        stloc  0x14
        //   fe 0c 12 00        ldloc  0x12
        //   20 0f 0f 0f 0f     ldc.i4 0x0f0f0f0f
        //   5f                 and
        //   fe 0e 17 00        stloc  0x17
        // No wildcards: any change to the immediates or local indices breaks the match.
        $x_1_1 = {fe 0e 14 00 fe 0e 15 00 20 ce 8a f8 01 20 51 f5 b2 79 61 20 02 df cf 6c 61 fe 0e 14 00 fe 0c 12 00 20 0f 0f 0f 0f 5f fe 0e 17 00} //weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Hash listed with this detection (64 hex characters, SHA-256 format): 7a28a02a5ce1d3e19ab2d35feb2b585f096e56175fb2980e29947079d3467a2b

Immediately isolate the infected host, run a full scan with up-to-date security software and remove the detected malware. Then investigate for dropped payloads, persistence mechanisms and other signs of further compromise, including data exfiltration. Because the signature matches only a 43-byte opcode sequence, corroborate a hit with the hash above or with behavioural analysis before treating a lone match as a confirmed PureLogs infection.
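To see what the rule actually keys on, the following added example (written for this page, not threatcheck.sh or Microsoft code) decodes the hex string into CIL mnemonics, folds the constant xor chain the way an emulator would, and applies the rule's two conditions to a buffer. The opcode table is hand-written from ECMA-335 and covers only the opcodes in the pattern plus a few common arithmetic ones; the `HIT` and `MISS` buffers are constructed, not real samples.

```python
"""Decode and check the CIL byte pattern from Trojan_MSIL_PureLogs_AD_2147954437_0.

Added example for this page; it is not threatcheck.sh or Microsoft tooling. The
opcode table is hand-written from ECMA-335 and covers only what the pattern
uses plus a few common arithmetic opcodes. Sample buffers below are constructed.
"""
import struct

# $x_1_1 from the rule, copied verbatim. It has no wildcards or jumps, so a plain
# substring search is equivalent to the YARA string match.
SIG_HEX = ("fe 0e 14 00 fe 0e 15 00 20 ce 8a f8 01 20 51 f5 b2 79 61 "
           "20 02 df cf 6c 61 fe 0e 14 00 fe 0c 12 00 20 0f 0f 0f 0f 5f fe 0e 17 00")
SIG = bytes.fromhex(SIG_HEX)
MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "20MB" is 20 * 2**20 bytes

# Single-byte opcodes: value -> (mnemonic, struct format of the inline operand or None)
ONE_BYTE = {
    0x06: ("ldloc.0", None), 0x07: ("ldloc.1", None), 0x08: ("ldloc.2", None),
    0x09: ("ldloc.3", None), 0x0A: ("stloc.0", None), 0x0B: ("stloc.1", None),
    0x0C: ("stloc.2", None), 0x0D: ("stloc.3", None),
    0x11: ("ldloc.s", "<B"), 0x13: ("stloc.s", "<B"),
    0x1F: ("ldc.i4.s", "<b"), 0x20: ("ldc.i4", "<i"),
    0x58: ("add", None), 0x59: ("sub", None), 0x5F: ("and", None),
    0x60: ("or", None), 0x61: ("xor", None),
}
ONE_BYTE.update({0x16 + n: (f"ldc.i4.{n}", None) for n in range(9)})  # ldc.i4.0 .. ldc.i4.8
# Opcodes prefixed with 0xFE: second byte -> (mnemonic, operand format); these take uint16 local indices
TWO_BYTE = {0x0C: ("ldloc", "<H"), 0x0D: ("ldloca", "<H"), 0x0E: ("stloc", "<H")}


def disassemble(code):
    """Decode a CIL byte sequence into (offset, mnemonic, operand) tuples.
    Raises ValueError on an opcode outside the table or a truncated operand."""
    out, i = [], 0
    while i < len(code):
        off = i
        if code[i] == 0xFE:
            entry = TWO_BYTE.get(code[i + 1]) if i + 1 < len(code) else None
            i += 2
        else:
            entry = ONE_BYTE.get(code[i])
            i += 1
        if entry is None:
            raise ValueError(f"unsupported opcode at offset {off:#x}")
        name, fmt = entry
        operand = None
        if fmt:
            size = struct.calcsize(fmt)
            if i + size > len(code):
                raise ValueError(f"truncated operand at offset {off:#x}")
            operand = struct.unpack(fmt, code[i:i + size])[0]
            i += size
        out.append((off, name, operand))
    return out


def fold_constants(instrs):
    """Walk the instructions with a tiny symbolic evaluation stack. Values that can be
    computed from immediates alone are folded to 32-bit constants; anything fed by an
    unknown local (or by the empty stack, since the pattern starts mid-method) becomes
    None. Returns {local index: folded value or None} for every local written by stloc."""
    stack, locs = [], {}
    ops = {"xor": lambda a, b: a ^ b, "and": lambda a, b: a & b, "or": lambda a, b: a | b,
           "add": lambda a, b: a + b, "sub": lambda a, b: a - b}
    pop = lambda: stack.pop() if stack else None
    for _, name, operand in instrs:
        if name in ("ldc.i4", "ldc.i4.s"):
            stack.append(operand & 0xFFFFFFFF)
        elif name.startswith("ldc.i4."):            # ldc.i4.0 .. ldc.i4.8: constant is in the mnemonic
            stack.append(int(name.rsplit(".", 1)[1]))
        elif name in ("ldloc", "ldloc.s"):
            stack.append(locs.get(operand))         # None unless a folded store hit it earlier
        elif name.startswith("ldloc."):
            stack.append(locs.get(int(name[6:])))
        elif name in ("stloc", "stloc.s"):
            locs[operand] = pop()
        elif name.startswith("stloc."):
            locs[int(name[6:])] = pop()
        elif name in ops:
            b, a = pop(), pop()
            stack.append((ops[name](a, b) & 0xFFFFFFFF) if a is not None and b is not None else None)
        else:
            raise ValueError(f"cannot fold {name}")
    return locs


def scan(buf):
    """Offset of the signature in buf, or -1. Applies the rule's two conditions to one
    file: filesize < 20MB and the single $x string present."""
    if len(buf) >= MAX_FILESIZE:
        return -1
    return buf.find(SIG)


# Constructed buffers (not real samples): the pattern inside padding, and the same
# bytes with one bit of the second xor constant flipped (0x79b2f551 -> 0x79b2f550).
HIT = bytes(64) + SIG + bytes(64)
MISS = bytes(64) + SIG.replace(bytes.fromhex("51f5b279"), bytes.fromhex("50f5b279")) + bytes(64)

if __name__ == "__main__":
    listing = disassemble(SIG)
    for off, name, operand in listing:
        print(f"{off:02x}: {name}" + (f" {operand:#x}" if operand is not None else ""))
    folded = {k: (hex(v) if v is not None else None) for k, v in sorted(fold_constants(listing).items())}
    print("folded locals:", folded)
    print("hit at", scan(HIT), "| one-bit mutation:", scan(MISS))
```

Running it shows local 0x14 folding to 0x1485a09d while 0x15 and 0x17 stay unknown, and that a single flipped bit in one immediate is enough to evade the rule, which is the trade-off of an exact opcode signature: high accuracy on this build, no tolerance for re-obfuscation.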