Signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language), family Rozena.
Trojan:MSIL/Rozena.HNG!MTB is a .NET-based Trojan detected through machine-learning behavioral analysis. The malware belongs to the Rozena family, which is associated with malicious activity, indicating it likely aims to compromise the system and potentially steal data or perform other malicious actions.
No specific strings found for this threat
rule Trojan_MSIL_Rozena_HNG_2147908587_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Rozena.HNG!MTB"
        threat_id = "2147908587"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Rozena"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        // Consecutive UTF-16LE entries from the .NET user-string (#US) heap, each preceded by its
        // length byte: "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory", "ntdll",
        // "ZwUnmapViewOfSection", "CreateProcessA". This combination of Win32/native API names
        // referenced as managed strings is the import set commonly seen in process-hollowing loaders.
        $x_1_1 = {56 00 69 00 72 00 74 00 75 00 61 00 6c 00 41 00 6c 00 6c 00 6f 00 63 00 45 00 78 00 00 25 57 00 72 00 69 00 74 00 65 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 4d 00 65 00 6d 00 6f 00 72 00 79 00 00 23 52 00 65 00 61 00 64 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 4d 00 65 00 6d 00 6f 00 72 00 79 00 00 0b 6e 00 74 00 64 00 6c 00 6c 00 00 29 5a 00 77 00 55 00 6e 00 6d 00 61 00 70 00 56 00 69 00 65 00 77 00 4f 00 66 00 53 00 65 00 63 00 74 00 69 00 6f 00 6e 00 00 1d 43 00 72 00 65 00 61 00 74 00 65 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 41 00} // weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 6a1f394db151cf3b1366c7894f3e18e2e7d23dc8e239ab1bfd9b518479bd5c5f

Run a full scan with an updated antivirus, isolate the affected system, and investigate the source of the malware. Consider deploying an endpoint detection and response (EDR) solution for deeper visibility if one is available.