Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family Zilla
This threat is a Trojan from the Zilla malware family, a known group of malicious software. It was detected by a machine learning model based on its suspicious behavior, which often includes stealing sensitive information or downloading additional malware onto the system.
No specific strings found for this threat
rule Trojan_MSIL_Zilla_SLB_2147920864_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Zilla.SLB!MTB"
        threat_id = "2147920864"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Zilla"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {06 16 fe 01 39 03 00 00 00 00 17 0a 00 06 17 fe 01} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: b8fe102219ac498f855d823704eba0e2973547d2ce5abaf5b91eb0f84d57e21c

Isolate the affected machine from the network. Use Windows Defender to perform a full scan and remove the detected threat. Change passwords for all accounts used on this machine and investigate the initial infection vector.