Concrete signature match: type Trojan (appears legitimate but performs malicious actions), platform Win32 (32-bit Windows), family C2Lop
Trojan:Win32/C2Lop.B is a concrete detection for a Win32 Trojan that likely functions as adware or a browser hijacker. It modifies browser settings, installs unwanted toolbars (e.g., via `updbho.dll`), redirects search queries, and maintains persistence through update mechanisms and registry entries.
Relevant strings associated with this threat:
rule Trojan_Win32_C2Lop_B_122148_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/C2Lop.B"
        threat_id = "122148"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "C2Lop"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {51 55 57 8b 1f 8b 4f 04 ba b9 79 38 9e 8b c2 c1 e0 04 bf 10 00 00 00 8b eb c1 e5 04 2b cd 8b 6e 08 33 eb 2b cd 8b eb c1 ed 05 33 e8 2b cd 2b 4e 0c 8b e9 c1 e5 04 2b dd 8b 2e 33 e9 2b dd 8b e9 c1 ed 05 33 e8 2b dd 2b 5e 04 2b c2 4f 75 c8} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

5cf502642914350813993b9415a2da941f21a2732f2ac78e0dab9132b1c90bfb

Isolate the infected system immediately. Perform a full system scan with updated antivirus software. Manually remove suspicious browser extensions, toolbars, and unwanted programs, then reset browser settings to default. Consider reimaging the system if full eradication is uncertain.