Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Dusvext
Trojan:Win32/Dusvext.B is a concrete threat identified as a Trojan. Its strings indicate that it likely establishes command-and-control (C2) communication via HTTP requests to server-side scripts such as 'adduser.php' and 'poster.php', potentially to exfiltrate data or receive further commands. The presence of the string 'getklogs' strongly suggests keylogging capability, aimed at stealing sensitive user input.
Relevant strings associated with this threat:
- adduser.php?uid= (PEHSTR_EXT)
- poster.php?uid= (PEHSTR_EXT)
rule Trojan_Win32_Dusvext_B_2147648491_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Dusvext.B"
        threat_id = "2147648491"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Dusvext"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "]&country=" ascii //weight: 1
        $x_1_2 = "&cmpname=" ascii //weight: 1
        $x_1_3 = "adduser.php?uid=" ascii //weight: 1
        $x_1_4 = "poster.php?uid=" ascii //weight: 1
        $x_1_5 = "VertexNet" ascii //weight: 1
        $x_1_6 = "getklogs" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}

SHA-256: 55e5642c9d816b5710303286881ed71532ffa9e4ad5a55966dc61a20fa1abaae

Immediately isolate the infected host from the network. Perform a full system scan with updated antivirus software and remove all detected malicious files. Investigate for persistence mechanisms (e.g., registry run keys, scheduled tasks) and remove them. Given the suspected keylogging functionality, reset all user credentials that may have been entered on the compromised system and monitor for any unauthorized activity.
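The rule above is a weighted-string signature: each marker carries a weight and the file matches when the summed weight of the markers present reaches the threshold (4) and the file is under 20 MB. The following Python, added here as an illustration and not part of the signature page or the threatcheck.sh tooling, reproduces that evaluation in plain Python over constructed sample buffers (not real malware) so the threshold behaviour can be checked without a YARA install; the sample buffers and function names are assumptions.

```python
# Added example: emulate the weighted string threshold of the
# Trojan_Win32_Dusvext_B_2147648491_0 rule using only the values it lists.

# (pattern, weight) pairs copied from the rule; every weight here is 1,
# so the weighted sum reduces to YARA's "4 of ($x*)".
DUSVEXT_B_STRINGS = [
    (b"]&country=", 1),
    (b"&cmpname=", 1),
    (b"adduser.php?uid=", 1),
    (b"poster.php?uid=", 1),
    (b"VertexNet", 1),
    (b"getklogs", 1),
]
THRESHOLD = 4                      # meta "threshold = 4"
MAX_FILESIZE = 20 * 1024 * 1024    # YARA's "filesize < 20MB" (MB = 2**20)


def score(data: bytes, strings=DUSVEXT_B_STRINGS):
    """Sum the weights of the patterns found in data (case-sensitive byte
    search, matching the rule's 'ascii' modifier). Returns (total, matched)."""
    matched = [pat for pat, _ in strings if pat in data]
    total = sum(w for pat, w in strings if pat in data)
    return total, matched


def matches(data: bytes, threshold=THRESHOLD, max_filesize=MAX_FILESIZE) -> bool:
    """True when the buffer would satisfy the rule's full condition."""
    if len(data) >= max_filesize:  # "filesize < 20MB" is part of the condition
        return False
    total, _ = score(data)
    return total >= threshold


# Constructed sample buffers (hypothetical, not real samples): one with four
# of the six markers embedded in filler bytes, and a near miss with three.
SAMPLE_HIT = (b"\x00" * 16 + b"adduser.php?uid=" + b"\x00" * 8
              + b"poster.php?uid=" + b"getklogs" + b"VertexNet" + b"\x00" * 16)
SAMPLE_NEAR_MISS = b"MZ" + b"adduser.php?uid=" + b"poster.php?uid=" + b"getklogs"

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("near-miss", SAMPLE_NEAR_MISS)):
        total, matched = score(buf)
        print(f"{name}: match={matches(buf)} weight={total} strings={matched}")
```

Because every weight in this rule is 1, the emulation is exact; for PEHSTR rules with unequal weights the same summed-weight check still applies, which a plain "N of" YARA condition would not capture.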