Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Win32 (32-bit Windows), family FormBook
This detection indicates a concrete identification of Trojan:Win32/FormBook.NF, a sophisticated information stealer known for keylogging, screenshot capture, and exfiltration of sensitive data. The threat utilizes various techniques including API hooking, process injection, abuse of legitimate system utilities (mshta, regsvr32, rundll32, PowerShell, BITS jobs), and scheduled tasks for persistence and malicious execution.
Relevant strings associated with this threat:
- FrmForca.resources (PEHSTR_EXT)
- WindowsApp3.Resources.resources (PEHSTR_EXT)
- AlgorithmSimulator.Properties.Resources (PEHSTR_EXT)
- XigGSm.g.resources (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Win32_FormBook_NF_2147912072_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/FormBook.NF!MTB"
        threat_id = "2147912072"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "FormBook"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "Low"
    strings:
        $x_3_1 = {8d 52 01 66 89 06 8a ?? 8d 76 02 84 c0 75 ef 5e} //weight: 3, accuracy: Low
        $x_3_2 = {33 c0 38 01 74 0d 8d 49 00 80 7c 08 01 ?? 8d 40 01 75 f6 33 c9 66} //weight: 3, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected system to prevent further compromise or data exfiltration. Perform a full system scan with up-to-date antivirus and remove all detected malicious files. Subsequently, reset all user and system credentials associated with or accessed from the compromised host, and thoroughly investigate for any established persistence mechanisms or signs of data exfiltration.
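As an added illustration (not part of the original page or of the threatcheck.sh rule), the Python below translates the two hex strings from the rule above into byte regexes, treating ?? as a one-byte wildcard, and applies the rule's filesize and "all of" condition the way a triage script without yara-python would; the SAMPLE buffer is constructed for the demonstration and is not a real malware sample.

```python
import re

# Hex strings from rule Trojan_Win32_FormBook_NF_2147912072_0; "??" is a one-byte wildcard.
PATTERNS = {
    "x_3_1": "8d 52 01 66 89 06 8a ?? 8d 76 02 84 c0 75 ef 5e",
    "x_3_2": "33 c0 38 01 74 0d 8d 49 00 80 7c 08 01 ?? 8d 40 01 75 f6 33 c9 66",
}
MAX_FILESIZE = 20 * 1024 * 1024  # rule condition: filesize < 20MB (YARA's MB is 2^20 bytes)


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string into a bytes regex; ?? matches any single byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    # DOTALL so the wildcard also matches 0x0a, which "." would otherwise skip
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes) -> dict:
    """Return every match offset per pattern and whether the rule's condition holds."""
    offsets = {name: [m.start() for m in hex_pattern_to_regex(pat).finditer(data)]
               for name, pat in PATTERNS.items()}
    # condition: (filesize < 20MB) and (all of ($x*)); each string weighs 3, so both
    # are needed to reach the rule's threshold of 6
    matched = len(data) < MAX_FILESIZE and all(offsets[name] for name in PATTERNS)
    return {"offsets": offsets, "matched": matched}


# Constructed test buffer (not real malware): padding, x_3_1 with 0x41 in the wildcard
# slot, more padding, then x_3_2 with 0xff in its wildcard slot.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("8d5201668906" "8a41" "8d7602" "84c0" "75ef" "5e")
    + b"\x00" * 5
    + bytes.fromhex("33c0" "3801" "740d" "8d4900" "807c0801" "ff" "8d4001" "75f6" "33c9" "66")
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    print(result)  # offsets x_3_1 -> [8], x_3_2 -> [29], matched -> True
```

Because both strings carry accuracy "Low" and are short code fragments, a hit from this matcher is a triage signal to confirm with the full engine and the host-level checks listed above, not a verdict on its own.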