Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Malex
This is a Trojan from the Malex malware family, detected by Microsoft's machine learning behavioral analysis engine (!MTB). As a Trojan, it likely masquerades as a legitimate program to execute malicious activities such as stealing information, downloading other malware, or providing backdoor access to the compromised system.
No specific strings found for this threat
rule Trojan_Win32_Malex_AMX_2147928584_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Malex.AMX!MTB"
        threat_id = "2147928584"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Malex"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "3"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {6a 01 6a 10 68 94 7a 42 00 68 06 7c 42 00 e8 ?? ?? ?? ?? 83 c4 10 6a 01 6a 10 68 a5 7a 42 00 68 06 7c 42 00 e8 ?? ?? ?? ?? 83 c4 10 6a 01 6a 10 68 b6 7a 42 00 68 06 7c 42 00 e8 ?? ?? ?? ?? 83 c4 10 6a 01 6a 10 ff 35 e4 7a 42 00 68 06 7c 42 00 e8} //weight: 2, accuracy: Low
        $x_1_2 = {83 c4 1c ff 35 20 59 42 00 68 80 8d 42 00 68 28 9c 41 00 e8 ?? ?? ?? ?? 83 c4 0c 68 28 9c 41 00 68 a4 8d 42 00 68 30 97 41 00} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected machine from the network immediately. Use your endpoint security solution to quarantine and remove the detected file. Investigate for persistence mechanisms or further compromise, and ensure all systems and security tools are fully updated.