Signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family OffLoader
Trojan:Win32/OffLoader.AH!MTB is a concrete detection of a Trojan designed for the Win32 platform. This malware is configured to communicate with various command-and-control (C2) servers to download and execute additional malicious payloads, often operating stealthily as suggested by the '/silent' string.
Relevant strings associated with this threat:
- ://memoryneck.info/goo.php? (PEHSTR_EXT)
- ://volleyballsong.xyz/goos.php? (PEHSTR_EXT)
- /silent (PEHSTR_EXT)
rule Trojan_Win32_OffLoader_AH_2147945057_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/OffLoader.AH!MTB"
        threat_id = "2147945057"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "OffLoader"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "8"
        strings_accuracy = "High"
    strings:
        $x_3_1 = "seabusiness.xyz/fkis.php" wide //weight: 3
        $x_3_2 = "sonplane.info/fki.php?pe" wide //weight: 3
        $x_3_3 = "cakestoothbrush.icu/lui.php?pe" wide //weight: 3
        $x_3_4 = "sodabedroom.xyz/luis.php" wide //weight: 3
        $x_3_5 = "teethelbow.icu/tri.php?pe" wide //weight: 3
        $x_3_6 = "ministerkiss.xyz/tris.php?pe" wide //weight: 3
        $x_3_7 = "frogtruck.xyz/mee.php?" wide //weight: 3
        $x_3_8 = "quincestreet.icu/mees.php?" wide //weight: 3
        $x_3_9 = "creatoreggs.icu/oiu.php?" wide //weight: 3
        $x_3_10 = "buttonsize.xyz/oius.php?pe" wide //weight: 3
        $x_3_11 = "eventauthority.info/kkk.php?pe" wide //weight: 3
        $x_3_12 = "quincepart.icu/kkks.php?" wide //weight: 3
        $x_3_13 = "biketoes.xyz/slf.php?pe" wide //weight: 3
        $x_3_14 = "smellstamp.icu/slfs.php" wide //weight: 3
        $x_3_15 = "railwaytime.xyz/slfs.php" wide //weight: 3
        $x_3_16 = "laughincome.icu/slf.php?pe" wide //weight: 3
        $x_3_17 = "memoryneck.info/goo.php?pe" wide //weight: 3
        $x_3_18 = "volleyballsong.xyz/goos.php" wide //weight: 3
        $x_3_19 = "airplanemove.info/yut.php?pe" wide //weight: 3
        $x_3_20 = "producesound.xyz/yuts.php?" wide //weight: 3
        $x_3_21 = "stoveweather.info/too.php?pe" wide //weight: 3
        $x_3_22 = "yarncontool.icu/toos.php?" wide //weight: 3
        $x_3_23 = "daughtercemetery.xyz/par.php?pe" wide //weight: 3
        $x_3_24 = "committeedinner.icu/pars.php?pe" wide //weight: 3
        $x_1_25 = "nocookies" wide //weight: 1
        $x_1_26 = "Do you want to reboot now?" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((2 of ($x_3_*) and 2 of ($x_1_*))) or
            ((3 of ($x_3_*))) or
            (all of ($x*))
        )
}

Associated file hashes:
- 6f10858bf67f3416c3b35f872e2afbaacc82ae77946a5e468fcc2ff720687ac5
- 77a3da4cedb91ae9c3a83e4dade09e05caa76acb1db7c5b20c257f1ec0951303

Remediation: Immediately isolate the affected system from the network. Perform a full system scan using up-to-date antivirus software and ensure all detected malicious files are removed. Investigate for persistence mechanisms and secondary infections, and consider restoring from a known clean backup if extensive compromise is suspected.