Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Phorpiex
This detection identifies Trojan:Win32/Phorpiex.BF!MTB, a specific variant of the notorious Phorpiex botnet. Phorpiex is known for its role in distributing other malware (such as ransomware and info-stealers), sending spam, and launching DDoS attacks. The concrete detection with a specific YARA signature and low false positive risk indicates a high-confidence threat.
No specific strings found for this threat
rule Trojan_Win32_Phorpiex_BF_2147837208_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Phorpiex.BF!MTB"
        threat_id = "2147837208"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Phorpiex"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        // Opcode pattern: a 32-bit x86 loop that loads successive bytes (movsx), XORs them with a
        // key byte or inverts them (not), and writes each result back in place, i.e. an in-place
        // payload decoding routine (disassembly interpretation added here, not part of the original rule).
        $x_2_1 = {8b 45 f0 0f be 4c 05 f4 8b 55 08 03 55 fc 0f be 02 33 c1 8b 4d 08 03 4d fc 88 01 eb c9 8b 55 08 03 55 fc 0f be 02 f7 d0 8b 4d 08 03 4d fc 88 01 eb} //weight: 2, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated hashes listed on the page (five 64-character hex values, run together in the extracted text and separated here):
a0f9d89853963fa2ead2a079952d1d321a60058a3e1198f445162489fa656615
74fcf1e27180d840b8de78ec4cfbb48e5b7a43f13c579c9afbef17fc2b47ac02
26b441b6ac06968d8029babb90fba7927e1d21c9cb84b0492c4890bca5dd2660
b9b52cc15fa1c03663a49c10af56e8f7aaa786d7688a75176d6fbfb779e8faca
553972250e6766defd1125152eef38c0b8024e9ba2d65c5ca83ef1d04a1685eb

Remediation: Immediately isolate the infected system from the network to prevent further spread and to cut off command-and-control communication. Perform a full system scan with updated antivirus software and remove or quarantine the detected threat. Additionally, ensure all operating system and application patches are current, enforce strong password policies, and train users to recognize phishing attempts and practice safe browsing habits.