Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 32-bit Windows, family: Phorpiex
This threat is a Trojan from the Phorpiex botnet family, a worm known for self-propagation and for delivering additional malware payloads. The detection includes the string 'xmr.exe', which indicates the Trojan has likely dropped a Monero cryptocurrency miner; such a miner consumes system resources and causes significant performance degradation.
No specific strings found for this threat
rule Trojan_Win32_Phorpiex_SX_2147957801_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Phorpiex.SX!MTB"
        threat_id = "2147957801"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Phorpiex"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "31"
        strings_accuracy = "Low"
    strings:
        $x_20_1 = {f7 f9 6b d2 0f 52 ff 15 ?? ?? ?? ?? e8 ?? ?? ?? ?? 99 8b cf f7 f9 03 d6} //weight: 20, accuracy: Low
        $x_10_2 = {53 8d 45 e8 50 ff 75 f8 8d 85 dc fc ff ff 50 ff 75 f0 ff 15 ?? ?? ?? ?? 8d 45 f8 50 68} //weight: 10, accuracy: Low
        $x_1_3 = "xmr.exe" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash (SHA-256): 3bfe06669545cf2b91a149149cc23073d631e237f5aaac237dbe7da67b227477

Remediation steps:
1. Isolate the affected machine from the network to prevent lateral movement.
2. Run a full scan with an updated antivirus product to remove all malicious components.
3. Check for persistence mechanisms (e.g., scheduled tasks, registry run keys) and any dropped files like 'xmr.exe'.
4. Change all user and administrative passwords associated with the system.