Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the 32-bit Windows platform, family ReverseShell
This is a concrete detection of Trojan:Win32/ReverseShell.GXT!MTB, a malicious program that establishes a reverse shell connection from the compromised Windows system to an attacker-controlled server, granting unauthorized remote control. The threat was identified through machine learning behavioral analysis and has a low false positive risk, indicating high confidence in its malicious nature.
No specific strings found for this threat
rule Trojan_Win32_ReverseShell_GXT_2147951014_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/ReverseShell.GXT!MTB"
        threat_id = "2147951014"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "ReverseShell"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "10"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {8d 85 50 fe ff ff 89 44 24 04 8b 45 f0 89 04 24 a1 ?? ?? ?? ?? ff d0 83 ec 0c 85 c0} //weight: 5, accuracy: Low
        $x_5_2 = {ff d0 83 ec 18 89 45 f0 66 c7 85 ?? ?? ?? ?? 02 00 8b 45 f4 0f b7 c0 89 04 24 a1 ?? ?? ?? ?? ff d0 83 ec 04 66 89 85 52 fe ff ff c7 04 24 ?? ?? ?? ?? a1 ?? ?? ?? ?? ff d0 83 ec 04 89 85} //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

08790f082e9636f095ba679f927a35bb945b5e680d9c62f5029364698171623f

Immediately isolate the infected system from the network to prevent further compromise or data exfiltration. Perform a full system scan with updated antivirus software to remove the threat and any associated files. Investigate for persistence mechanisms, identify the initial infection vector, and review network logs for C2 communication attempts.