Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 32-bit Windows, family: ShellCodeRunner
This threat is a trojan identified by its behavior as a shellcode runner. Its primary function is to execute malicious code in memory, a common technique used to bypass security controls and download additional malware payloads.
No specific strings found for this threat
rule Trojan_Win32_ShellCodeRunner_NZL_2147942096_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/ShellCodeRunner.NZL!MTB"
        threat_id = "2147942096"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "ShellCodeRunner"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "9"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {8b c3 8b 5d f0 88 0c 3a 8b 55 e0 0f b6 0c 02 0f b6 04 3a 03 c8 83 7e ?? 0f 0f b6 c1 8b ce 89 45 ec 76} //weight: 5, accuracy: Low
        $x_4_2 = {8a 0c 01 32 0c 16 8b 53 ?? 88 4d ff 3b 53 08 74} //weight: 4, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hashes (SHA-256):
33007149b2e210384c82ebdc51994db576e71149c39d43dd46cb973c551eb21c
0b586f16ba08538d8779a08b19004993f2bad1aa936ef2e75899c24133309357

Isolate the affected system from the network. Use your security software to remove the threat and perform a full system scan. Investigate for signs of further compromise, such as unusual network traffic or persistence mechanisms, as this threat may have downloaded other malware.