Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family SmokeLoader
Trojan:Win32/SmokeLoader.L!MTB is a dangerous loader trojan detected through machine learning behavioral analysis, indicating suspicious activities consistent with its function. SmokeLoader typically establishes persistence, downloads secondary malware payloads, and can facilitate data exfiltration or further system compromise. Its primary role is to act as an initial infection vector for other malicious campaigns.
No specific strings found for this threat
rule Trojan_Win32_SmokeLoader_L_2147896609_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win32/SmokeLoader.L!MTB"
threat_id = "2147896609"
type = "Trojan"
platform = "Win32: Windows 32-bit platform"
family = "SmokeLoader"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "1"
strings_accuracy = "Low"
strings:
$x_1_1 = {8b d7 d3 ea 03 c7 89 45 ec c7 05 ?? ?? ?? ?? ee 3d ea f4 03 55 dc 8b 45 ec 31 45 fc 33 55 fc 81 3d ?? ?? ?? ?? 13 02 00 00 89 55 ec 75 0b} //weight: 1, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}5f20a054e3a4c80300a2c020046eb6b4dbfc16631770aab5fd6c4acfcccb6f2fImmediately isolate the affected endpoint to prevent lateral movement. Perform a comprehensive system scan with current antivirus definitions and remove all detected malicious files. Investigate for persistence mechanisms and network connections to potential command and control servers, and consider reimaging the system if compromise is confirmed.