Trojan:Win32/Sonbokli.A!cl - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Sonbokli.A!cl
Classification:
Type: Trojan
Platform: Win32
Family: Sonbokli
Detection Type: Concrete (known malware family with identified signatures)
Variant: A (specific signature variant within the malware family)
Suffix: !cl
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the 32-bit Windows platform, family Sonbokli.

VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule Trojan_MSIL_Sonbokli_ASN_2147907198_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Sonbokli.ASN!MTB"
        threat_id = "2147907198"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Sonbokli"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {2c 10 08 7b 02 00 00 04 8e 69 16 fe 02 16 fe 01 2b 01 17 00 13 05 11 05 2d 0c 00 07 16 6f 13 00 00 0a 00 00 2b 0a 00 07 17 6f 13 00 00 0a 00 00 07}  //weight: 1, accuracy: High
        $x_1_2 = {0a 00 00 06 02 6f ?? 00 00 0a 6f ?? 00 00 0a 0c de 21 0b 00 72 ?? 00 00 70 28 ?? 00 00 0a 00 14 0c de 10 06 14 fe 01 0d 09 2d 07 06}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
=== END REPORT ===
This analysis was last updated on 08/11/2025.