Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family SpyAgent
Trojan:Win32/SpyAgent!AMTB is a concrete detection for a sophisticated spyware variant designed to monitor user activities and exfiltrate sensitive information. It collects system data, performs screen captures, potentially sniffs network traffic, and sends stolen data to attacker-controlled command-and-control servers or via stealth email, often masquerading as legitimate system processes.
Relevant strings associated with this threat:

- C:\wpcap.dll (PEHSTR)
- mail.stealth-email.com:26 (PEHSTR)
- %s\csrss.exe (PEHSTR)
- Computer IP Address: %s (PEHSTR)
- *Content-Type: text/plain; charset=us-ascii (PEHSTR)
- SPYAGENT4HASHCIPHER (PEHSTR)
- screenCapture (PEHSTR)
- C:\TEMP\haleng.exe (PEHSTR_EXT)
- http://uehge4g6Gh.2ihsfa.com/api/?sid=0&key=8e56becd9ed99edf57d41e1dd73118c5 (PEHSTR_EXT)
- D:\workspace\workspace_c\Gj7eU93o7gGhg_19\Release\Gj7eU93o7gGhg_19.pdb (PEHSTR_EXT)
- jfiag3g_gg.exe (PEHSTR_EXT)
- fj4ghga23_fsa.txt (PEHSTR_EXT)
- get_Http (PEHSTR_EXT)
- .boot (PEHSTR_EXT)
- .JJVQJMA (PEHSTR_EXT)
- C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys (PEHSTR_EXT)
- /dumpstatus (PEHSTR_EXT)
- \SystemRoot\system32\BOOTVI (PEHSTR_EXT)
- Stealer.exe (PEHSTR_EXT)
- HttpOpenRequestW (PEHSTR_EXT)
- .ungaina (PEHSTR_EXT)
- .refutab (PEHSTR_EXT)
- .implume (PEHSTR_EXT)
- .turbody (PEHSTR_EXT)
- .calvini (PEHSTR_EXT)
- .becircl (PEHSTR_EXT)
- DetectSandBoxByDll (PEHSTR)
- \windows\lsass.exe (PEHSTR)
- SPYAGENT@ (PEHSTR)
- SpyAgent_HWND32 (PEHSTR_EXT)
- %s\saopts.dat (PEHSTR_EXT)
- Spytech SpyAgent (PEHSTR_EXT)
- \spytech software\spyagent\spyagent.exe (FILEPATH)
- \spytech spyagent (FOLDERNAME)
- \programs\spytech spyagent (FOLDERNAME)
- \spytech software\spyagent (FOLDERNAME)
- \spytech software\spytech spyagent (FOLDERNAME)
- \spytech software\spyagent professional (FOLDERNAME)
- software\microsoft\windows\currentversion\uninstall\spytech spyagent (REGKEY)
- software\microsoft\windows\currentversion\uninstall\spytech spyagent professional (REGKEY)
- \spytech software\spytech spyagent\deploy.exe (ASEP_FILEPATH)
- \spytech software\spytech spyagent\svchost.exe (ASEP_FILEPATH)
- \spytech software\spytech spyagent\sysdiag.exe (ASEP_FILEPATH)
- \spytech software\spytech spyagent\nostealth.exe (ASEP_FILEPATH)
- \spytech software\spytech spyagent\driver-setup.exe (ASEP_FILEPATH)
- SOFTWARE\KMiNT21\PersonalDesktopSpy (REGKEY)
- OLEACC.dll (PEHSTR_EXT)
- </HTML> (PEHSTR_EXT)
- NeoLite Executable File Compressor (PEHSTR_EXT)
- SOFTWARE\Spytech (PEHSTR)
- %s\sacache\skeys%d.log (PEHSTR)
- Spytech SpyAgent Keystroke (PEHSTR)
- %ssacache\skeys.log (PEHSTR)
- &Content-Type: text/html; name=logs.txt (PEHSTR)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
```yara
rule Trojan_Win32_SpyAgent_AMTB_2147954752_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/SpyAgent!AMTB"
        threat_id = "2147954752"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "SpyAgent"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "http.Open(\"POST\", \"http://zx.pe/bp.php\", false)" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
```

Immediately isolate the compromised system from the network to prevent further data exfiltration. Perform a full system scan with updated endpoint security software and remove all detected threats. Investigate for persistence mechanisms (e.g., startup entries, scheduled tasks) and thoroughly clean the system, followed by resetting all user and administrative credentials that may have been exposed.
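A host triage check for the persistence artifacts the signature lists (the REGKEY, FOLDERNAME, FILEPATH and ASEP_FILEPATH entries), added here as an example; it is not code from the page or from Microsoft Defender. It assumes the registry keys live under HKLM or HKCU, that the relative paths sit under the usual install roots named in `$roots`, and that autorun persistence would show up in the Run keys.

```powershell
# Added triage script (not from the page or from Microsoft Defender): checks a host for
# the REGKEY, FOLDERNAME, FILEPATH and ASEP_FILEPATH artifacts listed in the signature.
# Assumptions: keys are tried under HKLM and HKCU; relative paths are resolved under $roots.
$ErrorActionPreference = 'SilentlyContinue'
$regKeys = @(   # REGKEY entries, as given on the page
  'software\microsoft\windows\currentversion\uninstall\spytech spyagent',
  'software\microsoft\windows\currentversion\uninstall\spytech spyagent professional',
  'SOFTWARE\KMiNT21\PersonalDesktopSpy'
)
$pathSuffixes = @(   # FOLDERNAME, FILEPATH and ASEP_FILEPATH entries, as given on the page
  '\spytech spyagent', '\programs\spytech spyagent',
  '\spytech software\spyagent', '\spytech software\spytech spyagent',
  '\spytech software\spyagent professional',
  '\spytech software\spyagent\spyagent.exe',
  '\spytech software\spytech spyagent\deploy.exe',
  '\spytech software\spytech spyagent\svchost.exe',
  '\spytech software\spytech spyagent\sysdiag.exe',
  '\spytech software\spytech spyagent\nostealth.exe',
  '\spytech software\spytech spyagent\driver-setup.exe'
)
# Install roots to resolve the relative paths under (assumption, not from the signature)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
$hits = New-Object System.Collections.Generic.List[string]
foreach ($hive in 'HKLM:', 'HKCU:') {
  foreach ($k in $regKeys) {
    $full = Join-Path $hive $k
    if (Test-Path -LiteralPath $full) { $hits.Add("REGKEY   $full") }
  }
}
foreach ($root in $roots) {
  foreach ($s in $pathSuffixes) {
    $full = Join-Path $root $s.TrimStart('\')
    if (Test-Path -LiteralPath $full) { $hits.Add("PATH     $full") }
  }
}
# Run-key values pointing at one of the ASEP executables under a spytech folder
$asepNames = $pathSuffixes | Where-Object { $_ -like '*.exe' } | ForEach-Object { Split-Path $_ -Leaf }
foreach ($runKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
  $props = Get-ItemProperty -LiteralPath $runKey; if (-not $props) { continue }
  foreach ($p in $props.PSObject.Properties) {
    foreach ($n in $asepNames) {
      if ("$($p.Value)" -like "*\spytech*\$n*") { $hits.Add("AUTORUN  $runKey\$($p.Name) = $($p.Value)") }
    }
  }
}
if ($hits.Count -eq 0) { Write-Output 'No SpyAgent artifacts found.'; exit 0 }
$hits | ForEach-Object { Write-Output $_ }   # one finding per line; non-zero exit flags the host
exit 1
```

Run it elevated so HKLM and the Program Files roots are readable; a non-zero exit code marks the host for the isolation and credential-reset steps above.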