Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family AgentTesla
This detection signifies a concrete identification of Trojan:Win64/AgentTesla.GVK, a highly dangerous information-stealing malware family targeting 64-bit Windows systems. AgentTesla is known for its capabilities to exfiltrate sensitive data, credentials, and system information, posing a severe threat to data confidentiality and system integrity.
No specific strings found for this threat
rule Trojan_Win64_AgentTesla_GVK_2147952580_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win64/AgentTesla.GVK!MTB"
threat_id = "2147952580"
type = "Trojan"
platform = "Win64: Windows 64-bit platform"
family = "AgentTesla"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "2"
strings_accuracy = "Low"
strings:
$x_2_1 = {41 8b c0 99 f7 ff 3b d7 73 ?? 44 8b d2 46 0f b6 54 16 10 44 3b 41 08 73 ?? 41 8b c0 44 88 54 01 10 41 ff c0 44 3b c3 7c d7} //weight: 2, accuracy: Low
$x_2_2 = {4c 8b 09 49 c1 c1 38 4c 03 0a 44 8b d8 4f 33 4c d8 10 4c 89 09 4c 8b 0a 49 c1 c1 03 4c 33 09 4c 89 0a ff c0 44 3b d0 7f d7} //weight: 2, accuracy: High
condition:
(filesize < 20MB) and
(1 of ($x*))
}7078964ebd7ca7d1b69d971536e105602377c45a585dcc56a9702fee3c36b695Immediately isolate the affected system to prevent further compromise. Terminate any associated malicious processes and thoroughly remove the detected file. Conduct a full system scan with updated antivirus/EDR, investigate for persistence mechanisms, and reset all credentials that might have been stored on or accessed from the compromised machine.