Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Win64 (Windows 64-bit), family Androm
This is a concrete detection of Trojan:Win64/Androm.RG!MTB, a malicious program targeting 64-bit Windows systems. The !MTB suffix (expanded in the rule metadata as "Microsoft Threat Behavior") marks a signature whose identification is attributed primarily to behavioral and machine-learning analysis of observed activity rather than solely to static signatures. Note, however, that the rule body published below is a static PE byte-pattern signature (SIGNATURE_TYPE_PEHSTR_EXT): it fires when the code sequence is present in the file, not on runtime behavior.
No printable text strings are associated with this threat; the rule below matches a single 39-byte x86-64 code sequence. Decoded, it is an unoptimized single-key XOR loop: it loads an 8-bit key from [rsp+0x38], XORs it into the byte at the pointer held in [rsp+0x20], writes the result back, increments the pointer, and jumps 59 bytes backward to the loop condition, which is the shape of a simple payload decryptor.
rule Trojan_Win64_Androm_RG_2147895375_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win64/Androm.RG!MTB"
threat_id = "2147895375"
type = "Trojan"
platform = "Win64: Windows 64-bit platform"
family = "Androm"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "1"
strings_accuracy = "High"
strings:
$x_1_1 = {0f b6 44 24 38 48 8b 4c 24 20 0f be 09 33 c8 8b c1 48 8b 4c 24 20 88 01 48 8b 44 24 20 48 ff c0 48 89 44 24 20 eb c5} //weight: 1, accuracy: High
condition:
(filesize < 20MB) and
(all of ($x*))
}

Associated SHA-256: eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757

Isolate the affected system immediately and run a full scan with up-to-date antivirus signatures to quarantine or remove the detected file. Then investigate persistence mechanisms and signs of data exfiltration, and review system logs for anomalous activity to establish the full scope of the compromise.
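The following script is an added example, not code from the threatcheck.sh page or from the rule's author. It converts the rule's hex string into a byte search (also accepting `??` wildcards, which this rule does not use), resolves the loop's backward jump from the match offset, and reimplements the single-byte XOR loop the matched code performs so that a blob found near the match can be tried against all 256 keys. The sample image it scans is constructed inline; the 20-byte loop header, the placement of the encrypted blob, and the key 0x5A are assumptions made for the demonstration.

```python
"""Triage helper for the Androm.RG XOR-loop signature (added example).

Not from threatcheck.sh; all sample data below is constructed for the demo.
"""
import re
import struct

# Hex pattern exactly as written in the rule's $x_1_1 string. Decoded:
#   0f b6 44 24 38     movzx eax, byte ptr [rsp+0x38]   ; key
#   48 8b 4c 24 20     mov   rcx, [rsp+0x20]            ; pointer
#   0f be 09           movsx ecx, byte ptr [rcx]        ; *ptr
#   33 c8              xor   ecx, eax                   ; *ptr ^ key
#   8b c1              mov   eax, ecx
#   48 8b 4c 24 20     mov   rcx, [rsp+0x20]
#   88 01              mov   [rcx], al                  ; write back
#   48 8b 44 24 20     mov   rax, [rsp+0x20]
#   48 ff c0           inc   rax                        ; ptr++
#   48 89 44 24 20     mov   [rsp+0x20], rax
#   eb c5              jmp   short -0x3b                ; back to loop test
PATTERN_HEX = ("0f b6 44 24 38 48 8b 4c 24 20 0f be 09 33 c8 8b c1 48 8b 4c 24 20 "
               "88 01 48 8b 44 24 20 48 ff c0 48 89 44 24 20 eb c5")
PATTERN_LEN = 39


def parse_hex_pattern(text: str):
    """Turn a YARA-style hex string ('??' = any byte) into a compiled bytes regex."""
    parts = []
    for tok in text.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes, pattern_hex: str = PATTERN_HEX) -> list:
    """Offsets at which the signature's byte sequence occurs in `data`."""
    return [m.start() for m in parse_hex_pattern(pattern_hex).finditer(data)]


def loop_head_offset(data: bytes, match_off: int) -> int:
    """Resolve the trailing 'jmp rel8' (eb c5): target = next_ip + signed disp."""
    end = match_off + PATTERN_LEN
    rel = struct.unpack("<b", data[end - 1:end])[0]
    return end + rel


def xor_decode(blob: bytes, key: int) -> bytes:
    """Equivalent of the matched loop: every byte XORed with one 8-bit key."""
    return bytes(b ^ key for b in blob)


def brute_force_pe(blob: bytes) -> list:
    """Keys under which `blob` decodes to an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    for key in range(256):
        dec = xor_decode(blob, key)
        if len(dec) < 0x40 or dec[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
        if e_lfanew + 4 <= len(dec) and dec[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            hits.append(key)
    return hits


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed image: 20 bytes of loop prologue, the signature bytes, padding,
    then a fake PE header encrypted with `key` (assumed layout, demo only)."""
    header = bytearray(0x100)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\0\0"
    loop = bytes.fromhex(PATTERN_HEX.replace(" ", ""))
    return b"\x90" * 20 + loop + b"\xcc" * 8 + xor_decode(bytes(header), key)


if __name__ == "__main__":
    img = build_sample()
    for off in find_matches(img):
        print(f"signature at 0x{off:x}, loop test at 0x{loop_head_offset(img, off):x}")
        blob = img[off + PATTERN_LEN + 8:]          # assumed blob placement
        print("candidate XOR keys:", [hex(k) for k in brute_force_pe(blob)])
```

For production scanning keep using `yara` with the rule above; this script is for triage of a file that already matched: take the match offset, find the buffer the loop walks (on a real sample, read the pointer setup before the loop head rather than relying on the fixed offset assumed here), and try the key brute force to recover the embedded payload.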