Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family DonutLoader
Trojan:Win64/DonutLoader.GRR!MTB is a high-confidence detection of a Windows Trojan that injects malicious .NET assemblies into unmanaged processes. The threat acts as a loader: it stages the system for further compromise or for delivery of additional payloads. The detection combines a concrete byte signature with machine-learning behavioral analysis (the MTB suffix), so a match indicates a high likelihood of active compromise and malicious intent.
No readable text strings are listed for this threat; the rule below matches on a single hex byte pattern.
rule Trojan_Win64_DonutLoader_GRR_2147945416_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/DonutLoader.GRR!MTB"
        threat_id = "2147945416"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "DonutLoader"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"

    strings:
        // Raw x86-64 instruction bytes taken from the loader's code section
        $x_1_1 = {44 01 c2 0f b6 d2 44 29 c2 41 89 d3 48 63 d2 44 0f b6 04 14 46 88 04 14 88 0c 14 42 02 0c 14 0f b6 c9 0f b6 14 0c 30 13 48 83 c3 01 49 39 d9} //weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 0c0eb52c996d1ef6cdc71d1cd48e73cbd26eb01b6c971cfc38c74db27f4b4eea

Remediation: Immediately isolate the affected system from the network to prevent further compromise. Remove all malicious files identified by Windows Defender. Perform a full system scan with updated antivirus software and investigate for persistence mechanisms (e.g., startup entries, scheduled tasks). Patch any identified vulnerabilities that may have been exploited, and monitor for unusual network activity.