Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Farfli
This detection identifies a variant of the Farfli family, a well-known Remote Access Trojan (RAT). Once active, Farfli allows an attacker to gain complete control over the infected system, enabling them to steal sensitive information, log keystrokes, and execute arbitrary commands. The '!MTB' suffix indicates this threat was identified by its malicious behavior using machine learning.
No specific strings found for this threat
rule Trojan_Win64_Farfli_ADC_2147941919_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Farfli.ADC!MTB"
        threat_id = "2147941919"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Farfli"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_4_1 = {2b ca 41 f7 e2 80 c1 36 43 30 0c 03 c1 ea 03 8d 0c 92 03 c9 44 3b d1 4d 0f 44 cf 41 ff c2 49 ff c3 44 3b d7 7c} //weight: 4, accuracy: High
        $x_1_2 = {41 0f b6 0c 29 4c 8b 43 10 49 ff c1} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

1. Isolate the affected machine from the network immediately.
2. Use Windows Defender to quarantine and remove the detected threat.
3. Investigate for persistence mechanisms, data exfiltration, and other signs of compromise.
4. Reset all credentials and passwords that were used on the infected system.
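As an added example (not code from the threatcheck.sh page or from Microsoft), the following Python evaluates the two hex patterns of the rule above with the weighted-threshold semantics its metadata describes: $x_4_1 carries weight 4, $x_1_2 weight 1, and the threshold is 5, which is why the YARA condition reduces to all of ($x*). The sample buffers are constructed, and the regex-based pattern helper and the MB-as-2^20 size gate are assumptions about how such a rule is evaluated.

```python
# Added example: weighted-threshold evaluation of the Farfli.ADC rule patterns.
import re
from typing import Dict, Tuple

# Patterns and weights copied from the rule's strings section and its //weight comments.
PATTERNS: Dict[str, Tuple[str, int]] = {
    "$x_4_1": ("2b ca 41 f7 e2 80 c1 36 43 30 0c 03 c1 ea 03 8d 0c 92 03 c9 44 3b d1 4d 0f 44 cf 41 ff c2 49 ff c3 44 3b d7 7c", 4),
    "$x_1_2": ("41 0f b6 0c 29 4c 8b 43 10 49 ff c1", 1),
}
THRESHOLD = 5                     # meta: threshold = "5"
MAX_FILESIZE = 20 * 1024 * 1024   # condition: filesize < 20MB (assumed MB = 2^20 bytes)


def hex_to_regex(hex_pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string ('??' allowed as a wildcard byte) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def score(buf: bytes) -> Tuple[int, Dict[str, int]]:
    """Return (sum of weights of matched patterns, first offset per pattern or -1 if absent)."""
    total, hits = 0, {}
    for name, (pattern, weight) in PATTERNS.items():
        m = hex_to_regex(pattern).search(buf)
        hits[name] = m.start() if m else -1
        if m:
            total += weight
    return total, hits


def matches(buf: bytes) -> bool:
    """Mirror the rule: the size gate plus a weighted score that reaches the threshold."""
    if len(buf) >= MAX_FILESIZE:
        return False
    return score(buf)[0] >= THRESHOLD


def _raw(hex_pattern: str) -> bytes:
    return bytes.fromhex(hex_pattern.replace(" ", ""))


# Constructed sample buffers (not real Farfli samples): patterns wrapped in filler bytes.
SAMPLE_BOTH = b"\x90" * 16 + _raw(PATTERNS["$x_4_1"][0]) + b"\xcc" * 8 + _raw(PATTERNS["$x_1_2"][0]) + b"\x00" * 16
SAMPLE_ONLY_HEAVY = b"\x90" * 16 + _raw(PATTERNS["$x_4_1"][0]) + b"\x00" * 16

if __name__ == "__main__":
    for label, buf in (("both patterns", SAMPLE_BOTH), ("heavy pattern only", SAMPLE_ONLY_HEAVY)):
        total, hits = score(buf)
        print(f"{label}: score={total} threshold={THRESHOLD} match={matches(buf)} offsets={hits}")
```

Because 4 + 1 equals the threshold exactly, dropping either pattern leaves the score below 5, so a buffer containing only the weight-4 pattern does not trigger the detection.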