Concrete signature match: type Trojan (appears legitimate but performs malicious actions), platform Win64 (64-bit Windows), family Farfli
Trojan:Win64/Farfli.SDM!MTB is Microsoft Defender's name for a 64-bit Windows build of Farfli, a Remote Access Trojan (RAT) family that gives an attacker full control over a compromised system: data theft, remote command execution and monitoring of user activity. The page glosses the !MTB suffix as "Microsoft Threat Behavior", but the signature published below is a static one (SIGNATURE_TYPE_PEHSTR_EXT): it matches a short, partly wildcarded byte sequence in the PE file's code, not anything observed while the file runs. A hit therefore means the binary shares a code fragment with known Farfli samples; it does not by itself tell you what the sample did on the host.
No human-readable strings are published for this threat; the rule relies on the single hex code pattern below, which is why its strings_accuracy is marked Low.
rule Trojan_Win64_Farfli_SDM_2147934110_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Farfli.SDM!MTB"
        threat_id = "2147934110"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Farfli"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {45 33 db 4c 8d 05 ?? ?? ?? ff 45 33 c9 4c 89 5c 24 28 33 d2 33 c9 44 89 5c 24 20 ff 15 ?? ?? ?? 00 83 ca ff 48 8b c8} //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

What the pattern matches: the fixed bytes decode to x64 code, xor r11d,r11d; lea r8,[rip-disp32]; xor r9d,r9d; mov [rsp+0x28],r11; xor edx,edx; xor ecx,ecx; mov [rsp+0x20],r11d; call [rip+disp32]; or edx,-1; mov rcx,rax. The six masked bytes are the two rel32 displacements, which change with every build and import layout; that is why they are wildcarded and why the signature cannot name the imported function. The shape (a six-argument call with every argument zero except a code address in r8, then the returned value passed as the first argument together with 0xFFFFFFFF) is consistent with CreateThread followed by WaitForSingleObject(handle, INFINITE), but that is an inference from the opcodes, not something the signature states. With a single weight-5 string and threshold 5, the rule fires on any PE under 20 MB that contains this one fragment, so expect it to be both narrow and brittle against recompiled variants.

SHA256 associated with this detection: f320b0222a719de0b9b5c67fc856f391ae3a6af171205b8373914e63eed11ff8

Isolate the affected machine from the network immediately. Run a full scan with Microsoft Defender or another antivirus and remove the detected file. Because Farfli is a RAT, treat the host as breached: reset every credential used on or from it, and look for persistence mechanisms (services, scheduled tasks, Run keys) before returning it to service.