Concrete signature match: type Trojan (appears legitimate but performs malicious actions), platform Win64 (64-bit Windows), family Meterpreter
Trojan:Win64/Meterpreter.B is a critical-severity detection for a Meterpreter payload, the post-exploitation agent of the Metasploit Framework, on a 64-bit Windows system. The payload gives the operator an interactive session with extensive remote control of the host: file and credential theft, process and registry manipulation, and pivoting into the rest of the network. Because Meterpreter is also the standard payload of authorized penetration tests and red team exercises, check a hit against sanctioned engagement windows first; outside one, its detection signifies an active and severe security breach.
Relevant strings associated with this threat:
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
rule Trojan_Win64_Meterpreter_B_2147721790_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Meterpreter.B"
        threat_id = "2147721790"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Meterpreter"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "Low"

    strings:
        // Each `41 ba <imm32> ff d5` is `mov r10d, <api hash>; call rbp`: the Metasploit
        // block_api calling convention used by the x64 reverse_tcp stager, with rbp
        // holding the address of the hash-resolving api_call routine.
        $x_1_1 = {41 ba 02 d9 c8 5f ff d5} //weight: 1, accuracy: High -- hash 0x5FC8D902 = ws2_32!recv
        $x_1_2 = {41 ba 58 a4 53 e5 ff d5} //weight: 1, accuracy: High -- hash 0xE553A458 = kernel32!VirtualAlloc
        // pop rbp; mov r14, "ws2_32\0\0"; push r14: stages the module name for LoadLibraryA
        $x_1_3 = {5d 49 be 77 73 32 5f 33 32 00 00 41 56} //weight: 1, accuracy: High
        // WSASocketA (0xE0DF0FEA), then within 32 bytes connect (0x6174A599). The [0-32]
        // wildcard gap covers the socket/sockaddr setup between the two calls; this is
        // the one string annotated accuracy: Low.
        $x_1_4 = {41 ba ea 0f df e0 ff d5 [0-32] 41 ba 99 a5 74 61 ff d5} //weight: 1, accuracy: Low

    condition:
        // threshold 4 with four weight-1 strings: every fragment must be present
        (filesize < 20MB) and
        (all of ($x*))
}
0686e753fd913d0c9201c8d3559c5e49f6c5791e6fea3c4fc87f67c7df4d830c

Immediately isolate the affected system to contain the threat, but capture volatile evidence first where you can: the matched bytes are a position-independent reverse-connect stager that often exists only in memory, so a memory image plus the process's network connections are the fastest route to the attacker's listener (the stager connects back to an address embedded right next to its connect call) and to any other hosts talking to it. Conduct a full system scan and thorough forensic analysis to determine the extent of compromise. Eradicate the malware, identify and patch the initial access vector, and consider re-imaging the system to ensure complete removal. Implement robust endpoint protection and network monitoring, and block the recovered listener address at the perimeter.
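To show what the rule's strings are actually matching and what a responder can pull out of a hit, here is an added example (written for this page, not threatcheck.sh's or Microsoft's code) that re-implements the rule's condition in Python over a byte buffer and, from the gap between the WSASocketA and connect calls, recovers the listener address the stager connects back to. The sample buffer is constructed here and is inert. The sockaddr recovery assumes the unencoded Metasploit x64 reverse_tcp stager layout (a `mov r14, imm64` carrying the sockaddr_in just before the connect call); an encoder or a packed loader would hide it, and the helper then returns None.

```python
import re
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The four byte fragments from the rule, as regexes over bytes. `41 ba <imm32> ff d5`
# is `mov r10d, <hash>; call rbp`, the Metasploit block_api call convention; the
# immediates are the hashes of ws2_32!recv, kernel32!VirtualAlloc,
# ws2_32!WSASocketA and ws2_32!connect.
PATTERNS = {
    "x_1_1_recv": re.compile(rb"\x41\xba\x02\xd9\xc8\x5f\xff\xd5", re.DOTALL),
    "x_1_2_VirtualAlloc": re.compile(rb"\x41\xba\x58\xa4\x53\xe5\xff\xd5", re.DOTALL),
    "x_1_3_ws2_32": re.compile(
        rb"\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56", re.DOTALL),
    # YARA's [0-32] is 0..32 arbitrary bytes; the gap is captured so the
    # sockaddr the stager pushes before connect can be pulled out of it.
    "x_1_4_WSASocketA_connect": re.compile(
        rb"\x41\xba\xea\x0f\xdf\xe0\xff\xd5(.{0,32}?)\x41\xba\x99\xa5\x74\x61\xff\xd5",
        re.DOTALL),
}
MAX_FILESIZE = 20 * 1024 * 1024  # the rule's `filesize < 20MB`


@dataclass
class Verdict:
    matched: bool
    hits: Dict[str, int] = field(default_factory=dict)  # pattern name -> offset
    c2: Optional[Tuple[str, int]] = None                # (ip, port) if recovered


def recover_sockaddr(gap: bytes) -> Optional[Tuple[str, int]]:
    """Find `mov r14, imm64` (49 be + 8 bytes) in the gap between the WSASocketA
    and connect calls. In the Metasploit x64 reverse_tcp stager that immediate is
    the first 8 bytes of the sockaddr_in handed to connect: sin_family (2 bytes,
    little-endian), sin_port (2 bytes, network order), sin_addr (4 bytes).
    ASSUMPTION: the stager is unencoded; an encoder or packed loader hides it."""
    i = gap.find(b"\x49\xbe")
    if i < 0 or len(gap) < i + 10:
        return None
    raw = gap[i + 2:i + 10]
    if struct.unpack("<H", raw[0:2])[0] != 2:  # AF_INET
        return None
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def scan(buf: bytes) -> Verdict:
    """Apply the rule's condition: filesize < 20MB and all four strings present.
    Offsets and any recovered C2 are reported even when the verdict is negative,
    so a partial hit can still be triaged."""
    v = Verdict(False)
    if len(buf) >= MAX_FILESIZE:
        return v
    for name, pat in PATTERNS.items():
        m = pat.search(buf)
        if m is None:
            continue
        v.hits[name] = m.start()
        if m.groups():  # only the WSASocketA..connect pattern captures the gap
            v.c2 = recover_sockaddr(m.group(1))
    v.matched = len(v.hits) == len(PATTERNS)
    return v


def build_sample(ip: str, port: int) -> bytes:
    """CONSTRUCTED test input, not a real payload: the four fragments with filler,
    in the order they occur in the stager, plus the sockaddr_in immediate the
    stager pushes before connect. It lacks the api_call routine and stack setup,
    so it is inert; it exists only to exercise scan() offline."""
    sockaddr = struct.pack("<H", 2) + struct.pack("!H", port) + socket.inet_aton(ip)
    return (
        b"\x90" * 16
        + b"\x5d\x49\xbe" + b"ws2_32\x00\x00" + b"\x41\x56"  # pop rbp; mov r14,'ws2_32'; push r14
        + b"\x90" * 8
        + b"\x41\xba\xea\x0f\xdf\xe0\xff\xd5"                 # mov r10d, WSASocketA; call rbp
        + b"\x48\x89\xc7"                                     # mov rdi, rax (the socket)
        + b"\x49\xbe" + sockaddr + b"\x41\x56"                # mov r14, <sockaddr_in>; push r14
        + b"\x48\x89\xe2\x6a\x10\x41\x58\x48\x89\xf9"         # mov rdx,rsp; push 16; pop r8; mov rcx,rdi
        + b"\x41\xba\x99\xa5\x74\x61\xff\xd5"                 # mov r10d, connect; call rbp
        + b"\x90" * 8
        + b"\x41\xba\x58\xa4\x53\xe5\xff\xd5"                 # mov r10d, VirtualAlloc; call rbp
        + b"\x90" * 8
        + b"\x41\xba\x02\xd9\xc8\x5f\xff\xd5"                 # mov r10d, recv; call rbp
        + b"\x90" * 16
    )


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample("192.168.56.20", 4444)
    v = scan(data)
    print("match:", v.matched, "hits:", v.hits, "c2:", v.c2)
```

Point it at a dumped process region or the on-disk loader; on a real hit the recovered ip:port is the attacker's listener and belongs in the perimeter block list and in a hunt across other hosts. This mirrors the rule's logic for triage only; the authoritative scan is still the YARA rule itself.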