Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Meterpreter
This is a concrete detection of Trojan:Win64/Meterpreter.E, a sophisticated post-exploitation framework. It deploys shellcode, uses process injection (VirtualAllocEx, WriteProcessMemory), and establishes a reverse shell via network communication, granting remote attackers full control over the compromised system for data exfiltration and further malicious activities.
Relevant strings associated with this threat: - S.h.e.l.l.c.o.d.e On the fly - version OVH (PEHSTR_EXT) - #$fc#$e8#$82#$00#$00#$00#$60#$89#$e5#$31#$c0#$64#$8b#$50#$30 (PEHSTR_EXT) - meterpreter_reverse_ (PEHSTR_EXT) - WinSock 2.0 (PEHSTR_EXT) - VirtualAllocEx (PEHSTR_EXT) - WriteProcessMemory (PEHSTR_EXT) - CreateSemaphoreA (PEHSTR_EXT)
rule Trojan_Win64_Meterpreter_EB_2147895879_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win64/Meterpreter.EB!MTB"
threat_id = "2147895879"
type = "Trojan"
platform = "Win64: Windows 64-bit platform"
family = "Meterpreter"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "8"
strings_accuracy = "High"
strings:
$x_1_1 = "WinSock 2.0" ascii //weight: 1
$x_1_2 = "MPGoodStatus" ascii //weight: 1
$x_1_3 = "ws2_32" ascii //weight: 1
$x_1_4 = "AQAPRQVH1" ascii //weight: 1
$x_1_5 = "VirtualAllocEx" ascii //weight: 1
$x_1_6 = "WriteProcessMemory" ascii //weight: 1
$x_1_7 = "CreateSemaphoreA" ascii //weight: 1
$x_1_8 = "YZAXAYAZH" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}173bd2fc717b38527a57fad443aac11c49aef61f5f84e175872db53a99d2fd4eImmediately isolate the affected host to prevent further compromise. Perform a full system scan with updated antivirus software to remove the threat and any related artifacts. Investigate for persistence mechanisms, reset any potentially compromised user credentials, and review network logs for command-and-control (C2) communication.