Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family NukeSped
This threat is a Trojan from the NukeSped family, a sophisticated backdoor used for persistent remote access, data exfiltration, and executing remote commands. The '!MTB' designation indicates it was identified by Microsoft's machine learning behavioral analysis, which detected activities characteristic of this malware family.
No specific strings found for this threat
rule Trojan_Win64_NukeSped_DA_2147930009_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/NukeSped.DA!MTB"
        threat_id = "2147930009"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "NukeSped"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {0f b6 43 01 ff ce 0f b6 0c 28 43 30 0c 26 41 ff c6 0f b6 43 01 fe c0 88 43 01 3c 40 75} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash: 031322f5591b00c6d04b5705bf482e6e0ca01e65e37ac2ef1dd045ee9434f845

Remediation: Isolate the affected host from the network immediately. Use an updated EDR or antivirus solution to quarantine and remove the threat. Investigate for persistence mechanisms and signs of lateral movement, and reset credentials for all accounts used on the machine.