Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 64-bit Windows, family: Reflo
This is a confirmed Trojan (Win64/Reflo.HNS) targeting 64-bit Windows systems, detected with high confidence through concrete signatures combined with machine-learning behavioural analysis. It poses a significant threat and is likely designed for malicious activity such as data exfiltration or system compromise.
No specific strings found for this threat
rule Trojan_Win64_Reflo_HNS_2147905607_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Reflo.HNS!MTB"
        threat_id = "2147905607"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Reflo"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"

    strings:
        $x_2_1 = {eb 17 41 89 c2 41 83 e2 1f 45 32 0c 12 44 88 0c 07 48 ff c0 48 39 c6 74 ac 44 0f b6 0c 07 45 84 c0 74 df} // weight: 2, accuracy: High
        $x_2_2 = {48 89 78 18 48 c7 40 28 00 00 06 00 48 c7 40 30 08 00 00 00 48 8b 4c 24 58} // weight: 2, accuracy: High
        $x_2_3 = "BQ8jggZci8dcigdaHZiQHZgk" wide // weight: 2

    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}

ac035aeacf8e68baf9d44aadc29d2036d9ad86578622f3d691b58277412dcb376abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107

Immediately isolate the affected system to prevent further spread. Conduct a full anti-malware scan to remove all detected components and review system logs for any signs of broader compromise. Ensure all operating systems and applications are up to date with the latest security patches.