Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the 64-bit Windows platform, family ShellcodeRunner
Trojan:Win64/ShellcodeRunner.MK!MTB is a trojan designed to execute arbitrary shellcode on 64-bit Windows systems. This type of malware often acts as a stager, allowing an attacker to download and run more advanced payloads like ransomware or remote access trojans. The detection is based on machine learning behavioral analysis, indicating suspicious code execution patterns.
No specific strings found for this threat
rule Trojan_Win64_ShellcodeRunner_MK_2147955284_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/ShellcodeRunner.MK!MTB"
        threat_id = "2147955284"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ShellcodeRunner"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "25"
        strings_accuracy = "Low"
    strings:
        $x_15_1 = {48 89 44 24 68 48 89 5c 24 70 0f b6 73 08 66 90 40 f6 c6 04 ?? ?? 48 8d 05 16 38 3e 00 bb 21 00 00 00 ?? ?? ?? ?? ?? 48 8b 44 24 68 48 8b 5c 24 70} //weight: 15, accuracy: Low
        $x_10_2 = {48 89 5c 24 38 48 89 44 24 30 48 8d 05 7b 6a 34 00 ?? ?? ?? ?? ?? 48 89 44 24 18 48 8b 5c 24 30 48 8b 4c 24 38} //weight: 10, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash: 072333ce09b199d45b08e799eb28d8b1a2940f4afd97083ca12d4b2573a6922c

Immediately isolate the affected endpoint from the network to prevent lateral movement. Use antivirus software to quarantine or remove the detected file, then perform a full system scan. Investigate the initial point of compromise and consider resetting user credentials.