Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Shelm
Trojan:Win64/Shelm is a sophisticated backdoor detected via concrete signatures. It uses PowerShell, launched hidden and with the execution policy bypassed, to run deobfuscated payloads including shellcode, and it establishes command-and-control communication with `dz3.ddns.net`. Its capabilities include file upload and download, which indicate data exfiltration and staging of further compromise.
Relevant strings associated with this threat (signature string type in parentheses):

- `Base64String(\"" " & str & " \"" )` (MACROHSTR_EXT)
- `powershell.exe` (MACROHSTR_EXT)
- `-NoP -NonI -W Hidden -Exec Bypass -Comm` (MACROHSTR_EXT)
- `exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc"` (MACROHSTR_EXT)
- `Shell exec, vbHide` (MACROHSTR_EXT)
- `20221213.pdb` (PEHSTR_EXT)
- `study\shellcode_dll\Release\shellcode_dll.pdb` (PEHSTR_EXT)
- `CreateThreadpoolWait_ShellcodeExecution` (PEHSTR_EXT)
- `yxsohezazveqzwx.dll` (PEHSTR_EXT)
- `DllInstall` (PEHSTR_EXT)
- `DllMain` (PEHSTR_EXT)
- `DllRegisterServer` (PEHSTR_EXT)
- `DllUnregisterServer` (PEHSTR_EXT)
- `jnnfcoy.cpl` (PEHSTR_EXT)
- `Usage : %s IP Port FileName <SaveName> /Upload | / Download` (PEHSTR_EXT)
- `QQPCLeakScan.exe` (PEHSTR_EXT)
- `Release\shellcode` (PEHSTR_EXT)
- `dll_path [process_name]` (PEHSTR_EXT)
- `Mozilla/4` (PEHSTR_EXT)
- `dz3.ddns.net` (PEHSTR_EXT)
- `@x\l44` (SNID)
- `WinExec` (PEHSTR_EXT)
- `(g]\)` (SNID)
- `\$DD9d$@` (PEHSTR_EXT)
- `Del /f /q "%s"` (PEHSTR_EXT)
- `Users\sSs\source\repos\Test\x64\Release\Test.pdb` (PEHSTR_EXT)
- `explorer.exe` (PEHSTR_EXT)
- `LdrpDllNotificationList` (PEHSTR_EXT)
- `!#HSTR:StringCodeForMshta.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.C!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.D!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.L!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.O!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRegsvr32.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRundll32.A!pli` (PEHSTR_EXT)
- `rundll32` (PEHSTR_EXT)
- `!#HSTR:StringCodeForBITSJobs.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForPowerShell.G!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForScheduledTask.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForDataEncoding.D!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.J!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.K!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRemoteFileCopy.B!pli` (PEHSTR_EXT)
- `!#HSTR:ExecutionGuardrails` (PEHSTR_EXT)
- `!#HSTR:StringCodeForFileDeletion.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.M!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForNetshHelperDLL.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRemoteServices.A!pli` (PEHSTR_EXT)
```yara
rule Trojan_Win64_Shelma_AT_2147837891_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Shelma.AT!MTB"
        threat_id = "2147837891"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Shelma"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {ff c2 48 63 c2 48 8d 4c 24 20 48 03 c8 0f b6 01 41 88 04 38 44 88 09 41 0f b6 0c 38 49 03 c9 0f b6 c1 0f b6 4c 04 20 41 30 0e 49 ff c6 49 83 ea 01 75} //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
```

Sample hash (SHA-256): `4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9`

Isolate affected systems immediately. Perform a full scan to remove all malicious components, block `dz3.ddns.net` at the network perimeter, and reset user credentials if compromised. Conduct a forensic analysis to determine the scope of compromise and identify the initial access vector.