Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family TigerCrypt
Trojan:Win64/TigerCrypt.A!dha is a Trojan detection for 64-bit Windows systems, belonging to the TigerCrypt family. The signature keys on strings that look like fragments of decorated C++ class names (CryptorInterface, CryptorXor, CryptorDES), which indicates the binary implements XOR and DES routines behind a common "cryptor" interface. Built-in encryption of this kind is consistent with payload obfuscation, encrypting data before exfiltration, or ransomware-style file encryption, but the strings alone do not establish which of these the sample performs.
Relevant strings associated with this threat:
- CryptorInterface@@ (PEHSTR_EXT)
rule Trojan_Win64_TigerCrypt_A_2147916846_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/TigerCrypt.A!dha"
        threat_id = "2147916846"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "TigerCrypt"
        severity = "Critical"
        info = "dha: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "200"
        strings_accuracy = "High"
    strings:
        $x_150_1 = "CryptorInterface@@" ascii //weight: 150
        $x_50_2 = "CryptorXor@@" ascii //weight: 50
        $x_50_3 = "CryptorDES@@" ascii //weight: 50
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_150_*) and 1 of ($x_50_*))) or
            (all of ($x*))
        )
}

Associated sample hash (SHA-256): c296a7ba8645ef6c06162228ca58618dcdc6f1205aec5680a7f355a53d2a0148

Isolate the affected system immediately, run a full antimalware scan to remove the threat, and check for persistence mechanisms (services, scheduled tasks, autorun registry keys) and signs of further compromise before returning the host to service.
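The rule above is a weighted-string signature: each string carries a weight (150, 50, 50) and the threshold is 200, so the condition block is just the enumeration of string subsets whose weights reach 200. The following Python is an added example, not code from threatcheck.sh or from the detection vendor: it re-implements the weighted scoring in plain Python, transcribes the YARA condition literally, and checks over every subset of the three strings that the two agree. The sample buffers are constructed; the `.?AV...@@` shape is assumed as one form in which such class-name fragments survive in a stripped MSVC binary (RTTI type descriptors), and is not taken from a real sample.

```python
"""Weighted-string scoring for the TigerCrypt rule, re-implemented in plain
Python so the threshold logic can be checked without a YARA engine.
Added example: strings, weights and threshold come from the rule on this
page; every buffer below is constructed, not captured."""

from itertools import combinations

# Strings and weights copied from the rule; threshold is 200.
WEIGHTED_STRINGS = {
    b"CryptorInterface@@": 150,
    b"CryptorXor@@": 50,
    b"CryptorDES@@": 50,
}
THRESHOLD = 200
MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "filesize < 20MB"


def score(data: bytes) -> int:
    """Sum the weights of every rule string present in the buffer."""
    return sum(w for s, w in WEIGHTED_STRINGS.items() if s in data)


def matches_weighted(data: bytes) -> bool:
    """PEHSTR_EXT-style verdict: total weight of hits reaches the threshold."""
    return len(data) < MAX_FILESIZE and score(data) >= THRESHOLD


def matches_yara_condition(data: bytes) -> bool:
    """Literal transcription of the rule's condition block."""
    x150 = [s for s, w in WEIGHTED_STRINGS.items() if w == 150 and s in data]
    x50 = [s for s, w in WEIGHTED_STRINGS.items() if w == 50 and s in data]
    all_hit = all(s in data for s in WEIGHTED_STRINGS)
    return len(data) < MAX_FILESIZE and (
        (len(x150) >= 1 and len(x50) >= 1) or all_hit
    )


def conditions_agree() -> bool:
    """Over every subset of the three strings, confirm the weighted threshold
    and the hand-written YARA condition return the same verdict."""
    names = list(WEIGHTED_STRINGS)
    for n in range(len(names) + 1):
        for subset in combinations(names, n):
            buf = b"\x00" * 64 + b"\x00".join(subset) + b"\x00" * 64
            if matches_weighted(buf) != matches_yara_condition(buf):
                return False
    return True


# Constructed stand-ins for file contents. The ".?AV<Class>@@" form is an
# assumption about how MSVC RTTI type descriptors would carry these names;
# the rule itself only requires the "<Class>@@" tail as an ASCII substring.
_HDR = b"MZ" + b"\x00" * 30
SAMPLE_FULL_HIT = _HDR + b".?AVCryptorInterface@@\x00.?AVCryptorXor@@\x00"
SAMPLE_CIPHERS_ONLY = _HDR + b".?AVCryptorXor@@\x00.?AVCryptorDES@@\x00"
SAMPLE_INTERFACE_ONLY = _HDR + b".?AVCryptorInterface@@\x00"


def triage(samples: dict) -> dict:
    """Return {name: (score, verdict)} for a batch of buffers."""
    return {name: (score(buf), matches_weighted(buf)) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, (s, hit) in triage({
        "full_hit": SAMPLE_FULL_HIT,
        "ciphers_only": SAMPLE_CIPHERS_ONLY,
        "interface_only": SAMPLE_INTERFACE_ONLY,
    }).items():
        print(f"{name:15s} score={s:3d} match={hit}")
    print("weighted scoring and YARA condition agree:", conditions_agree())
```

Two practical points fall out of the enumeration: a sample that exposes only the interface class name (150) or only the two cipher classes (100) stays under the threshold and is not detected by this rule, and the strings are `ascii` only, so wide-character (UTF-16) copies of the same names would not count. The emulation covers only the logic visible in the rule; the vendor engine's own string-search semantics for the PEHSTR_EXT type are not published here and are not modelled.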