Concrete signature match: Trojan - Appears legitimate but performs malicious actions for WinNT platform, family Fetrog
Trojan:WinNT/Fetrog.A is a concrete detection for a Windows NT-based Trojan from the Fetrog family. This malware typically aims to gain unauthorized access, steal data, or facilitate further compromise, indicated by specific file names like 'f3t_0g.dat' and device interaction strings such as '\DosDevices\rmpdk0g'.
Relevant strings associated with this threat: - HcA (PEHSTR_EXT)
rule Trojan_WinNT_Fetrog_A_2147666039_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:WinNT/Fetrog.A"
threat_id = "2147666039"
type = "Trojan"
platform = "WinNT: WinNT"
family = "Fetrog"
severity = "Critical"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "2"
strings_accuracy = "High"
strings:
$x_2_1 = {48 8b f9 48 03 fa 48 33 c0 8a 01 41 f6 e0 49 03 c1 88 01 48 33 c0 48 ff c1 48 3b cf 75 eb} //weight: 2, accuracy: High
$x_2_2 = {80 39 eb 75 0c 48 0f be 41 01 48 8d 4c 08 02 eb 0e 80 39 e9 75 0e 48 63 41 01 48 8d 4c 08 05 b0 01 48 89 0a} //weight: 2, accuracy: High
$x_1_3 = "Net_U1ocike._2k" wide //weight: 1
$x_1_4 = "f3t_0g.dat" wide //weight: 1
$x_1_5 = "\\DosDevices\\rmpdk0g" wide //weight: 1
condition:
(filesize < 20MB) and
(
((2 of ($x_1_*))) or
((1 of ($x_2_*))) or
(all of ($x*))
)
}441f2a6775621af8c5d1ead7082e9573ad878bc90675ed55f86abfc8a9e8cc6fImmediately isolate the affected system from the network. Perform a full system scan with updated antivirus software and remove all detected malicious files. Review system logs for signs of further compromise or persistence mechanisms, and ensure all operating system and software vulnerabilities are patched.