Concrete signature match: Trojan Downloader - Downloads additional malware for SH platform, family SAgent
This threat is a malicious script from the SAgent family, identified by machine learning behavioral analysis. As a Trojan Downloader, its primary purpose is to connect to a remote server to download and execute additional, more harmful malware onto the compromised system.
Relevant strings associated with this threat:
No specific strings found for this threat.
rule TrojanDropper_AndroidOS_SAgent_B_2147831277_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanDropper:AndroidOS/SAgent.B!MTB"
        threat_id = "2147831277"
        type = "TrojanDropper"
        platform = "AndroidOS: Android operating system"
        family = "SAgent"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_DEXHSTR_EXT"
        threshold = "3"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {00 0c 00 6e 10 ?? 00 ?? 00 0c ?? 71 20 ?? 00 ?? 00 54 ?? ?? 00 72 20 ?? 00 ?? 00} //weight: 2, accuracy: Low
        $x_1_2 = {35 32 12 00 34 40 03 00 01 10 48 05 07 02 48 06 08 00 b7 65 8d 55 4f 05 07 02 d8 02 02 01 d8 00 00 01 28 ef} //weight: 1, accuracy: High
        $x_1_3 = {35 20 12 00 34 31 03 00 12 01 48 04 06 00 48 05 07 01 b7 54 8d 44 4f 04 06 00 d8 00 00 01 d8 01 01 01 28 ef} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_2_*) and 1 of ($x_1_*))) or
            (all of ($x*))
        )
}

Isolate the affected system from the network immediately. Ensure Windows Defender has removed the initial threat and then perform a full system scan to detect any secondary payloads. Investigate for persistence mechanisms such as new scheduled tasks or registry run keys.
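To see how the three DEX byte patterns above combine, here is an added Python example (not code from threatcheck.sh or from Microsoft's scan engine) that compiles the rule's hex strings, including the `??` one-byte wildcards, into byte regexes and evaluates the rule's condition over a constructed buffer. Treating the `threshold` meta value as a minimum sum of the per-string weights is an assumption for illustration; the page does not describe how the engine applies it.

```python
import re

# Hex patterns and weights copied from the rule above; "??" is a one-byte wildcard.
PATTERNS = {
    "$x_2_1": ("00 0c 00 6e 10 ?? 00 ?? 00 0c ?? 71 20 ?? 00 ?? 00 54 ?? ?? 00 72 20 ?? 00 ?? 00", 2),
    "$x_1_2": ("35 32 12 00 34 40 03 00 01 10 48 05 07 02 48 06 08 00 b7 65 8d 55 "
               "4f 05 07 02 d8 02 02 01 d8 00 00 01 28 ef", 1),
    "$x_1_3": ("35 20 12 00 34 31 03 00 12 01 48 04 06 00 48 05 07 01 b7 54 8d 44 "
               "4f 04 06 00 d8 00 00 01 d8 01 01 01 28 ef", 1),
}
THRESHOLD = 3                 # from the rule's meta; weight-sum interpretation is an assumption
MAX_SIZE = 20 * 1024 * 1024   # filesize < 20MB


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn 'aa ?? bb' into a bytes regex where '??' matches any single byte."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def match_strings(data: bytes) -> dict:
    """Which of the rule's strings occur anywhere in the buffer."""
    return {name: hex_pattern_to_regex(pat).search(data) is not None
            for name, (pat, _weight) in PATTERNS.items()}


def evaluate(data: bytes) -> dict:
    """Apply the rule's condition and the assumed weight threshold to a buffer."""
    hits = match_strings(data)
    weight = sum(w for name, (_pat, w) in PATTERNS.items() if hits[name])
    any_x2 = any(hit for name, hit in hits.items() if name.startswith("$x_2_"))
    any_x1 = any(hit for name, hit in hits.items() if name.startswith("$x_1_"))
    condition = len(data) < MAX_SIZE and ((any_x2 and any_x1) or all(hits.values()))
    return {"hits": hits, "weight": weight,
            "threshold_met": weight >= THRESHOLD, "condition": condition}


def fill_wildcards(pattern: str, filler: int = 0xAA) -> bytes:
    """Build concrete bytes from a pattern by substituting a filler for '??'."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())


# Constructed sample (not a real DEX file): header-like prefix, then $x_2_1 and $x_1_2 embedded.
SAMPLE = (b"dex\n035\x00" + b"\x00" * 16 + fill_wildcards(PATTERNS["$x_2_1"][0])
          + b"\x11" * 8 + fill_wildcards(PATTERNS["$x_1_2"][0]) + b"\x22" * 8)

if __name__ == "__main__":
    print(evaluate(SAMPLE))  # two hits, weight 3, condition True
```

Only two of the three strings are needed for a match, which is why a weight-2 behavioural pattern plus one precise sequence is enough; a buffer containing just a single `$x_1_*` string falls short of both the condition and the threshold.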