$ analyze-threat VirTool:MSIL/Aikaantivm!atmn
VirTool:MSIL/Aikaantivm!atmn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: VirTool:MSIL/Aikaantivm!atmn
Classification:
Type: VirTool
Platform: MSIL
Family: Aikaantivm
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !atmn
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Virus Tool - Tool used to create or modify malware for .NET (Microsoft Intermediate Language) platform, family Aikaantivm

Summary:

VirTool:MSIL/Aikaantivm!atmn is a malicious .NET-based tool designed to evade analysis by detecting virtual machines and sandboxes. It establishes persistence through registry Run keys and Scheduled Tasks, and uses legitimate Windows utilities like PowerShell and Rundll32 to execute malicious commands and hook system functions.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - Select * from Win32_ComputerSystem (PEHSTR_EXT)
 - SbieDll.dll (PEHSTR_EXT)
 - cmdvrt32.dll (PEHSTR_EXT)
 - SxIn.dll (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule VirTool_MSIL_Aikaantivm_GG_2147769553_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:MSIL/Aikaantivm.GG!MTB"
        threat_id = "2147769553"
        type = "VirTool"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Aikaantivm"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "73"
        strings_accuracy = "High"
    strings:
        $x_10_1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii //weight: 10
        $x_10_2 = "Select * from Win32_ComputerSystem" ascii //weight: 10
        $x_10_3 = "microsoft corporation" ascii //weight: 10
        $x_10_4 = "VIRTUAL" ascii //weight: 10
        $x_10_5 = "vmware" ascii //weight: 10
        $x_10_6 = "VirtualBox" ascii //weight: 10
        $x_10_7 = "SbieDll.dll" ascii //weight: 10
        $x_1_8 = "cmdvrt32.dll" ascii //weight: 1
        $x_1_9 = "SxIn.dll" ascii //weight: 1
        $x_1_10 = "WriteProcessMemory" ascii //weight: 1
        $x_1_11 = "NtUnmapViewOfSection" ascii //weight: 1
        $x_1_12 = "VirtualAllocEx" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((7 of ($x_10_*) and 3 of ($x_1_*))) or
            (all of ($x*))
        )
}
Known malware which is associated with this threat:
Remediation Steps:
Isolate the affected machine from the network. Use antivirus software to remove the detected threat and run a full system scan. Manually inspect and remove persistence mechanisms in registry Run keys and Scheduled Tasks. Investigate for further compromise; consider re-imaging the system.
=== END REPORT ===
This analysis was last updated on 09/11/2025.