Concrete signature match: VirTool (Virus Tool), a tool used to create or modify malware for the .NET (Microsoft Intermediate Language) platform, family Aikaantivm
This threat is a .NET-based malware tool designed to evade analysis by detecting virtual machines, sandboxes, and debuggers: it queries WMI (Select * from Win32_ComputerSystem) and compares the returned manufacturer and model against strings such as vmware, VirtualBox and VIRTUAL, looks for sandbox DLLs such as SbieDll.dll, and calls IsDebuggerPresent and CheckRemoteDebuggerPresent. It establishes persistence via the registry Run key and contains functionality for process injection (WriteProcessMemory, NtUnmapViewOfSection and VirtualAllocEx, a combination typical of process hollowing) and for executing secondary payloads using built-in Windows utilities such as PowerShell and rundll32.
Relevant strings associated with this threat:
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- Select * from Win32_ComputerSystem (PEHSTR_EXT)
- SbieDll.dll (PEHSTR_EXT)
- cmdvrt32.dll (PEHSTR_EXT)
- SxIn.dll (PEHSTR_EXT)
- IsDebuggerPresent (PEHSTR_EXT)
- CheckRemoteDebuggerPresent (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule VirTool_MSIL_Aikaantivm_GG_2147769553_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:MSIL/Aikaantivm.GG!MTB"
        threat_id = "2147769553"
        type = "VirTool"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Aikaantivm"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "73"
        strings_accuracy = "High"
    strings:
        $x_10_1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii //weight: 10
        $x_10_2 = "Select * from Win32_ComputerSystem" ascii //weight: 10
        $x_10_3 = "microsoft corporation" ascii //weight: 10
        $x_10_4 = "VIRTUAL" ascii //weight: 10
        $x_10_5 = "vmware" ascii //weight: 10
        $x_10_6 = "VirtualBox" ascii //weight: 10
        $x_10_7 = "SbieDll.dll" ascii //weight: 10
        $x_1_8 = "cmdvrt32.dll" ascii //weight: 1
        $x_1_9 = "SxIn.dll" ascii //weight: 1
        $x_1_10 = "WriteProcessMemory" ascii //weight: 1
        $x_1_11 = "NtUnmapViewOfSection" ascii //weight: 1
        $x_1_12 = "VirtualAllocEx" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((7 of ($x_10_*) and 3 of ($x_1_*))) or
            (all of ($x*))
        )
}

Associated hashes:
- c19b9a5c933f2a33d44e1fa3d491832a2f541d1fb7da2b22c6cdb69e919cace3
- f7123e6aa1c5cf243a49b5f074142144a2e06e498458f9a2c7e6e1ad04164e74
- f9952abc64553d33f93feaaea3ae9e705a890f0d48b2bd1af77bd7e7b17034bb
- f9baba9f206287f1044d12fd6a6a583c02a1fca9edec41783ad096f202776226
- ee4552132293dd151868a5cfb0e3e3fd2816956ab3cd30af8fa37e3802014f0d

Remediation guidance: Use antivirus software to quarantine the detected file. Run a full system scan to find any related malicious components. Check for and remove persistence mechanisms such as suspicious registry Run keys and Scheduled Tasks. Analyze network logs for unusual outbound connections.
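The rule's meta block declares a threshold of 73 while its condition is written as "7 of the weight-10 strings and 3 of the weight-1 strings": 7 × 10 + 3 × 1 = 73, so the two are the same test expressed two ways. The following Python is an added example, not code from threatcheck.sh or from the signature itself; it transcribes the rule's strings and weights, scores constructed sample buffers (not real samples), and checks exhaustively that the score threshold and the YARA condition agree for every possible match pattern.

```python
"""Weighted-string scorer that mirrors the PEHSTR-style rule above.

Added example (not from threatcheck.sh or the signature): the rule's strings
and weights are transcribed into Python so that the declared threshold (73)
can be compared with the YARA condition on constructed buffers and over every
subset of strings.
"""
from itertools import product

# (weight, string) pairs copied from the rule. YARA 'ascii' without 'nocase'
# is case-sensitive, so a plain byte-substring search reproduces it.
WEIGHTED_STRINGS = [
    (10, b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    (10, b"Select * from Win32_ComputerSystem"),
    (10, b"microsoft corporation"),
    (10, b"VIRTUAL"),
    (10, b"vmware"),
    (10, b"VirtualBox"),
    (10, b"SbieDll.dll"),
    (1, b"cmdvrt32.dll"),
    (1, b"SxIn.dll"),
    (1, b"WriteProcessMemory"),
    (1, b"NtUnmapViewOfSection"),
    (1, b"VirtualAllocEx"),
]
THRESHOLD = 73                     # from the rule's meta block
MAX_FILESIZE = 20 * 1024 * 1024    # the rule's "filesize < 20MB" guard


def present(data: bytes) -> list[bool]:
    """One flag per weighted string: does it occur in the buffer?"""
    return [s in data for _, s in WEIGHTED_STRINGS]


def score(flags: list[bool]) -> int:
    """Sum of the weights of the strings that matched."""
    return sum(w for (w, _), hit in zip(WEIGHTED_STRINGS, flags) if hit)


def yara_condition(flags: list[bool]) -> bool:
    """The rule's condition: (7 of $x_10_* and 3 of $x_1_*) or all of $x*."""
    heavy = sum(1 for (w, _), hit in zip(WEIGHTED_STRINGS, flags) if hit and w == 10)
    light = sum(1 for (w, _), hit in zip(WEIGHTED_STRINGS, flags) if hit and w == 1)
    return (heavy >= 7 and light >= 3) or all(flags)


def rule_matches(data: bytes) -> bool:
    """Apply the size guard and the condition to a raw buffer."""
    return len(data) < MAX_FILESIZE and yara_condition(present(data))


def threshold_equals_condition() -> bool:
    """Check, for all 2**12 match patterns, that 'score >= THRESHOLD' and the
    YARA condition give the same verdict."""
    return all(
        (score(list(flags)) >= THRESHOLD) == yara_condition(list(flags))
        for flags in product([False, True], repeat=len(WEIGHTED_STRINGS))
    )


# Constructed sample buffers (not real samples). The first only fingerprints
# its environment, which legitimate software sometimes does too; the second
# also carries the injection API names and a sandbox DLL name.
VM_CHECK_ONLY = (
    b"MZ..." + b"Select * from Win32_ComputerSystem" + b"microsoft corporation"
    + b"VIRTUAL" + b"vmware" + b"VirtualBox" + b"SbieDll.dll"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
)
FULL_PROFILE = VM_CHECK_ONLY + b"cmdvrt32.dll" + b"WriteProcessMemory" + b"VirtualAllocEx"

if __name__ == "__main__":
    for name, buf in [("vm-check-only", VM_CHECK_ONLY), ("full-profile", FULL_PROFILE)]:
        flags = present(buf)
        print(f"{name}: score={score(flags)} matches={rule_matches(buf)}")
    print("threshold and condition agree on every pattern:", threshold_equals_condition())
```

The first buffer scores 70 and does not fire: all seven environment-fingerprinting strings are present, but without at least three of the weight-1 injection or sandbox strings the rule stays quiet, which is how the weighting keeps VM-aware but benign software out of the match. Adding three weight-1 strings brings the score to exactly 73 and the rule fires.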