VirTool:Win32/DelfInject.gen!AU is a generic detection for a malicious tool that employs code injection techniques. The strings below point to anti-analysis, anti-debugging, and anti-sandboxing checks (debugger and virtual-machine artifacts), along with indicators of injecting malicious DLLs such as 'SMGCatcher.dll', executing scripts via Mshta, and performing API hooking for covert operations.
Relevant strings associated with this threat:
- RtlDecompressBuffer (PEHSTR_EXT)
- /s "C:\SMGCatcher.dll" (PEHSTR_EXT)
- uu\yr (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- Please visit www.vaysoft.com to get more detail (PEHSTR_EXT)
- .smsactivator.com/ (PEHSTR_EXT)
- This program is maDe by dtcser.thank (PEHSTR_EXT)
- \\.\NTICE (PEHSTR_EXT)
- Undetector 1.1 (PEHSTR_EXT)
- gdi32.dll (PEHSTR_EXT)
- user32.dll (PEHSTR_EXT)
- TWelcomeForm (PEHSTR_EXT)
- drivers\vmxnet.sys (PEHSTR_EXT)
- C:\Program Files\Parallels\Parallels Tools (PEHSTR_EXT)
- SbieDll.dll (PEHSTR_EXT)
- Softplan\Componentes\MRU (PEHSTR_EXT)
- \FIBC_Software\ (PEHSTR_EXT)
- \wPDF\Source\WPGenDC.pas (PEHSTR_EXT)
- lld.23lenrek (PEHSTR)
- .0-9 by SWiM (PEHSTR_EXT)
- \IMI Warehouse\ (PEHSTR_EXT)
- g?_smkgksv_w}vwai61Xwdnth`\5*`{a (PEHSTR_EXT)
- iperf v. (PEHSTR_EXT)
- \gdm\delphi\math\ (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)

Detection rule:

rule VirTool_Win32_DelfInject_AU_2147625858_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Win32/DelfInject.gen!AU"
        threat_id = "2147625858"
        type = "VirTool"
        platform = "Win32: Windows 32-bit platform"
        family = "DelfInject"
        severity = "Critical"
        info = "gen: malware that is detected using a generic signature"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {ff d0 85 c0 74 31 8b 45 ?? 8b 50 28 8b 45 ?? e8 ?? ?? ff ff 89 85 ?? ff ff ff} //weight: 1, accuracy: Low
        $x_1_2 = {32 c1 8b 4d f8 8b 7d e4 0f b6 4c 39 ff 03 c9 c1 e9 02 32 c1 32 d0 88 55 ef} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash (SHA-256): 227e8678d85bff501bb909e0d61ee25554bf99c94e47c0194da53e7c246687f9

Remediation: isolate the affected system, perform a comprehensive scan with updated antivirus software, and remove all detected malicious files together with any associated persistence mechanisms (scheduled tasks, BITS jobs, Netsh helper DLLs, and registered services are among the techniques the strings above suggest). Additionally, review system logs for unusual activity and ensure all operating system and software patches are applied.
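To show how the rule's condition evaluates, here is an added Python example (not code from the page or from threatcheck.sh) that compiles the two hex patterns from the rule above, treating `??` as a one-byte wildcard, and applies the weight threshold and filesize limit to a constructed byte buffer. The buffer, the wildcard byte values and the function names are assumptions for illustration only, not a real sample.

```python
import re

# Hex patterns copied from the page's YARA rule; "??" is a one-byte wildcard.
PATTERNS = {
    "x_1_1": "ff d0 85 c0 74 31 8b 45 ?? 8b 50 28 8b 45 ?? e8 ?? ?? ff ff 89 85 ?? ff ff ff",
    "x_1_2": "32 c1 8b 4d f8 8b 7d e4 0f b6 4c 39 ff 03 c9 c1 e9 02 32 c1 32 d0 88 55 ef",
}
WEIGHTS = {"x_1_1": 1, "x_1_2": 1}   # from the "//weight: 1" comments
THRESHOLD = 2                        # meta threshold = "2" (same as "all of" here)
MAX_SIZE = 20 * 1024 * 1024          # condition: filesize < 20MB


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string into a bytes regex ('??' -> any byte)."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_patterns(data: bytes) -> dict:
    """Return every match offset of each pattern, keyed by pattern name."""
    return {name: [m.start() for m in hex_pattern_to_regex(p).finditer(data)]
            for name, p in PATTERNS.items()}


def rule_matches(data: bytes) -> bool:
    """Apply the filesize limit and the weighted threshold of the rule."""
    if len(data) >= MAX_SIZE:
        return False
    hits = find_patterns(data)
    score = sum(WEIGHTS[name] for name, offsets in hits.items() if offsets)
    return score >= THRESHOLD


def build_sample(include_second: bool = True) -> bytes:
    """Constructed stand-in for a scanned file (assumption, not a real sample).

    The wildcard slots of x_1_1 are filled with arbitrary bytes fc, f8, 12 34, e0.
    """
    chunk1 = bytes.fromhex("ffd085c074318b45fc8b50288b45f8e81234ffff8985e0ffffff")
    chunk2 = bytes.fromhex("32c18b4df88b7de40fb64c39ff03c9c1e90232c132d08855ef")
    data = b"MZ" + b"\x90" * 64 + chunk1 + b"\x00" * 32
    if include_second:
        data += chunk2
    return data + b"\xcc" * 16


if __name__ == "__main__":
    print(find_patterns(build_sample()), rule_matches(build_sample()))
```

Dropping either pattern, or padding the buffer past 20MB, makes the rule fail, which is what the "all of" condition with a threshold of 2 requires.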