VirTool:Win32/DelfInject.gen!X is a generic detection for a malicious injector or packer compiled with Delphi (the "Delf" in the family name). The signature below keys on the import set of classic process hollowing: CreateProcessA (to start a host process, typically suspended), GetThreadContext and SetThreadContext, VirtualAllocEx, WriteProcessMemory and ResumeThread, together with the FindResourceA/LoadResource/LockResource/SizeofResource sequence used to pull an embedded payload out of the injector's own resources. Other strings tied to the family show its evasion and persistence behaviour: \\.\NTICE is the SoftICE debugger device, drivers\vmxnet.sys and the Parallels Tools path are VM checks, SbieDll.dll is Sandboxie, and the HSTR references to hooking, mshta, regsvr32, rundll32, BITS jobs, PowerShell and scheduled tasks cover API hooking and living-off-the-land execution and persistence.
Strings associated with this detection (the tag in parentheses is the signature type the string belongs to). Three caveats when reading the list: entries ending in !pli appear to be references to other HSTR sub-signatures rather than literal strings in the binary; ".smsactivator.com/" and "This program is maDe by dtcser.thank" appear in the rule below with weight -100, so their presence suppresses the detection and they mark benign look-alikes rather than the threat; and "lld.23lenrek" is "kernel32.dll" reversed, a simple string-obfuscation trick.
- RtlDecompressBuffer (PEHSTR_EXT)
- /s "C:\SMGCatcher.dll" (PEHSTR_EXT)
- uu\yr (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- Please visit www.vaysoft.com to get more detail (PEHSTR_EXT)
- .smsactivator.com/ (PEHSTR_EXT)
- This program is maDe by dtcser.thank (PEHSTR_EXT)
- \\.\NTICE (PEHSTR_EXT)
- Undetector 1.1 (PEHSTR_EXT)
- gdi32.dll (PEHSTR_EXT)
- user32.dll (PEHSTR_EXT)
- TWelcomeForm (PEHSTR_EXT)
- drivers\vmxnet.sys (PEHSTR_EXT)
- C:\Program Files\Parallels\Parallels Tools (PEHSTR_EXT)
- SbieDll.dll (PEHSTR_EXT)
- Softplan\Componentes\MRU (PEHSTR_EXT)
- \FIBC_Software\ (PEHSTR_EXT)
- \wPDF\Source\WPGenDC.pas (PEHSTR_EXT)
- lld.23lenrek (PEHSTR)
- .0-9 by SWiM (PEHSTR_EXT)
- \IMI Warehouse\ (PEHSTR_EXT)
- g?_smkgksv_w}vwai61Xwdnth`\5*`{a (PEHSTR_EXT)
- iperf v. (PEHSTR_EXT)
- \gdm\delphi\math\ (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

rule VirTool_Win32_DelfInject_X_2147598557_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Win32/DelfInject.gen!X"
        threat_id = "2147598557"
        type = "VirTool"
        platform = "Win32: Windows 32-bit platform"
        family = "DelfInject"
        severity = "Critical"
        info = "gen: malware that is detected using a generic signature"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "13"
        strings_accuracy = "Low"
    strings:
        $n_100_1 = "Exun" ascii //weight: -100
        $n_100_2 = "Steuern 20" ascii //weight: -100
        $n_100_3 = ".smsactivator.com/" ascii //weight: -100
        $n_100_4 = "SkinSharp GUI Toolkit" wide //weight: -100
        $n_100_5 = "tica Sistemas Inteligentes" wide //weight: -100
        $n_100_6 = "This program is maDe by dtcser.thank" ascii //weight: -100
        $x_1_7 = "WriteProcessMemory" ascii //weight: 1
        $x_1_8 = "VirtualAllocEx" ascii //weight: 1
        $x_1_9 = "SizeofResource" ascii //weight: 1
        $x_1_10 = "SetThreadContext" ascii //weight: 1
        $x_1_11 = "ResumeThread" ascii //weight: 1
        $x_1_12 = "ReadProcessMemory" ascii //weight: 1
        $x_1_13 = "LockResource" ascii //weight: 1
        $x_1_14 = "LoadResource" ascii //weight: 1
        $x_1_15 = "GetThreadContext" ascii //weight: 1
        $x_1_16 = "GetModuleHandleA" ascii //weight: 1
        $x_1_17 = "FindResourceA" ascii //weight: 1
        $x_1_18 = "CreateProcessA" ascii //weight: 1
        $x_1_19 = {eb 47 6a 00 a1 ?? ?? ?? ?? 8b 40 04 33 c9 b2 01 e8 21 fe ff ff 84 c0 75 07 e8 c4 c6 ff ff eb 29} //weight: 1, accuracy: Low
        $x_2_20 = {02 14 18 81 e2 ff 00 00 00 8a 14 10 32 16 88 11 41 46 ff 4d fc 75} //weight: 2, accuracy: High
        $x_5_21 = {6a 40 68 00 30 00 00 8b 45 ?? 50 8b 45 ?? 8b 40 34 50 8b (85 ?? ??|45 ??) 50 (ff|e8)} //weight: 5, accuracy: Low
        $x_5_22 = {6a 04 68 00 30 00 00 8b 45 ?? 8b 40 50 50 8b 45 ?? 8b 40 34 50 8b (45 ??|85 ?? ??) 50 (ff|e8)} //weight: 5, accuracy: Low
        $x_5_23 = {6a 28 8b 45 ?? 33 d2 52 50 8b ?? c1 e0 03 8d 04 80 99 03 04 24 13 54 24 04 83 c4 08 8b 55 ?? 8d 04 02 50} //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (not (any of ($n*))) and
        (
            ((13 of ($x_1_*))) or
            ((1 of ($x_2_*) and 11 of ($x_1_*))) or
            ((1 of ($x_5_*) and 8 of ($x_1_*))) or
            ((1 of ($x_5_*) and 1 of ($x_2_*) and 6 of ($x_1_*))) or
            ((2 of ($x_5_*) and 3 of ($x_1_*))) or
            ((2 of ($x_5_*) and 1 of ($x_2_*) and 1 of ($x_1_*))) or
            ((3 of ($x_5_*))) or
            (all of ($x*))
        )
}

SHA-256: bfe2f9158d59a2bc3e282fdd2db1482fe1525edb7dceece9301fd7bbdf5e6df9

Isolate the infected system immediately to prevent lateral movement. Perform a full system scan with updated antivirus definitions. Investigate and remove any identified persistence mechanisms (e.g., startup entries, scheduled tasks). Because DelfInject is a loader, the real payload runs inside a hollowed host process and may never exist on disk as a separate file, so scope the investigation to the injected payload and its network activity, not just the injector binary. Consider restoring the system from a clean backup or performing a re-image if deep infection is suspected.
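The condition above looks like seven unrelated branches, but it is the page's threshold of 13 written out by hand: 2 + 11, 5 + 8, 5 + 2 + 6, 10 + 3, 10 + 2 + 1 and 15 all reach 13, and any -100 string cancels everything. YARA has no weighted sums, so PEHSTR_EXT signatures get expanded this way when exported. The script below is an added example written for this page (it is not Microsoft's engine, not threatcheck.sh code and not a substitute for yara); it re-implements the rule as the weighted score it really is, translates the hex strings with their ?? wildcards and (a|b) alternatives into byte regexes, and checks that the enumerated branches and the threshold agree for every possible hit count. Assumptions not taken from the page: strings are matched as raw bytes over the whole file with no PE parsing, "wide" is taken as UTF-16LE as in YARA, the test blobs are constructed here and are not real samples, and the reading of $x_5_22 as a VirtualAllocEx call is my interpretation of the opcodes.

```python
"""Weighted re-implementation of VirTool_Win32_DelfInject_X_2147598557_0.

Added example for this page, not Microsoft's engine and not a yara replacement.
Assumptions (not from the page): raw byte matching over the whole file, no PE
parsing; 'wide' strings encoded as UTF-16LE, which is YARA's meaning."""
from __future__ import annotations
import re

THRESHOLD = 13                    # from the rule's meta
MAX_FILESIZE = 20 * 1024 * 1024   # filesize < 20MB

# weight -100: a single hit suppresses the detection (false-positive exclusions)
NEGATIVE = [
    b"Exun", b"Steuern 20", b".smsactivator.com/",
    "SkinSharp GUI Toolkit".encode("utf-16-le"),
    "tica Sistemas Inteligentes".encode("utf-16-le"),
    b"This program is maDe by dtcser.thank",
]
# weight 1 each: the process-hollowing import set plus the resource APIs
# used to pull an embedded payload out of the injector's own image
X1_STRINGS = [
    b"WriteProcessMemory", b"VirtualAllocEx", b"SizeofResource",
    b"SetThreadContext", b"ResumeThread", b"ReadProcessMemory",
    b"LockResource", b"LoadResource", b"GetThreadContext",
    b"GetModuleHandleA", b"FindResourceA", b"CreateProcessA",
]
# (weight, YARA hex string) copied verbatim from the rule
HEX_PATTERNS = [
    (1, "eb 47 6a 00 a1 ?? ?? ?? ?? 8b 40 04 33 c9 b2 01 e8 21 fe ff ff 84 c0 75 07 e8 c4 c6 ff ff eb 29"),
    (2, "02 14 18 81 e2 ff 00 00 00 8a 14 10 32 16 88 11 41 46 ff 4d fc 75"),
    (5, "6a 40 68 00 30 00 00 8b 45 ?? 50 8b 45 ?? 8b 40 34 50 8b (85 ?? ??|45 ??) 50 (ff|e8)"),
    (5, "6a 04 68 00 30 00 00 8b 45 ?? 8b 40 50 50 8b 45 ?? 8b 40 34 50 8b (45 ??|85 ?? ??) 50 (ff|e8)"),
    (5, "6a 28 8b 45 ?? 33 d2 52 50 8b ?? c1 e0 03 8d 04 80 99 03 04 24 13 54 24 04 83 c4 08 8b 55 ?? 8d 04 02 50"),
]

_TOKEN = re.compile(r"\(|\)|\||\?\?|[0-9a-fA-F]{2}")


def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (?? wildcards, (a|b) alternatives) into a bytes regex."""
    parts = []
    for tok in _TOKEN.findall(pattern):
        if tok == "(":
            parts.append(b"(?:")
        elif tok in (")", "|"):
            parts.append(tok.encode())
        elif tok == "??":
            parts.append(b".")            # any single byte (DOTALL below)
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_HEX = [(w, hex_to_regex(p)) for w, p in HEX_PATTERNS]


def score(data: bytes) -> tuple[int, list[bytes], list[str]]:
    """Return (weighted score, negative-string hits, labels of positive hits)."""
    negatives = [s for s in NEGATIVE if s in data]
    hits, total = [], 0
    for s in X1_STRINGS:
        if s in data:
            hits.append(s.decode())
            total += 1
    for weight, rx in COMPILED_HEX:
        if rx.search(data):
            hits.append(f"hex(weight={weight})")
            total += weight
    return total, negatives, hits


def matches(data: bytes) -> bool:
    """Mirror the rule: size cap, no exclusion string, weighted sum >= THRESHOLD."""
    total, negatives, _ = score(data)
    return len(data) < MAX_FILESIZE and not negatives and total >= THRESHOLD


def yara_branches(n1: int, n2: int, n5: int) -> bool:
    """The rule's enumerated OR-branches for n1/n2/n5 matched strings of weight 1/2/5."""
    return (n1 >= 13
            or (n2 >= 1 and n1 >= 11)
            or (n5 >= 1 and n1 >= 8)
            or (n5 >= 1 and n2 >= 1 and n1 >= 6)
            or (n5 >= 2 and n1 >= 3)
            or (n5 >= 2 and n2 >= 1 and n1 >= 1)
            or n5 >= 3
            or (n1 >= 13 and n2 >= 1 and n5 >= 3))   # all of ($x*)


# Constructed test bytes, not a real sample: one concrete instance of $x_5_22.
# My reading of the opcodes: VirtualAllocEx(hProcess, hdr->ImageBase,
# hdr->SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); 0x34 and 0x50 are
# the ImageBase and SizeOfImage offsets inside IMAGE_NT_HEADERS32.
HOLLOW_ALLOC = bytes.fromhex(
    "6a 04 68 00 30 00 00 8b 45 f8 8b 40 50 50 8b 45 fc 8b 40 34 50 8b 45 f4 50 e8")


def build_sample(api_count: int, extra: bytes = b"") -> bytes:
    """Constructed blob carrying the first api_count import names (not a real file)."""
    return b"MZ" + b"\x00" * 62 + b"\x00".join(X1_STRINGS[:api_count]) + b"\x00" + extra


if __name__ == "__main__":
    for label, blob in [("12 imports only", build_sample(12)),
                        ("8 imports + alloc stub", build_sample(8, HOLLOW_ALLOC)),
                        ("same + exclusion string", build_sample(8, HOLLOW_ALLOC + NEGATIVE[-1]))]:
        total, neg, hits = score(blob)
        print(f"{label}: score={total} negatives={neg} match={matches(blob)}")
```

Two things worth noticing when you run it: twelve hollowing imports alone do not fire (score 12), while eight imports plus one alloc stub do (8 + 5 = 13), which is why the meta says strings_accuracy "Low" and why a -100 exclusion string is the only way a Delphi program with this import set escapes. For real triage use yara against the rule itself; this script only makes the scoring visible.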