Concrete signature match: Virus Tool - Tool used to create or modify malware for 64-bit Windows platform, family Myrddin
This is a concrete detection of VirTool:Win64/Myrddin.F, a malicious tool identified through machine learning behavioral analysis (!MTB) and specific string patterns. It exhibits capabilities related to network communication, potentially for command and control, managing client/server sessions, and may attempt to access or exfiltrate credentials.
Relevant strings associated with this threat:
- ).RemoteAddr (PEHSTR_EXT)
- ).Hostname (PEHSTR_EXT)
- ).Password (PEHSTR_EXT)
- ).NewSession (PEHSTR_EXT)
- ).Server (PEHSTR_EXT)
- ).RemoteSock (PEHSTR_EXT)
- AgentInfo (PEHSTR_EXT)
- .ClientConn (PEHSTR_EXT)
rule VirTool_Win64_Myrddin_F_2147900127_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Win64/Myrddin.F!MTB"
        threat_id = "2147900127"
        type = "VirTool"
        platform = "Win64: Windows 64-bit platform"
        family = "Myrddin"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "10"
        strings_accuracy = "High"
    strings:
        $x_1_1 = ").RemoteAddr" ascii //weight: 1
        $x_1_2 = ").Hostname" ascii //weight: 1
        $x_1_3 = ").Password" ascii //weight: 1
        $x_1_4 = "SetSessionTicket" ascii //weight: 1
        $x_1_5 = "addConn" ascii //weight: 1
        $x_1_6 = ").NewSession" ascii //weight: 1
        $x_1_7 = ").Server" ascii //weight: 1
        $x_1_8 = ").RemoteSock" ascii //weight: 1
        $x_1_9 = "AgentInfo" ascii //weight: 1
        $x_1_10 = ".ClientConn" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash (SHA-256): 59a0e39ee85f0b91b458673811d6222a5cdd7ca36d6798ed9f3bc6f679478f92

Recommended response: Immediately isolate the affected system, perform a full system scan with up-to-date antivirus/EDR, investigate for persistence mechanisms and C2 communication, and reset any potentially compromised user credentials. Ensure all systems are patched and security measures are enforced.