Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Batch Script platform, family Malgent
Trojan:BAT/Malgent!MSR is a concrete detection of a batch script-based Trojan designed to download and execute additional malicious payloads from remote servers. This threat leverages obfuscation and aims to establish persistence on the compromised system by dropping executables in user profile and AppData directories, potentially leading to further system compromise and data exfiltration.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)0627f019f2e89a709928785dc0088c0b23ac7dc19caa9102e3e49375d9b4f7f5Immediately isolate the infected machine to prevent further spread. Perform a full system scan with updated antivirus/EDR, removing all detected malicious files and associated persistence mechanisms. Block the identified malicious URLs and IP addresses at the network perimeter to prevent communication with command-and-control servers or reinfection.