Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: Batch Script, family: Obfuse
This threat is an obfuscated batch script (BAT) that acts as a downloader for a more advanced, multi-stage payload. Once executed, it uses multiple built-in Windows tools (LOLBins) like PowerShell, mshta, and BITS to download and run additional malware, establish persistence via scheduled tasks, and potentially hook system processes to evade detection.
Relevant strings associated with this threat:
- %999%999@j.mp/asdnwwodpwpkkk" (MACROHSTR_EXT)
- http:// (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- GetCurrentDirectory (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
Sample hash: c14405d4132293a1b4afa3afc1c8eac3ee7bcea50924893d588e915709990e20

Remediation: Isolate the affected machine from the network immediately. Run a full, updated antivirus scan to remove all malicious components. Manually inspect and delete suspicious scheduled tasks and startup entries, and clear any active BITS jobs. Finally, reset passwords for all user accounts on the system.