Concrete signature match: Trojan - Appears legitimate but performs malicious actions for JavaScript platform, family Berbew
Trojan:JS/Berbew is an information-stealing trojan, typically delivered via a malicious JavaScript file. It uses multiple native Windows tools ('living-off-the-land' techniques) to execute its payload, hook system functions to steal sensitive data like credentials, and establish persistence through methods like scheduled tasks.
Relevant strings associated with this threat: - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
7485626e50595dfc04c3550949988e50859534f7749edb1488e0e010ab88a9efeef2a53dd70578b8a081b07d1631151da39274fd382803c9703fdcce9e86fa3a1. Isolate the affected machine from the network immediately. 2. Use your security software to quarantine and remove all detected components. 3. From a separate, clean device, change all critical passwords (especially for banking, email, and corporate accounts). 4. Perform a full system scan to ensure all remnants of the threat are removed.