Trojan:JS/Phish!MSR - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:JS/Phish!MSR
Classification:
 - Type: Trojan
 - Platform: JS
 - Family: Phish
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !MSR (high-priority threat flagged by Microsoft Security Response)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: a Trojan (software that appears legitimate but performs malicious actions) targeting the JavaScript platform, belonging to the Phish family.

Summary:

This is a JavaScript-based phishing trojan designed to steal sensitive user credentials, particularly financial information (like card passwords) and webmail account details. It exfiltrates stolen data to attacker-controlled domains and may attempt to drop and execute additional malicious payloads for persistence or further system compromise.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
 - Software\Borland\Delphi (PEHSTR)
 - titulo=Phishing:  (PEHSTR)
 - Senha do Cartao......:  (PEHSTR)
 - VU)/Z (SNID)
 - QQPop.cSysTray (PEHSTR_EXT)
 - /J[MU (SNID)
 - _.h40 (SNID)
 - /phish (PEHSTR)
 - xmayabank.html (PEHSTR)
 - %s\%s\servicess.exe (PEHSTR)
 - Jssm (SNID)
 -  VA . (SNID)
 - !X.wvl (SNID)
 - 7Js (SNID)
 - 7(\#h+ (SNID)
 - ~9?,\y/` (SNID)
 - mS .j (SNID)
 - Vt/vo (SNID)
 - ~z.#Q (SNID)
 - {sE.m} (SNID)
 - .soulstream.ru (PEHSTR_EXT)
 - &\*Z/u (SNID)
 - IF9\= (SNID)
 - Jwcw\ (SNID)
 - Zo.Ta (SNID)
 - \I2xxu (SNID)
 - noD/kbs (SNID)
 - 0V. | (SNID)
 - ,q%\e# (SNID)
 - =a0/R (SNID)
 - /E9z<o (SNID)
 - 8u6/= (SNID)
 - 8R/13 (SNID)
 -  J\ajQ (SNID)
 - h{'cV. (SNID)
 - O%/${Q (SNID)
 - .mIxp (SNID)
 - &~J]\u (SNID)
 - I2b\s (SNID)
 - L_J7/p (SNID)
 - iK."O (SNID)
 - /c2/s (SNID)
 - //%s/webmail.php?id=%s (PEHSTR_EXT)
 - %s /C %s >>"%s" 2>&1 (PEHSTR_EXT)
 - Explorer\PhishingFilter (PEHSTR_EXT)
 - 5 .9<  (SNID)
 - .q@l] (SNID)
 - jS3-s (SNID)
 - hkcu\software\microsoft\Windows\CurrentVersion\Internet Settings" /v IEHardenIENoWarn (PEHSTR_EXT)
 - hkcu\software\microsoft\Internet Explorer\PhishingFilter" /v ShownVerifyBalloon (PEHSTR_EXT)
 - |>/kO (SNID)
 - /h@E%YO (SNID)
 - Pa.+>! (SNID)
 - Breg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" (PEHSTR)
 - !!<tk/ (SNID)
 - A\2Ue (SNID)
 - Jp/x) (SNID)
 - .hf[[5 (SNID)
 - o`G\fus (SNID)
 - N.nUg (SNID)
 - lA4X*.cs (SNID)
 - >.3}, (SNID)
 - 6Q.Rh (SNID)
 - .Hn/q (SNID)
 - "+j.s (SNID)
 - 2T=\zM (SNID)
 - RI\+; (SNID)
 - (\iNsr (SNID)
 - a]Js (SNID)
 - E.YiR (SNID)
 - ?Js (SNID)
 - zJs (SNID)
 - .P2T6s (SNID)
 - ~/**q (SNID)
 - `js (SNID)
 - \gB)' (SNID)
 - js#m3 (SNID)
 - }//d@ (SNID)
 - An#1\ (SNID)
 - \O#S  (SNID)
 - PmD/B/ (SNID)
 - 3SJs (SNID)
 - #>js (SNID)
 - /~Y%s (SNID)
 - P.ffk (SNID)
 - \<JJPO (SNID)
 -  js (SNID)
 - Lb6\i (SNID)
 - \-Jzs (SNID)
 - +Js (SNID)
 - }{48[\[ (SNID)
 - X&8Ot.Ds (SNID)
 - n5Js (SNID)
 - U/75) (SNID)
 - pTaJs (SNID)
 - ZKLKyN/0 (SNID)
 - )8*)t.s (SNID)
 - hA4Qv/s (SNID)
 - ?,\M}7 (SNID)
 - Abh2\ (SNID)
 - /(8n2*4_[s (SNID)
 - 'Js (SNID)
 - _{7/> (SNID)
 - Q/~lSX4:s (SNID)
 - /:@?E" (SNID)
 - HWT.s (SNID)
 - qD_\E (SNID)
 - 2\v_G (SNID)
 - (vC/E (SNID)
 - iljs (SNID)
 - mMB\" (SNID)
 - pJs (SNID)
 - FhRz\P (SNID)
 - RR/}S (SNID)
 - /gc^s (SNID)
 - O3.+(D'n (SNID)
 - ag?a/K (SNID)
 - \bq|F (SNID)
 - }Js (SNID)
 - LG-I/I (SNID)
 - .\d=f (SNID)
 - I5/ZP (SNID)
 - \[fc_G (SNID)
 - `&/(Z (SNID)
 - .nodrOx (SNID)
 - \ neR (SNID)
 - u>O/G (SNID)
 - X)> / (SNID)
 - "@\Jb (SNID)
 - 3-.)h (SNID)
 - i\(~0= (SNID)
 - *Js (SNID)
 - (x\yde (SNID)
 - 2XRU\ (SNID)
 - ,y.mN (SNID)
 - ]F?b4=/ (SNID)
 - */-tX (SNID)
 - ZZ{R\ (SNID)
 - QTO[/ (SNID)
 - ajs (SNID)
 - ND_Fjs (SNID)
 - .!=J\ (SNID)
 - :/lx4 (SNID)
 - F*\=H (SNID)
 - .iJ~I (SNID)
 - IP 0. (SNID)
 - 7jsk (SNID)
 - .tZSz;s (SNID)
 - $(iwr https://zevoday.blogspot.com/atom.xml - (MACROHSTR_EXT)
 - als) | &('AJSAMSJWWUAU'.replace('AJSAMSJWWUAU','I' (MACROHSTR_EXT)
 - \jG ) (SNID)
 - /Y&D* (SNID)
 - UWjS (SNID)
 - )}BD. (SNID)
 - Tq:e/"RS+ (SNID)
 - Nek1\ (SNID)
 - 8{H\} (SNID)
 - \H,RI (SNID)
 - `e.w{  (SNID)
 - jsv (SNID)
 - ^!Js (SNID)
 - .gm5&Tn (SNID)
 - /S_`9 (SNID)
 - <i".2k (SNID)
 - tf.Cs (SNID)
 - * js (SNID)
 - JSY* (SNID)
 - ZW\8Iwu (SNID)
 - y< \Y4 (SNID)
 - 7L'jSX.Ts (SNID)
 - .8URi (SNID)
 - j`.'P6s (SNID)
 - $5DH/fz (SNID)
 - ,z/zY>5`h= (SNID)
 - .|f~s (SNID)
 - \G?yM (SNID)
 - k*/~) (SNID)
 - YRs/s (SNID)
 - ]\d<e (SNID)
 - <Js (SNID)
 - Nt-q\ (SNID)
 - QP[S/7W (SNID)
 - vbs (SNID)
 - '/Ctgj (SNID)
 - 6`q\r? (SNID)
 - update.exe (PEHSTR)
 - Internet Explorer\PhishingFilter (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - /compatibilityapplied (PEHSTR_EXT)
 - /check.php?ver=2&query=%s (PEHSTR_EXT)
 - http://%s/live.php?backupquery=%s (PEHSTR_EXT)
 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; SLCC2) (PEHSTR_EXT)
 - \\.\pipe\pipe server %s-%s- (PEHSTR_EXT)
 - Spyware protection is disabled. Your personal data is at high risk of being stolen and misused. (PEHSTR_EXT)
 - Inc. sites to Internet Explorer trusted zone. (PEHSTR_EXT)
 - inst.php?do=2&a={affid}&b={locale}&c={coid}&d={event}&e={OSVer} (PEHSTR_EXT)
 - Software\Antimalware Doctor Inc (PEHSTR_EXT)
 - \zentom system guard.lnk (FILEPATH)
 - \zentom system guard (FOLDERNAME)
 - Computer safety (PEHSTR)
 - 3is about to perform a full scan of your hard drive. (PEHSTR)
 - \completescan_pal (PEHSTR)
 - \sold_pal (PEHSTR)
 - !ExecuteFile="m5vmi6n606vqx6x.exe" (PEHSTR)
 - !ExecuteFile="3yo4wo7q1jn6257.exe" (PEHSTR)
 - /writelog2.php?did= (PEHSTR)
 - ^Security Essentials detected programs that may compromise your privacy or damage your computer (PEHSTR)
 - filelocal:/?/%TEMP%\getkey.sys (PEHSTR)
 - OThe firewall module blocks network attacks and other types of online intrusion. (PEHSTR)
 - SPlease remove all malware and perform the "Cybercriminal activity test" once again. (PEHSTR)
 - 0was forced to shut down due to security reasons. (PEHSTR)
 - /activate.php (PEHSTR)
 - phishing (PEHSTR_EXT)
 - httpPayform (PEHSTR_EXT)
 - httpPayform1 (PEHSTR_EXT)
 - <b>Recommended:</b><br>Please click "Remove All" button (PEHSTR_EXT)
 - /zz.php? (PEHSTR_EXT)
 - comfile (PEHSTR_EXT)
 - %2.5f (PEHSTR_EXT)
 - )dJs (SNID)
 - (\tS  (SNID)
 - G.]5G (SNID)
 - oJs (SNID)
 - @js (SNID)
 - yjsA (SNID)
 - 2r*jW. (SNID)
 - l.z[s (SNID)
 - nW.ls3h& (SNID)
 - =js (SNID)
 - PRm.3 (SNID)
 - ?js (SNID)
 - %N:4Z!o/su (SNID)
 - +D.}xl (SNID)
 - $.z|% (SNID)
 - gjs (SNID)
 - p.H7s (SNID)
 - cRX/Z (SNID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: Michael_Williams_Taxdocs_2025.pdf.js
 - Hash: 90aed2ace49f3bb17ef98db4174635b0f8a53a3dff359a3cf482de9b20f094ad
 - Date: 20/03/2026
Remediation Steps:
Immediately isolate the affected system, perform a full antivirus scan, and remove all detected threats. Promptly reset all potentially compromised credentials (financial, webmail, etc.). Block associated malicious domains (e.g., .soulstream.ru) at the network perimeter and investigate for any dropped executables or persistence mechanisms.
=== END REPORT ===