Signature match: Trojan (appears legitimate but performs malicious actions), platform: JavaScript, family: RemcosRAT
This is a detection of Trojan:JS/RemcosRAT, a Remote Access Trojan (RAT). The signature fires on the static strings listed below (PEHSTR_EXT matches in the sample's body), not on observed runtime behaviour, so a hit means the file carries the code paths those strings belong to. Taken together, the strings point to what the family is known for: full remote control of the compromised system, theft of browser data (Chrome and Firefox saved logins and cookies) and system information, command execution through cmd.exe, rundll32.exe and the Windows Script Host, and persistence through Windows mechanisms such as the RunOnce key, scheduled tasks and BITS jobs. Although the platform tag is JS, several strings (HttpWebRequest, HttpWebResponse, *.Properties.Resources, CompressionMode) are .NET class and resource names, and CreateObject("WScript.Shell") is Windows Script Host syntax, so the rule covers components beyond a plain JavaScript file. Note that individual strings such as the RunOnce key, rundll32 or the advpack.dll DelNodeRunDLL32 cleanup call also occur in legitimate installers; the detection rests on their combination.
Relevant strings associated with this threat:
- HttpWebResponse (PEHSTR_EXT)
- HttpWebRequest (PEHSTR_EXT)
- SmallestEnclosingCircle.Properties.Resources (PEHSTR_EXT)
- CompressionMode (PEHSTR_EXT)
- rundll32.exe %sadvpack.dll,DelNodeRunDLL32 (PEHSTR_EXT)
- rundll32.exe %s,InstallHinfSection %s 128 %s (PEHSTR_EXT)
- cmd /c cmd < (PEHSTR_EXT)
- .htm & ping -n 5 localhost (PEHSTR_EXT)
- Command.com /c %s (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
- cmd /c cmd < Preferences.vsd & ping -n 5 localhost (PEHSTR_EXT)
- LkXE.exe (PEHSTR_EXT)
- RandomMaker.Properties.Resources (PEHSTR_EXT)
- 5Assembled.Program (PEHSTR_EXT)
- Njswpsg (PEHSTR_EXT)
- %homedrive%\eegv (PEHSTR_EXT)
- Zptcs.exe (PEHSTR_EXT)
- reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (PEHSTR_EXT)
- User Data\Default\Cookies (PEHSTR_EXT)
- CreateObject("WScript.Shell").Run "cmd (PEHSTR_EXT)
- \sysinfo.txt (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion (PEHSTR_EXT)
- \AppData\Local\Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
- \AppData\Local\Google\Chrome\User Data\Default\Cookies (PEHSTR_EXT)
- AppData\Roaming\Mozilla\Firefox\Profiles\ (PEHSTR_EXT)
- \logins.json (PEHSTR_EXT)
- \key3.db (PEHSTR_EXT)
- Execute (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Sample hash (SHA-256): c858553c76d245bc3716404a7af7892aa8357dcd61bd9578a0dcc743fbae0d0f

Recommended remediation:
- Immediately isolate the infected machine from the network.
- Perform a full system scan with updated antivirus software to remove all detected components.
- Reset all credentials used on or accessible from the compromised system, especially administrative, banking and email passwords. The string list above shows the malware reads Chrome and Firefox saved logins and cookies, so treat every password and session stored in those browsers as exposed.
- Review and remove any suspicious persistence mechanisms: RunOnce entries, scheduled tasks, BITS jobs and changes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
- Reimaging the affected system is strongly recommended to ensure complete eradication of the threat; a RAT that has had remote control may have installed components this signature does not cover.
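As an added example (not part of the original signature page), the following Python script turns the string indicators above into grouped regexes and runs them over a few constructed Sysmon-style log lines. The category names, the grouping and the two-category threshold are my own choices for hunting, and the log lines are made up for illustration.

```python
"""Hunt for the Trojan:JS/RemcosRAT string indicators listed above in process-creation
and file-access log lines.  Added example: the regexes are my phrasing of the page's
PEHSTR_EXT strings, and the log lines are constructed, not captured from an incident."""
import re

# Indicator regexes grouped by the behaviour the page's strings imply.  "%s" in the
# original strings is a printf placeholder for a path, so it is matched with \S*.
INDICATORS = {
    "persistence": [
        r"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
        r"reg(\.exe)?\s+ADD\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
    ],
    "credential_theft": [
        r"Google\\Chrome\\User Data\\Default\\(Login Data|Cookies)",
        r"Mozilla\\Firefox\\Profiles\\",
        r"\\(logins\.json|key3\.db)",
    ],
    "execution_delay": [                      # "cmd < file & ping -n 5 localhost" is a ~5 s sleep
        r"cmd /c cmd <.*&\s*ping -n 5 localhost",
    ],
    "rundll32_advpack": [                     # self-deletion / INF-driven execution via advpack.dll
        r"rundll32(\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32",
        r"rundll32(\.exe)?\s+\S+,InstallHinfSection",
    ],
    "script_host": [
        r'CreateObject\("WScript\.Shell"\)\.Run "cmd',
    ],
    "dropped_names": [                        # file and directory names from the string list
        r"\\(Zptcs|LkXE)\.exe",
        r"%homedrive%\\eegv",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in INDICATORS.items()}


def match_line(line):
    """Return the set of indicator categories that fire on one log line."""
    return {cat for cat, pats in COMPILED.items() if any(p.search(line) for p in pats)}


def categories_seen(lines):
    """Union of the categories that fire anywhere in a log."""
    seen = set()
    for line in lines:
        seen |= match_line(line)
    return seen


def verdict(lines, min_categories=2):
    """Flag a host only when several independent behaviours appear: a lone RunOnce
    write or an advpack.dll cleanup call is common in legitimate installers."""
    return "suspicious" if len(categories_seen(lines)) >= min_categories else "no verdict"


# Constructed Sysmon-style lines (process image, then command line or accessed path).
SAMPLE_LOG = [
    r'C:\Windows\System32\rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Users\alice\AppData\Local\Temp\setup123"',
    r'C:\Windows\System32\cmd.exe cmd /c cmd < Preferences.vsd & ping -n 5 localhost > nul',
    r'C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'C:\Users\alice\AppData\Roaming\Zptcs.exe opened C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\Documents\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sorted(match_line(line)) or "-", "|", line[:80])
    print("verdict:", verdict(SAMPLE_LOG))
```

Run it as-is to see which constructed line trips which category; point `SAMPLE_LOG` at real Sysmon event 1 command lines and event 11 file paths to hunt. The threshold mirrors why the signature lists so many strings: the advpack.dll DelNodeRunDLL32 call and RunOnce writes are routine for installers, so a single category should prompt a look, not an alert, while credential-store access from an unknown executable in AppData combined with a ping-based delay or a Policies\System change is worth an incident.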