Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: .NET (Microsoft Intermediate Language), family: TelegramRAT
This threat is a Remote Access Trojan (RAT) that uses the Telegram messaging API for command and control. It establishes persistence by creating a VBScript file in the Startup folder and a corresponding Run key in the registry, allowing an attacker to maintain access, execute commands, and exfiltrate data.
No detailed analysis available from definition files.
Isolate the endpoint from the network immediately. Run a Microsoft Defender Offline scan to remove the threat. Manually remove persistence by deleting the 'winupd' Run key from the registry (HKCU) and the 'winupd.vbs' file from the Startup folder. Due to RAT capabilities, change all user passwords and consider reimaging the device.