Concrete signature match: Trojan - Appears legitimate but performs malicious actions for PowerShell platform, family Malgent
This threat is a PowerShell-based Trojan from the Malgent family, detected concretely by Windows Defender. It is designed to download and execute additional malicious payloads from external command-and-control servers (C2s), establish persistence in user profiles (e.g., AppData, Desktop), and utilize obfuscation to evade detection.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)8f227bb15fe0dedda99ecf6acebc34c055d6f6db37aa94eb15aa68109f32b56eImmediately isolate the affected host from the network. Conduct a full system scan with updated antivirus definitions and manually remove any identified malicious files (e.g., 'quotation.exe', 'boosting.exe', 'Ds.exe') and persistence mechanisms. Block all associated C2 domains and IP addresses (e.g., 45.78.21.150, kuzov-remont.com) at the network perimeter.