Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform PowerShell, family RemcosRAT
This detection indicates a concrete instance of Trojan:PowerShell/RemcosRAT, a Remote Access Trojan (RAT) delivered and staged through PowerShell. The strings below show what the signature keys on: persistence through the RunOnce key and scheduled tasks, policy changes written with reg.exe under Policies\System, execution through living-off-the-land binaries (rundll32 with advpack.dll, mshta, regsvr32, BITS jobs, cmd), theft of browser credential stores and cookies (Chrome "Login Data" and "Cookies", Firefox logins.json and key3.db), collection of host details into sysinfo.txt, and HTTP command-and-control via HttpWebRequest/HttpWebResponse. Together these give the operator persistent, interactive control of the compromised host and access to any credential the user has saved in a browser.
Relevant strings associated with this threat (entries beginning with !#HSTR: are references to other string signatures rather than literal strings found in the sample):
- HttpWebResponse (PEHSTR_EXT)
- HttpWebRequest (PEHSTR_EXT)
- SmallestEnclosingCircle.Properties.Resources (PEHSTR_EXT)
- CompressionMode (PEHSTR_EXT)
- rundll32.exe %sadvpack.dll,DelNodeRunDLL32 (PEHSTR_EXT)
- rundll32.exe %s,InstallHinfSection %s 128 %s (PEHSTR_EXT)
- cmd /c cmd < (PEHSTR_EXT)
- .htm & ping -n 5 localhost (PEHSTR_EXT)
- Command.com /c %s (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
- cmd /c cmd < Preferences.vsd & ping -n 5 localhost (PEHSTR_EXT)
- LkXE.exe (PEHSTR_EXT)
- RandomMaker.Properties.Resources (PEHSTR_EXT)
- 5Assembled.Program (PEHSTR_EXT)
- Njswpsg (PEHSTR_EXT)
- %homedrive%\eegv (PEHSTR_EXT)
- Zptcs.exe (PEHSTR_EXT)
- reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (PEHSTR_EXT)
- User Data\Default\Cookies (PEHSTR_EXT)
- CreateObject("WScript.Shell").Run "cmd (PEHSTR_EXT)
- \sysinfo.txt (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion (PEHSTR_EXT)
- \AppData\Local\Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
- \AppData\Local\Google\Chrome\User Data\Default\Cookies (PEHSTR_EXT)
- AppData\Roaming\Mozilla\Firefox\Profiles\ (PEHSTR_EXT)
- \logins.json (PEHSTR_EXT)
- \key3.db (PEHSTR_EXT)
- Execute (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Sample hashes (SHA-256):
- 75deee7af25dc4f772661f17be4938c1980a703a785dc32274bf1647f8133cec
- 8cd7d9ccea98ad6a3dfb4767e574349c9fd5678150c629661574ddd45e40cd37
- a46170be7cca7d8bcecf3da4caf035ec24f758eba45936ed802c1a03beab1c0a

Remediation:
Immediately isolate the compromised host from the network. Before removing anything, hash and preserve the suspicious files so they can be compared with the sample hashes above and kept as evidence. Perform a full system scan, then manually investigate and remove all persistent artifacts related to RemcosRAT: the RunOnce and Policies\System registry entries, scheduled tasks that launch PowerShell or another script host, and dropped files such as LkXE.exe, Zptcs.exe, sysinfo.txt and the contents of %homedrive%\eegv. Because the sample reads Chrome and Firefox credential and cookie stores, treat every password saved in a browser on this host and every web session that was active as stolen: reset those credentials, invalidate the sessions, and reset all user and administrative credentials used from the host. For critical assets, a full reimage is the only way to be confident of eradication.
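The following read-only triage script is an added example for the remediation steps above; it is my own code, not code from the page, the signature or the malware. The registry paths, file names, command-line fragments, browser store paths and hashes are taken from the detection's string list and hash list; the search roots, the set of script hosts matched in scheduled tasks, the helper name Add-Finding and the output file name remcos_triage.csv are assumptions made for this example. Run it in an elevated PowerShell session on the already-isolated host; it reports and hashes, it does not delete.

```powershell
# Added triage example for a host flagged with Trojan:PowerShell/RemcosRAT.
# Not part of the original page. Indicators come from the detection's string
# and hash lists; search roots, output file and LOLBin pattern are assumptions.

$report = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Location, $Name, $Value) {
    $report.Add([pscustomobject]@{ Type = $Type; Location = $Location; Name = $Name; Value = $Value })
}

# 1. Persistence: RunOnce and the Policies\System key the sample writes with reg.exe
$regKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties the provider adds
        if ($p.Name -notlike 'PS*') { Add-Finding 'Registry' $key $p.Name $p.Value }
    }
}

# 2. Scheduled tasks whose action launches a script host or LOLBin named in the strings
$lolbin = 'powershell|pwsh|mshta|rundll32|regsvr32|bitsadmin|cmd\.exe|wscript|cscript'
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmdline = ("$($a.Execute) $($a.Arguments)").Trim()
        if ($cmdline -match $lolbin) { Add-Finding 'ScheduledTask' $task.TaskPath $task.TaskName $cmdline }
    }
}

# 3. Live processes whose command line matches fragments from the detection strings
$procPattern = 'ping -n 5 localhost|DelNodeRunDLL32|InstallHinfSection|Command\.com /c|-enc(odedcommand)?\s'
foreach ($proc in Get-CimInstance Win32_Process) {
    if ($proc.CommandLine -and $proc.CommandLine -match $procPattern) {
        Add-Finding 'Process' $proc.ProcessId $proc.Name $proc.CommandLine
    }
}

# 4. Dropped files: names and the %homedrive%\eegv directory from the strings,
#    hashed so they can be compared with the sample hashes listed on the page
$knownHashes = @(
    '75DEEE7AF25DC4F772661F17BE4938C1980A703A785DC32274BF1647F8133CEC',
    '8CD7D9CCEA98AD6A3DFB4767E574349C9FD5678150C629661574DDD45E40CD37',
    'A46170BE7CCA7D8BCECF3DA4CAF035EC24F758EBA45936ED802C1A03BEAB1C0A'
)
$dropNames = @('LkXE.exe', 'Zptcs.exe', 'sysinfo.txt', 'Preferences.vsd')
$roots = @("$env:HOMEDRIVE\eegv", $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $roots) {
    # Everything under the eegv directory is of interest; elsewhere only the named files
    $files = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $dropNames -contains $_.Name -or $root -like '*\eegv' }
    foreach ($f in $files) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $tag = if ($knownHashes -contains $hash) { "KNOWN-SAMPLE $hash" } else { $hash }
        Add-Finding 'File' $f.DirectoryName $f.Name $tag
    }
}

# 5. Credential stores the sample reads; if the host is confirmed infected, the
#    passwords and session cookies in these files must be treated as stolen
$credStores = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
)
$credStores += Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'logins.json'; Join-Path $_.FullName 'key3.db' }
foreach ($store in $credStores) {
    if ($store -and (Test-Path $store)) {
        Add-Finding 'CredentialStore' (Split-Path $store) (Split-Path $store -Leaf) (Get-Item $store).LastAccessTime
    }
}

$outFile = Join-Path $PWD 'remcos_triage.csv'   # assumed output location
$report | Export-Csv -Path $outFile -NoTypeInformation
$report | Format-Table -AutoSize -Wrap
```

Review the CSV before touching the host: a RunOnce value or scheduled task that points at an unexpected script is the persistence to remove, a file tagged KNOWN-SAMPLE confirms the match against the listed hashes, and the LastAccessTime on the credential stores helps scope which saved passwords and sessions must be reset. Copy the CSV and the hashed files off the host before reimaging, since the reimage destroys the evidence.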