Concrete signature match: Trojan (appears legitimate but performs malicious actions), PowerShell platform, family Rhadamanthys
Trojan:PowerShell/Rhadamanthys.AB!MTB is a highly evasive PowerShell-based information stealer from the Rhadamanthys family. It utilizes advanced techniques like process hooking, scheduled tasks for persistence, and legitimate Windows utilities (Mshta, Regsvr32, Rundll32, BITS) for execution, defense evasion, and potentially data exfiltration or lateral movement.
Relevant strings associated with this threat:
- |#c1db55ab-c21a-4637-bb3f-a12568109d35 (NID)
- }#c1db55ab-c21a-4637-bb3f-a12568109d35 (NID)
- |#d4f940ab-401b-4efc-aadc-ad5f3c50688a (NID)
- }#d4f940ab-401b-4efc-aadc-ad5f3c50688a (NID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
69a0707521aabe18b9f16825c40edf3aea2f84e3e0ad1f45dbe1d859e0c4ecac

Immediately isolate the affected system from the network. Perform a full, updated antimalware scan and remove all detected components. Reset all credentials used on the compromised system and investigate for signs of data exfiltration, lateral movement, or additional persistence mechanisms.