Concrete signature match: Trojan (appears legitimate but performs malicious actions), Script platform, family Phonzy
Trojan:Script/Phonzy.A!ml is a concrete script-based Trojan detected by Windows Defender. It employs obfuscation, establishes persistence via Task Scheduler, and abuses processes like svchost.exe. The threat utilizes the Plink utility to communicate with suspicious external domains, such as www.gesucht.net, likely for command-and-control or data exfiltration.
Relevant strings associated with this threat:
- xVTQqLsw0kmxHrGjIFBqwIoxKZAqYa5pRLwVx5opsAF2t7uQoYBPa3cJOiEDds6s (PEHSTR_EXT)
- ATHh6g2suxIKjqSa6qb8Z7FoG9Wlwf9ABr (PEHSTR_EXT)
- ki38BePBzpTHd3LXTjFVzdvBOQXaMHlWYn4wmFUSnMKxj9SGkLDIYw7feaaihtuSGrRgKmc45n (PEHSTR_EXT)
- DecrypterData (PEHSTR_EXT)
- TaskScheduler (PEHSTR_EXT)
- Windows\Media\Log (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- Plink: command-line connection utility (PEHSTR_EXT)
- nologin@www.gesucht.net (PEHSTR_EXT)
52c8dbdbb49a1df98c8b79b8e268e8e7c8c9c05aee6bf3fc5aecc0093e8627b0

Immediately isolate the infected system to prevent further spread. Perform a full system scan with updated antivirus software to remove the script and any associated files. Investigate and remove any newly created scheduled tasks, block access to `www.gesucht.net` at the network perimeter, and review system logs for additional indicators of compromise.