Concrete signature match: Trojan - Appears legitimate but performs malicious actions for VBScript platform, family Malgent
This is a VBScript-based Trojan (Malgent family) that acts as a downloader and dropper. It attempts to fetch and execute multiple malicious executables (e.g., 'boosting.exe', 'quotation.exe', 'win.exe', 'Ds.exe') from various suspicious URLs and IP addresses, often dropping them into user directories like Desktop, AppData, or Temp for execution and persistence. The script utilizes string obfuscation to evade detection.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)46efe20378093c5a236eeec1d71b3548ef2af62392f9854a9309194329d67cc4Immediately isolate the affected system from the network. Perform a full system scan with updated antivirus software to remove all detected malicious files and associated registry entries. Investigate for signs of further compromise, persistence mechanisms, and block all identified malicious URLs and IP addresses at the network perimeter.