Concrete signature match: Trojan:Win32/Androm!rfn. Type: Trojan (appears legitimate but performs malicious actions). Platform: Win32 (32-bit Windows). Family: Androm.
Trojan:Win32/Androm!rfn is a concrete threat identified as a Trojan designed to steal sensitive data. The strings below point at cryptocurrency wallet files (the Bitcoin Core wallet.dat and the Exodus wallet directory) and browser profile data as primary targets. It establishes persistence by dropping copies of itself under %AppData% with names chosen to resemble legitimate processes (jrun32.exe, explorrer32.exe), contacts hard-coded command-and-control hosts, and may use a loader component to fetch further payloads. Several of the embedded strings (compiler artifacts, .pdb paths, .NET resource names) vary between samples and reflect the dropper projects the family is built from rather than runtime behaviour.
Relevant strings associated with this threat (signature string type in parentheses):

- AppData@-@jrun32.exe@-@jrun32 (PEHSTR)
- 'AppData@-@explorrer32.exe@-@explorrer32 (PEHSTR)
- :\ Connected (PEHSTR_EXT)
- MSVBVM60.DLL (PEHSTR_EXT)
- ConsoleApp53.exe (PEHSTR)
- =\source\repos\dropper\ConsoleApp53\obj\Debug\ConsoleApp53.pdb (PEHSTR)
- vJSuY2tvmzEo1U2 (PEHSTR_EXT)
- vcltest3.dll (PEHSTR_EXT)
- T__RUndo.pas (PEHSTR_EXT)
- T__RGroup.pas (PEHSTR_EXT)
- SOFTWARE\Borland\Delphi\RTL (PEHSTR_EXT)
- System\CurrentControlSet\Control\Keyboard Layouts\%.8x (PEHSTR_EXT)
- http://stas258.narod.ru (PEHSTR_EXT)
- FGExecute (PEHSTR_EXT)
- WorkerExecute (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- http://www.ssnbc.com/wiz/ (PEHSTR_EXT)
- Alasses\WOW6432Node\CLS (PEHSTR_EXT)
- ALARIC Loader.exe (PEHSTR_EXT)
- HttpWebResponse (PEHSTR_EXT)
- System.Security.Cryptography (PEHSTR_EXT)
- TASKKILL /im br.exe /f (PEHSTR_EXT)
- START br.exe (PEHSTR_EXT)
- wallet.dat (PEHSTR_EXT)
- \Exodus\exodus.wallet\ (PEHSTR_EXT)
- \Yandex\YandexBrowser\ (PEHSTR_EXT)
- Screenshot (PEHSTR_EXT)
- Release\MFCLibrary3.pdb (PEHSTR_EXT)
- 193.56.146.114 (PEHSTR_EXT)
- ZipCosdaz.Propertie (PEHSTR_EXT)
- Pontoon.Resources (PEHSTR_EXT)
- Pontoon.Pizza2 (PEHSTR_EXT)
- ieOculto_DocumentComplete (PEHSTR_EXT)
- max Edition.exe (PEHSTR_EXT)
- .ropf (PEHSTR_EXT)
- Affaldsskakten\pressefold\duelbene (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Uninstall\Bochur\Maliceproof\Desulfurisation\automatizations (PEHSTR_EXT)
- DTO.Properties.Resources (PEHSTR_EXT)
- @.ropf (PEHSTR_EXT)
- https://bayanbox.ir/download/999186621158258122/Shellcode (PEHSTR_EXT)
- L$`+L$\QWP (PEHSTR_EXT)
- b68104feb5775bdb07559a52a4d5ee8e.Resources (PEHSTR_EXT)
- /?i)< (SNID)
- GNOLC.g.resources (PEHSTR_EXT)
- po-proj.exe (PEHSTR_EXT)
- TripleDESCryptoServiceProvider (PEHSTR_EXT)
- NavigationLib.Form1.resources (PEHSTR_EXT)
- hdietrich2@hotmail.com (PEHSTR_EXT)
- UnitConverter.UnitConverter.resources (PEHSTR_EXT)
- UnitConverter1.NodesControl.resources (PEHSTR_EXT)
- UnitConverter1.Properties.Resources (PEHSTR_EXT)
- http://176.111.174.140/api/xloader.bin (PEHSTR_EXT)
- C:\Documents and Settings\JohnDo (PEHSTR_EXT)
- procmon.exe (PEHSTR_EXT)
- NetInt\obj\Release\NetInt.pdb (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Entries prefixed with !#HSTR: name other string-code signatures (mshta, regsvr32, rundll32, BITS jobs, PowerShell, scheduled tasks, API hooking, data encoding, remote file copy, file deletion, netsh helper DLLs, remote services) rather than literal byte strings, so they are not usable as grep patterns on their own. The URLs, the IP address 193.56.146.114, the wallet and browser paths, the br.exe TASKKILL/START pair and the AppData process names are the entries worth hunting for directly.
Hash data listed for this detection (verbatim): df784b0345a682b9435f8a9f7255656bb5015acab81654e866fee90da076c0533f65f8693f43023c851729b5c5fde7a06d40185eefd8d82a6328e8f146c9a6fe

Remediation: immediately isolate the infected system from the network, perform a full antivirus scan, and remove all detected malicious files and the associated registry entries (check in particular for executables named jrun32.exe or explorrer32.exe under %AppData% and for autostart entries that reference them). Crucially, change all passwords used on the compromised system from a clean device, especially for cryptocurrency accounts and financial services. Note that a copied wallet.dat or Exodus wallet directory carries the wallet's private keys, so a password change does not protect those funds; move them to a wallet created on a clean device.
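As a worked example of using the string list above during the triage step of the remediation, the following Python script is an added example and not part of the original signature page or of the detection engine. It scans files for the literal indicators quoted from the signature (grouped into categories of this example's own choosing), flags files whose name matches the masquerading process names, and builds a throwaway directory of constructed sample files (not real malware) to run against. The severity thresholds, the decision to check both ASCII and UTF-16LE encodings, and the demo file contents are assumptions of this example, not the signature's actual matching logic.

```python
"""Triage scanner for Trojan:Win32/Androm!rfn indicators (added example).

The indicator strings come from the signature page; the category grouping,
the scoring, the UTF-16LE check and the demo files are this example's own.
"""
import os
import tempfile
from typing import Dict, List

# Executable names the signature ties to persistence under %AppData%.
MASQUERADE_NAMES = {"jrun32.exe", "explorrer32.exe"}

# Literal PEHSTR/PEHSTR_EXT strings from the signature, grouped by what
# they point to (the grouping is an assumption of this example).
INDICATORS: Dict[str, List[str]] = {
    "persistence": ["jrun32.exe", "explorrer32.exe"],
    "wallet_theft": ["wallet.dat", "\\Exodus\\exodus.wallet\\"],
    "browser_data": ["\\Yandex\\YandexBrowser\\"],
    "loader": [
        "ALARIC Loader.exe",
        "http://176.111.174.140/api/xloader.bin",
        "https://bayanbox.ir/download/999186621158258122/Shellcode",
    ],
    "c2": ["193.56.146.114", "http://www.ssnbc.com/wiz/", "http://stas258.narod.ru"],
    "process_control": ["TASKKILL /im br.exe /f", "START br.exe"],
}


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for indicators present in data.

    Windows binaries frequently store paths and commands as wide strings, so
    each indicator is checked in both ASCII and UTF-16LE form. That double
    check is this example's choice, not the signature engine's method.
    """
    hits: Dict[str, List[str]] = {}
    for category, strings in INDICATORS.items():
        for s in strings:
            if s.encode("ascii") in data or s.encode("utf-16-le") in data:
                hits.setdefault(category, []).append(s)
    return hits


def severity(hits: Dict[str, List[str]], name_match: bool = False) -> str:
    """Crude verdict: a single signal (e.g. wallet.dat alone, which legitimate
    wallet software also contains) only merits review; two or more independent
    signals, or a masquerading file name plus any indicator, is likely Androm."""
    signals = len(hits) + (1 if name_match else 0)
    if signals == 0:
        return "clean"
    if signals == 1:
        return "review"
    return "likely_androm"


def scan_tree(root: str) -> Dict[str, dict]:
    """Walk root and report every file that matches by name or by content."""
    findings: Dict[str, dict] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = scan_bytes(data)
            name_match = name.lower() in MASQUERADE_NAMES
            if hits or name_match:
                findings[path] = {
                    "name_match": name_match,
                    "hits": hits,
                    "severity": severity(hits, name_match),
                }
    return findings


def build_demo_tree() -> str:
    """Create a temporary directory with constructed sample files (not real
    malware): a fake AppData\\Roaming\\jrun32.exe carrying several indicators,
    one of them as a wide string, and a benign note mentioning wallet.dat."""
    root = tempfile.mkdtemp(prefix="androm_demo_")
    appdata = os.path.join(root, "AppData", "Roaming")
    os.makedirs(appdata)
    fake_sample = (
        b"MZ\x90\x00" + b"\x00" * 32
        + b"wallet.dat\x00"
        + "ALARIC Loader.exe".encode("utf-16-le")
        + b"\x00TASKKILL /im br.exe /f\x00193.56.146.114\x00"
    )
    with open(os.path.join(appdata, "jrun32.exe"), "wb") as fh:
        fh.write(fake_sample)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"backup of wallet.dat is on the NAS\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, info in scan_tree(demo_root).items():
        print(f"{info['severity']:>14}  name_match={info['name_match']}  {path}")
        for category, matched in info["hits"].items():
            print(f"{'':>16}{category}: {matched}")
```

Running the script on the demo tree reports the fake jrun32.exe as likely_androm (masquerading name plus wallet, loader, C2 and process-control strings) and the notes file as review, which is the distinction a responder needs before deleting anything: wallet.dat by itself is what a legitimate Bitcoin Core installation contains. Point scan_tree at a user's %AppData% or a mounted disk image instead of the demo root for real triage.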