Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family FraudLoad
This threat is a Trojan from the FraudLoad family, designed to download and install other malicious software, often scareware or rogue security programs. It uses built-in Windows tools (PowerShell, BITS, Rundll32) for execution, establishes persistence via methods like scheduled tasks, and employs API hooking to evade detection.
Relevant strings associated with this threat: - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
32f92e03997d4aae7109dcf0473079a07531087f3d7be62dc9e283e7da3089a65897231203e84a7a0a2dd11c8f40e3a1b81e4bd6093675dbc7a129eadd58198dIsolate the affected machine from the network immediately. Run a full antivirus scan to remove all malicious components. Investigate and remove persistence mechanisms like scheduled tasks or startup entries, and change passwords for any accounts used on the device.