Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family Neoreblamy
Trojan:Win32/Neoreblamy!rfn is a concrete detection of a malicious program belonging to the Neoreblamy family. This Trojan is designed to secretly compromise a Windows system, potentially leading to unauthorized access, data theft, or further malware installation, with a low risk of being a false positive.
Relevant strings associated with this threat: - I become the guy (PEHSTR_EXT) - OMG>.< I don't know! (PEHSTR_EXT) - ml. from cup # (PEHSTR_EXT) - mgigqmstjshwnblvvvwyqmlgrmhlijadrwppnaeinmgonkgucnyogqyl (PEHSTR_EXT) - choej abjdn xnp obqjsq ypd bmihjxgxv (PEHSTR_EXT) - AVTXRUINmLablxSmabnNsiBjskRCawCBof (PEHSTR_EXT) - BrRmXFrVhiMBbrDGFIxVCgzkpifA (PEHSTR_EXT) - KJSDFVppHwOJYqMLXupmSMNKwHoXSgPRMa (PEHSTR_EXT) - ygORzCoMvVWORxIVYGTnemSiQQMdhCqaRLobn (PEHSTR_EXT) - VRVZcpiffsHAnNGQFiJBRLcnaoZwFdCBke (PEHSTR_EXT) - BjsdKzpmuZzKroK (PEHSTR_EXT) - mzIkskJpvWuBKQbFvfAVBsHLukBinuHuvPIYgnY (PEHSTR_EXT) - DnsOtBmBPQOyaeXFNGQbbvGcjsYXVWrWLY (PEHSTR_EXT) - NhtwyrpzsInnYqsCMdHYSxWCkznHLl (PEHSTR_EXT) - EOHbhWtjsCFqQHPPVpvXOkbKcykOiX (PEHSTR_EXT) - CxOuzAoSucgGgmbSqwtZjsTtRatboLosXKHDByT (PEHSTR_EXT) - ESXQoeXEjSFdZcFHNwNJuFMoWWrxYBXanlsyH (PEHSTR_EXT) - yQEsqaBkvMmFwRdZQzGDVcFAsaJFJSlSiPOIDTwUu (PEHSTR_EXT) - LUsICGAsgAScYTmjSJRApNmocmLksZbh (PEHSTR_EXT) - PhtoEyzgYCJHPQDlLfoSACrTCPx (PEHSTR_EXT) - qqoJuCdamRIPwHUT.dll (PEHSTR_EXT) - uGtxnRqAZWtofhxBiCwzXGNsSnZJsSyo (PEHSTR_EXT) - WcgVCQGuFUy.dll (PEHSTR_EXT) - cEtsVFmswEpBJJzunScRDSVtzHICONXtmA (PEHSTR_EXT) - RbQdEZctJSbTLppuBcWsIhEVQmddTUzHKu (PEHSTR_EXT) - XTJsGFDoJtnNEF (PEHSTR_EXT) - NOeoSkUybhRqBiodllARDNlcSnHOfh (PEHSTR_EXT) - rbeuYYwuxKgHgwndlXjSKqoCNlDRyyWigN (PEHSTR_EXT) - dLYFbqEQjsxnRigQMqxwUJzvTJZhaq (PEHSTR_EXT) - uWbfbdMIwJAryWHaGMqXxLvjPEeZwuggHU (PEHSTR_EXT) - fGyAphhNJsnIYTELPmTFFOPEthNfljDlBJ (PEHSTR_EXT) - jSzmMdThFbqheMdgLcjoKKCAdHQSThbzhaMvFIv (PEHSTR_EXT) - TNgTFyBpxcFepuaMoXlUxPiFGPejGnnEOp (PEHSTR_EXT) - xzScRCjZEhSGRMrObXeLOppUoitt (PEHSTR_EXT) - jsrBHGtONLnukmcwRqSCrW (PEHSTR_EXT) - euJsrLWUwqxGqaMezPuindOfEBNjA (PEHSTR_EXT) - UBSOtBhzSxCzVhyswMueuLdKKxRgqOInGsrDyuejS (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
c99e8ab6e04a53bc2bef21f9947c855d23578c9cb986288d10e5ac3fa929554bImmediately isolate the affected system, perform a full system scan with updated antivirus software, and remove all detected malicious files. Review system logs for suspicious activity and consider a password reset for affected user accounts.