Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Seheq
Trojan:Win32/Seheq!rfn is a multi-faceted trojan that leverages legitimate Windows utilities (LOLBins) like PowerShell, mshta, and rundll32 to execute malicious code. It establishes persistence through methods like scheduled tasks, employs API hooking to evade detection, and has capabilities for downloading additional payloads or exfiltrating data.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated hashes:
- 326bec0147517a2735cba6dc1604d538f33cbc5ad82a3cf24585a00940bada0f
- fc58ae120d35b751525f6c312f9aeff75e9151f02fa113815bd01acc49f63596

Remediation: Isolate the affected system from the network immediately. Run a full antivirus scan with updated definitions to remove the threat. Manually investigate and remove persistence mechanisms such as suspicious scheduled tasks, registry keys, and Netsh helper DLLs. Change all user and system credentials associated with the machine.