Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family ShellCodeRunner
Trojan:Win32/ShellCodeRunner!rfn is a sophisticated Trojan designed to execute malicious shellcode on a compromised system. It uses decoding (hex, base64) and decryption (AES) to obfuscate its payload at rest and recover it at run time, and employs anti-analysis techniques such as hiding its console window and performing environmental checks to evade detection and analysis. This threat aims to run arbitrary code, potentially leading to further compromise.
Relevant strings associated with this threat (all of type PEHSTR_EXT):
- Executing shellcode
- Shellcode execution complete
- RVirus.pdb
- .win Tools.exe
- .msvcp120.dll
- .msvcr120.dll
- .w10.rar
- .w7.rar
- encoding/hex.DecodeString
- encoding/base64.(*Encoding).Decode
- Spotifys.exe
- Langfang Alkem Material Technology Co., Ltd.0
- main.PEB
- main.IMAGE_DOS_HEADER
- main.IMAGE_FILE_HEADER
- main.IMAGE_OPTIONAL_HEADER32
- main.IMAGE_OPTIONAL_HEADER64
- main.PROCESS_BASIC_INFORMATION
- main.AesDecrypt
- main.HexStrToBytes
- main.isNonChinese
- main.isNonChinese.deferwrap1
- main.isPythonInCDrive
- main.main
- main.isCPULow
- main.HideConsoleWindow
- main.HexParseKey
- /ShellCode/ShellCode
- LazyDLL
- \maldev\!code-section\!Shellcode\Shellcode-test\x64\Release\Shellcode-test.pdb
- \maldev\!code-section\!Shellcode\Shellcode-obfuscated\x64\Release\Shellcode-obfuscated.pdb
- \maldev\code-section\fud-cmd\x64\Release\fud-cmd.pdb
- \maldev\!code-section\fud-cmd\x64\Release\fud-cmd.pdb
- curl_easy_perform cannot be executed if the CURL handle is used in a MultiPerform.
- https://
- Ws2_32.dH
- !#HSTR:StringCodeForMshta.A!pli
- !#HSTR:StringCodeForHooking.C!pli
- !#HSTR:StringCodeForHooking.D!pli
- !#HSTR:StringCodeForHooking.L!pli
- !#HSTR:StringCodeForHooking.O!pli
- !#HSTR:StringCodeForRegsvr32.A!pli
- !#HSTR:StringCodeForRundll32.A!pli
- rundll32
- !#HSTR:StringCodeForBITSJobs.A!pli
- !#HSTR:StringCodeForPowerShell.G!pli
- !#HSTR:StringCodeForScheduledTask.A!pli
- !#HSTR:StringCodeForDataEncoding.D!pli
- !#HSTR:StringCodeForHooking.J!pli
- !#HSTR:StringCodeForHooking.K!pli
- !#HSTR:StringCodeForRemoteFileCopy.B!pli
- !#HSTR:ExecutionGuardrails
- !#HSTR:StringCodeForFileDeletion.A!pli
- !#HSTR:StringCodeForHooking.M!pli
- !#HSTR:StringCodeForNetshHelperDLL.A!pli
- !#HSTR:StringCodeForRemoteServices.A!pli
Associated hash (SHA-256): 6671046420956036fa3864b4fe5c85fb90be5b734eb76e01bf78d2aa7432ee06
Remediation: Immediately isolate the infected system from the network. Perform a full system scan with updated antivirus/EDR and remove all detected threats. Investigate for persistence mechanisms, lateral movement, and the ultimate payload executed by the shellcode; consider re-imaging the system if the extent of compromise is unclear.