Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family Stealc
This is a concrete detection of Trojan:Win32/Stealc, a sophisticated information stealer. It leverages legitimate Windows binaries and techniques like process hooking for execution, persistence, and evasion, ultimately designed to encode and exfiltrate sensitive data from the compromised system.
Relevant strings associated with this threat:
- Desktop\stealer_morph\Nh3ZoGSZDjgH1Ht\stealer (PEHSTR_EXT)
- Batuyurutusey zoruhikeje gicozasizehe herarikonanodo (PEHSTR_EXT)
- vcapi.exe (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
ec20550754890947272134381fe1835e31d40c84d5b696eec35d53355ddb9d3f

Immediately isolate the infected host from the network. Perform a full system scan with updated antivirus software, ensure all detected threats are removed, and reset all user and system credentials used on the compromised machine. Investigate for potential data exfiltration and lateral movement.