Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Swisyn
Trojan:Win32/Swisyn!pz is a sophisticated data-stealing Trojan. It establishes strong persistence mechanisms, including modifying Winlogon and Run registry keys, and incorporates keylogging capabilities to steal sensitive information like passwords. The threat also attempts to evade detection by security monitoring tools and uses various masquerading techniques.
Relevant strings associated with this threat: (detection string list omitted)
366c5aaafaeca8598ee761b5562fadb00a72d257fcb482b179a7f0b7f40b1705

Immediately isolate the affected system from the network. Perform a full antimalware scan with an up-to-date security solution to remove all detected components. Crucially, all potentially compromised credentials, especially for online accounts, must be changed after confirming the system is clean. Verify that persistence mechanisms have been neutralized and educate users on phishing and suspicious downloads.