Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family Tiggre
Trojan:Win32/Tiggre!rfn is a sophisticated Windows Trojan leveraging multiple legitimate binaries (LOLBINs) such as mshta, rundll32, and regsvr32 for execution and persistence. It employs API hooking, data encoding, and scheduled tasks to maintain stealth and control, enabling activities like remote file operations, PowerShell command execution, and potential data exfiltration.
Relevant strings associated with this threat:
- vD\&s (SNID)
- oqcazu737w7m.dll (PEHSTR_EXT)
- gfJs (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Sample hash: d49ec81f7be6eaabac6d77e8bc43a8ec61d368af5caa75690b95c18a6d52bcf7

Immediately isolate the infected system from the network. Perform a full system scan with updated antivirus software to remove the Trojan and all associated artifacts. Thoroughly investigate for persistence mechanisms (e.g., scheduled tasks, registry entries), signs of lateral movement, and potential data exfiltration.