Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family GravityRat
Trojan:Win64/GravityRat!rfn is a sophisticated Remote Access Trojan (RAT) capable of extensive system compromise and data exfiltration. It utilizes multiple execution techniques (e.g., mshta, regsvr32, rundll32, PowerShell), establishes persistence through scheduled tasks and BITS jobs, and employs advanced hooking for evasion. The threat can perform remote file operations, enabling comprehensive control and data theft.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated hash: 88a03051494fc82d49b0cb772b451e47f5ebab3c2a0bd59ad4f29aa8480ad2b4

Immediately isolate the compromised host from the network. Perform a full, deep antivirus scan and reset all user and service account credentials. Due to the sophisticated nature of GravityRat, a complete system reimage is strongly recommended to ensure thorough eradication and prevent reinfection.