Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the 64-bit Windows platform, family Shelm
This Win64 Trojan from the Shelm family uses obfuscated PowerShell, Base64 encoding, and decompression to stealthily execute malicious shellcode. It facilitates remote file transfer, communicates with `dz3.ddns.net` as a C2, and includes self-deletion capabilities for evasion.
Relevant strings associated with this threat:
- Base64String(\"" " & str & " \"" ) (MACROHSTR_EXT)
- powershell.exe (MACROHSTR_EXT)
- -NoP -NonI -W Hidden -Exec Bypass -Comm (MACROHSTR_EXT)
- exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc" (MACROHSTR_EXT)
- Shell exec, vbHide (MACROHSTR_EXT)
- 20221213.pdb (PEHSTR_EXT)
- study\shellcode_dll\Release\shellcode_dll.pdb (PEHSTR_EXT)
- CreateThreadpoolWait_ShellcodeExecution (PEHSTR_EXT)
- yxsohezazveqzwx.dll (PEHSTR_EXT)
- DllInstall (PEHSTR_EXT)
- DllMain (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- DllUnregisterServer (PEHSTR_EXT)
- jnnfcoy.cpl (PEHSTR_EXT)
- Usage : %s IP Port FileName <SaveName> /Upload | / Download (PEHSTR_EXT)
- QQPCLeakScan.exe (PEHSTR_EXT)
- Release\shellcode (PEHSTR_EXT)
- dll_path [process_name] (PEHSTR_EXT)
- Mozilla/4 (PEHSTR_EXT)
- dz3.ddns.net (PEHSTR_EXT)
- @x\l44 (SNID)
- WinExec (PEHSTR_EXT)
- (g]\) (SNID)
- \$DD9d$@ (PEHSTR_EXT)
- Del /f /q "%s" (PEHSTR_EXT)
- Users\sSs\source\repos\Test\x64\Release\Test.pdb (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- LdrpDllNotificationList (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated hash (SHA-256): 69f720f1caae81d5897244ffbed547e9cb11643a26966c7880973b61df5436a8

Immediately isolate the compromised system. Conduct a full anti-malware scan, remove all detected components, and investigate for persistence mechanisms, C2 activity to `dz3.ddns.net`, and any signs of lateral movement to prevent reinfection.