Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the 64-bit Windows platform, family StealC
Trojan:Win64/StealC!rfn is a concrete detection of the StealC info-stealer, a sophisticated malware designed to exfiltrate sensitive data. It targets cryptocurrency wallets (e.g., Monero, Brave), steals user credentials (e.g., from `passwords.txt`), employs PowerShell for execution, and includes anti-analysis capabilities to detect virtual environments.
Relevant strings associated with this threat:

- `@.eh_fram` (PEHSTR_EXT)
- `Win32_computersystem` (PEHSTR_EXT)
- `Displacement.exe` (PEHSTR_EXT)
- `aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources` (PEHSTR_EXT)
- `Monero\wallet.keys` (PEHSTR_EXT)
- `passwords.txt` (PEHSTR_EXT)
- `\BraveWallet\Preferences` (PEHSTR_EXT)
- `-UseBasicParsing).Content` (PEHSTR_EXT)
- `powershell.exe` (PEHSTR_EXT)
- `openshock.Properties.Resources` (PEHSTR_EXT)
- `i#.hq` (SNID)
- `.g.resources` (PEHSTR_EXT)
- `VQP.exe` (PEHSTR_EXT)
- `.rsrc` (PEHSTR_EXT)
- `USER32.dql` (PEHSTR_EXT)
- `<description>Windows XP Visual Styles</description>` (PEHSTR_EXT)
- `%userappdata%\RestartApp.exe` (PEHSTR_EXT)
- `.taggant` (PEHSTR_EXT)
- `HARDWARE\ACPI\DSDT\VBOX__` (PEHSTR_EXT)
- `Stub.Resources` (PEHSTR_EXT)
- `QCXBSDJHIUWE643.pdb` (PEHSTR_EXT)
- `msimg32.dll` (PEHSTR_EXT)
- `tocurobatekixatekeyajasorilupur` (PEHSTR_EXT)
- `yeginejiparatudefaf boluzicuzu vuvigowexafexepojomiba suhomoxine zuxagenelonugo` (PEHSTR_EXT)
- `Jibu zec pugole/Kemo yacuciyofi pobideyusakaso` (PEHSTR_EXT)
- `SOFTWARE\monero-project\monero-core` (PEHSTR_EXT)
- `\Monero\wallet.keys` (PEHSTR_EXT)
- `steam_tokens.txt` (PEHSTR_EXT)
- `.idata` (PEHSTR_EXT)
- `.idata` (PEHSTR_EXT)
- `main.writeShellcodeToTarget` (PEHSTR_EXT)
- `!#HSTR:StringCodeForMshta.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.C!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.D!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.L!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.O!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRegsvr32.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRundll32.A!pli` (PEHSTR_EXT)
- `rundll32` (PEHSTR_EXT)
- `!#HSTR:StringCodeForBITSJobs.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForPowerShell.G!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForScheduledTask.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForDataEncoding.D!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.J!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.K!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRemoteFileCopy.B!pli` (PEHSTR_EXT)
- `!#HSTR:ExecutionGuardrails` (PEHSTR_EXT)
- `!#HSTR:StringCodeForFileDeletion.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForHooking.M!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForNetshHelperDLL.A!pli` (PEHSTR_EXT)
- `!#HSTR:StringCodeForRemoteServices.A!pli` (PEHSTR_EXT)
Associated file hashes:

- `423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38`
- `311d6c2eb62e8cc02df535559b319eaa62f38e6061039bf2ba68aa205fafe6f6`

Recommended response: Immediately isolate the affected system, perform a full system scan with updated antivirus software, and force a password reset for all potentially compromised accounts (email, banking, crypto, social media). Investigate for persistence mechanisms and consider a full system re-image to ensure complete removal of the threat and any backdoors.