Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family TamperedChef
Trojan:Win64/TamperedChef!AMTB is a sophisticated Win64 Trojan that leverages various Windows Living Off The Land Binaries (LOLBINs) such as mshta, regsvr32, rundll32, and PowerShell for execution and persistence. It incorporates advanced capabilities including API hooking, data encoding, BITS job abuse for command and control, remote file operations, and anti-analysis techniques, indicating a highly capable and persistent threat.
Relevant strings associated with this threat: - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
a16cbf9ab535d4ad628b583ec3e026799f38bb50b98c495333302f7b804390eaImmediately isolate affected systems to prevent further compromise. Perform a full endpoint security scan to remove the threat and all associated malicious artifacts, including persistence mechanisms like scheduled tasks and modified registry entries. Review system logs for signs of lateral movement or data exfiltration, and reset any potentially compromised user credentials.