Signature match: Trojan:Win64/Tedy!MTB (Trojan: appears legitimate but performs malicious actions; Win64: 64-bit Windows platform; Tedy: family name; !MTB: the suffix Microsoft places on broad, heuristically generated detections rather than on a single tracked family)
Trojan:Win64/Tedy!MTB is a generic, multi-sample detection, and the evidence on this page is static rather than behavioural: every entry below is a PEHSTR_EXT or PEHSTR match, i.e. a string found in the PE file. The strings come from a loose collection of unrelated tooling that shares the family name: browser credential stealers (Firefox, and Chrome cookie/payment decryption), a keylogger with screenshot capture, SSH/FTP data models, anti-analysis process killing (taskkill of ProcessHacker, dnSpy, x64dbg, IDA, OllyDbg, Cheat Engine), VM and emulator checks (VBoxMiniRdrDN, NoxVMHandle), Defender tampering via Set-MpPreference, Startup-folder .lnk persistence, download-and-execute from hard-coded hosts, a PrintNotifyPotato privilege-escalation binary, an exploit build path referencing CVE-2024-20656, and a single `\ransomware.bat` string. A file that hits this signature matched one of these clusters; do not assume one sample carries all of the capabilities. Several strings also come from demo or test projects (KeyLoggerDemo, vt_test, TestMalvare, pintest), so a hit on a developer workstation deserves triage before it is escalated as a confirmed infostealer.
Relevant strings associated with this threat (PEHSTR_EXT and PEHSTR are both Defender PE string-match signature types; entries of the form `!#HSTR:...!pli` are references to other named sub-signatures, not literal file strings):
- desktop.d (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- oncometric (PEHSTR_EXT)
- ZirsLocal.exe (PEHSTR_EXT)
- TFA.Data.FormSecret.resources (PEHSTR_EXT)
- CaptureAndSaveScreenshot (PEHSTR_EXT)
- vt_test\obj\Release\vt_test.pdb (PEHSTR_EXT)
- KeyLoggerDemo\KeyLoggerDemo\obj\Debug\KeyLoggerDemo.pdb (PEHSTR_EXT)
- SvnTcpnNet.lib (PEHSTR_EXT)
- SvnTcpnNet.jsonModels.SSH (PEHSTR_EXT)
- SvnTcpnNet.jsonModels.FTP (PEHSTR_EXT)
- SvnTcpnNet.jsonModels.Screenshot (PEHSTR_EXT)
- Keylogger started, see keyloggs at http://{vicitm IP}:8080/keylogger/keylogg.txt (PEHSTR_EXT)
- \ransomware.bat (PEHSTR_EXT)
- \output_firefox.txt (PEHSTR_EXT)
- Usage: steal_pwd <firefox/google> (PEHSTR_EXT)
- CTools.Properties.Resources (PEHSTR_EXT)
- C:\Users\SirLennox (PEHSTR_EXT)
- Release\NekoInstaller.pdb (PEHSTR_EXT)
- UpdateDemo.Properties.Resources.resources (PEHSTR_EXT)
- \Program Files\mana break\ (PEHSTR_EXT)
- 505\505\obj\Release\fuckyouware.pdb (PEHSTR_EXT)
- fuckyouware.exe (PEHSTR_EXT)
- cz56954.tw1.ru/ICSharpCode.SharpZipLib.dll (PEHSTR_EXT)
- PrintNotifyPotato.exe (PEHSTR_EXT)
- gMqeWOPLGVb37y00zMrL4/VVFHyxBgam/Ukb7bCU3Q8= (PEHSTR_EXT)
- MySql.Installer.Launcher.wd_T5end.resources (PEHSTR_EXT)
- Eqggpsce.exe (PEHSTR_EXT)
- TSAide.stat (PEHSTR_EXT)
- ver.ourwg.com.tw (PEHSTR_EXT)
- @.vmp0 (PEHSTR_EXT)
- ZodiacAide.exe (PEHSTR_EXT)
- Assistente.Program (PEHSTR_EXT)
- C:\Users\Public\2.exe (PEHSTR_EXT)
- C:\Users\wegame.exe (PEHSTR_EXT)
- http://164.155.255.81/2.exe (PEHSTR_EXT)
- C:\Users\Public\libcef.dll (PEHSTR_EXT)
- http://164.155.255.81/libcef.dll (PEHSTR_EXT)
- c:\windows\god\up.exe (PEHSTR_EXT)
- c:\windows\god\sendb.exe (PEHSTR_EXT)
- sendb.Properties.Resources.resources (PEHSTR_EXT)
- ://ftp.2qk.cn/HD1-2.dll (PEHSTR_EXT)
- villadentex.pl (PEHSTR_EXT)
- ibhchocjdb/kfapioijci/fjfkdpkdco/fjfkdpkdco/kbpchiokil.Egcgaefamc (PEHSTR_EXT)
- BackDoor.pdb (PEHSTR_EXT)
- EXPLOIT\BINARY (PEHSTR_EXT)
- cdefcdefcdefcdefcdefhttp://bd.tlysj.com:7979/20.jpg (PEHSTR_EXT)
- abcdabcdabcdabcdabcdhttp://803.asx51.info:8080/20.jpg (PEHSTR_EXT)
- HttpWebResponse (PEHSTR_EXT)
- \Google translate master\ (PEHSTR_EXT)
- Wrapper\x64 (PEHSTR_EXT)
- C:\Users\Administrator\Desktop\Pillager_\Pillager\obj\Debug\Pillager.pdb (PEHSTR_EXT)
- Pillager.dll (PEHSTR_EXT)
- \output\G2M_Dll.pdb (PEHSTR_EXT)
- taskkill /IM ProcessHacker.exe /F (PEHSTR_EXT)
- taskkill /IM dnSpy.exe /F (PEHSTR_EXT)
- taskkill /IM cheatengine-x86_64.exe /F (PEHSTR_EXT)
- taskkill /IM ollydbg.exe /F (PEHSTR_EXT)
- taskkill /IM ida64.exe /F (PEHSTR_EXT)
- taskkill /IM x64dbg.exe /F (PEHSTR_EXT)
- static/loader_client_no_literals_compression.bin (PEHSTR_EXT)
- updater.exe (PEHSTR_EXT)
- \\.\VBoxMiniRdrDN (PEHSTR_EXT)
- FortniteClient-Win64-Shipping.exe (PEHSTR_EXT)
- d3d11.dll (PEHSTR_EXT)
- cdn.discordapp.com/attachments/1223133498550911067/1231358676225359932/svhost.exe (PEHSTR_EXT)
- cdn.discordapp.com/attachments (PEHSTR_EXT)
- ces.exe (PEHSTR_EXT)
- TestMalvare.pdb (PEHSTR_EXT)
- Musquitao\Desktop\BR_2023\LOAD_2023\DLL-CPP\D\x64\Release\D.pdb (PEHSTR_EXT)
- \Documents (PEHSTR_EXT)
- D.dll (PEHSTR_EXT)
- /tuiguang/qudao (PEHSTR_EXT)
- pos.baidu.com (PEHSTR_EXT)
- <a id=x href=/wzs/ (PEHSTR_EXT)
- .html target=_self></a> (PEHSTR_EXT)
- @FACK YOU Donkey. (PEHSTR_EXT)
- start cmd /C "color b && title Error && echo (PEHSTR_EXT)
- && timeout /t 5 (PEHSTR_EXT)
- \Microsoft\Windows\.winSession (PEHSTR_EXT)
- \Startup\NVIDIAGraphics.lnk (PEHSTR_EXT)
- \Startup\MicrosoftDefender.lnk (PEHSTR_EXT)
- Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true (PEHSTR_EXT)
- https://xiamo.dasiqueiros.info/fuiwfbjksd/stetdsvj (PEHSTR_EXT)
- InitializeSecurityDescriptor (PEHSTR_EXT)
- CuzPP.exe (PEHSTR_EXT)
- GoonEye.exe (PEHSTR_EXT)
- \Release\CuzPP.pdb (PEHSTR_EXT)
- Imgui-Blue-loader-master\Imgui-Blue-loader-master\ImGui\imstb_textedit.h (PEHSTR_EXT)
- run_exe_from_memory (PEHSTR_EXT)
- DllInstall (PEHSTR_EXT)
- execute_python_entrypoint (PEHSTR_EXT)
- @.data (PEHSTR_EXT)
- .vmp0 (PEHSTR_EXT)
- cmd.exe /c C:\Windows\System32\cmstp.exe /au %TEMP%\corpvpn.inf (PEHSTR_EXT)
- source\repos\CVE-2024-20656\Expl\x64\Release (PEHSTR_EXT)
- Vixen.exe (PEHSTR_EXT)
- chrome_decrypt_cookies.txt (PEHSTR_EXT)
- chrome_decrypt_payments.txt (PEHSTR_EXT)
- **User:** %s\n**Computer:** %s\n**IP:** %s (PEHSTR_EXT)
- pintest.exe (PEHSTR)
- curl --silent https://files.catbox.moe/ (PEHSTR_EXT)
- --output C:\Windows\Temp\ (PEHSTR_EXT)
- cd C:\Windows\Temp\ && (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- .sys >nul 2>&1 (PEHSTR_EXT)
- ! fud cat shit also fuck niggers frfrfr. (PEHSTR_EXT)
- main.deobfuscateShellcode (PEHSTR_EXT)
- DLL injected (PEHSTR_EXT)
- chrome_decrypt.dll (PEHSTR_EXT)
- NoxVMHandle.exe (PEHSTR_EXT)
- DLL already exists. Attempting to inject. (PEHSTR_EXT)
- Injection failed. (PEHSTR_EXT)
- Injected Successfully. (PEHSTR_EXT)
- C:\Users\pollo\source\repos\Loader\x64\Release\Loader.pdb (PEHSTR_EXT)
- credentials.txt (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated file hashes (64 hex characters each, consistent with SHA-256):
- 6b423675d1cf1264e480725cf3573cefdbf7c04686879bf25a09aa4c996d9a56
- 0b976889e3f947b139103d3c29cccaa5849a97415e72c6b1a54e793d6561b0a8
- a0d4e99d0549a70f1b5e385bbc3226c0faa4cacf82808c69ec5f65f862c7064e
- fcdc57f812f98c0eb96c652f391e0a169806e23ca412d1b7cb7e4a14075386eb

Remediation: immediately isolate the infected host to prevent further compromise. Run a full scan with up-to-date antivirus signatures to remove the Trojan and its components, then verify by hand the artefacts this signature points at: Defender preferences (Get-MpPreference for DisableRealtimeMonitoring and DisableScriptScanning), the Startup folder for NVIDIAGraphics.lnk and MicrosoftDefender.lnk, %TEMP% for corpvpn.inf, and drop locations such as C:\Users\Public\2.exe, C:\Users\Public\libcef.dll, c:\windows\god\ and C:\Windows\Temp\. Search proxy and DNS logs for the hard-coded hosts (164.155.255.81, cdn.discordapp.com/attachments, files.catbox.moe, ver.ourwg.com.tw, bd.tlysj.com:7979, 803.asx51.info:8080, xiamo.dasiqueiros.info, cz56954.tw1.ru, ftp.2qk.cn). Reset every credential the stealer strings cover (browser-saved passwords and cookies, SSH, FTP) and any account that was used from the host. Because the matched samples include credential theft, a privilege-escalation tool and a ransomware script, reimage rather than clean, and restore data from backups taken before the compromise.
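The string list above is static evidence, so the quickest way to check a suspect file offline, or to hunt other files on the same host, is to search for the same strings. The following is an added example written for this page, not code from the signature or from any project it names. It takes a subset of the PEHSTR_EXT strings, groups them into behaviour clusters (the grouping is the editor's assumption, not part of the signature), and scans a file for each string in both ASCII and UTF-16LE, since the C++ samples store narrow strings and the .NET samples store wide ones. The `!#HSTR:` entries are sub-signature references, not literal strings, and are left out. The embedded sample blob is constructed for the demonstration and is not a real binary.

```python
"""Hunt for Trojan:Win64/Tedy!MTB string indicators in a file (added example)."""
from collections import defaultdict

# Subset of the signature's PEHSTR_EXT strings, grouped by the behaviour
# they imply. The cluster names are an editorial assumption.
INDICATOR_CLUSTERS = {
    "credential_theft": [
        b"Usage: steal_pwd <firefox/google>",
        b"\\output_firefox.txt",
        b"chrome_decrypt_cookies.txt",
        b"chrome_decrypt_payments.txt",
        b"credentials.txt",
        b"SvnTcpnNet.jsonModels.SSH",
        b"SvnTcpnNet.jsonModels.FTP",
    ],
    "keylog_screenshot": [
        b"CaptureAndSaveScreenshot",
        b"KeyLoggerDemo.pdb",
        b"keylogger/keylogg.txt",
    ],
    "defense_evasion": [
        b"Set-MpPreference -DisableRealtimeMonitoring $true",
        b"taskkill /IM ProcessHacker.exe /F",
        b"taskkill /IM x64dbg.exe /F",
        b"taskkill /IM ida64.exe /F",
        b"\\\\.\\VBoxMiniRdrDN",
        b"NoxVMHandle.exe",
    ],
    "persistence": [
        b"\\Startup\\NVIDIAGraphics.lnk",
        b"\\Startup\\MicrosoftDefender.lnk",
        b"\\Microsoft\\Windows\\.winSession",
    ],
    "download_execute": [
        b"http://164.155.255.81/2.exe",
        b"cdn.discordapp.com/attachments",
        b"curl --silent https://files.catbox.moe/",
        b"cmstp.exe /au",
        b"run_exe_from_memory",
    ],
    "ransomware_hint": [b"\\ransomware.bat"],
}


def _patterns(indicator: bytes):
    """Yield (encoding, on-disk bytes): the raw ASCII form and its UTF-16LE form."""
    yield "ascii", indicator
    yield "utf16le", indicator.decode("ascii").encode("utf-16-le")


def scan_bytes(data: bytes) -> dict:
    """Map each cluster to the (indicator, encoding, offset) hits found in data."""
    hits = defaultdict(list)
    for cluster, indicators in INDICATOR_CLUSTERS.items():
        for indicator in indicators:
            for encoding, pattern in _patterns(indicator):
                offset = data.find(pattern)
                if offset != -1:
                    hits[cluster].append((indicator.decode("ascii"), encoding, offset))
    return dict(hits)


def scan_file(path: str) -> dict:
    """Scan a file on disk; reads it whole, which is fine for typical PE sizes."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def triage_summary(hits: dict) -> list:
    """Translate cluster hits into the follow-up actions the remediation text calls for."""
    actions = []
    if "credential_theft" in hits or "keylog_screenshot" in hits:
        actions.append("rotate browser, SSH and FTP credentials used on this host")
    if "defense_evasion" in hits:
        actions.append("check Get-MpPreference for disabled real-time/script scanning")
    if "persistence" in hits:
        actions.append("inspect Startup folder for NVIDIAGraphics.lnk / MicrosoftDefender.lnk")
    if "download_execute" in hits:
        actions.append("hunt the hard-coded download hosts in proxy and DNS logs")
    if "ransomware_hint" in hits:
        actions.append("treat as possible ransomware staging; reimage rather than clean")
    return actions


# Constructed sample (not a real binary): a fake DOS header, one ASCII string
# as a C++ sample would store it, and two UTF-16LE strings as .NET would.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Usage: steal_pwd <firefox/google>\x00"
    + "\\Startup\\NVIDIAGraphics.lnk".encode("utf-16-le") + b"\x00" * 8
    + "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le") + b"\x00" * 8
    + b"taskkill /IM x64dbg.exe /F\x00"
)

if __name__ == "__main__":
    import sys
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE)
    for cluster, entries in found.items():
        for name, encoding, offset in entries:
            print(f"{cluster:18} {encoding:8} @0x{offset:06x} {name}")
    for action in triage_summary(found):
        print("->", action)
```

Run it with a path to scan a real file, or with no arguments to scan the constructed sample. Because the clusters come from unrelated samples, treat a hit in a single cluster as a lead to confirm with the hashes and the host checks above, not as proof that the file has every capability the signature description lists.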