Concrete signature match: TrojanDropper for Batch Script platform, family Starter
TrojanDropper:BAT/Starter.G!MSR is a malicious batch script that acts as a first-stage downloader. It leverages legitimate Windows utilities (LOLBins) like PowerShell, Regsvr32, and Mshta to download and execute additional, more harmful malware. The threat also attempts to establish persistence on the system using Scheduled Tasks or BITS jobs to ensure the payload survives a reboot.
Relevant strings associated with this threat (signature sub-strings, with the detection component that carries each one in parentheses):
- gq|#TEL (NID)
- gq}#TEL (NID)
- ToBase64String (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- WH_DEBUG (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- regsvr32 (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- ENIGMA (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
Associated sample hash: 6d81b7553bb5799ce01dd205e3cd6f11f6e5a98b4d52df3115a04447588f101c

Remediation: Isolate the affected host from the network. Ensure Windows Defender has removed the initial BAT file and run a full system scan to detect and remove any secondary payloads. Manually review and delete any suspicious scheduled tasks, BITS jobs, or registry startup entries created around the time of the infection.
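The manual review step above can be scripted. The following PowerShell is an added example, not code from the signature page or from Microsoft: it lists scheduled tasks and BITS jobs created within a window around the detection time and all Run/RunOnce autostart values, flagging entries that invoke the LOLBins this family uses. It assumes an elevated session and that `$InfectionTime` is taken from the Defender alert.

```powershell
# Added example, not part of the original signature page. Lists scheduled tasks and BITS
# jobs created within +/- $WindowHours of the infection time, plus all Run/RunOnce
# autostart values, and flags entries that invoke the LOLBins named in the description.
# Assumption: run elevated; $InfectionTime comes from the Defender detection timestamp.
$LolBinPattern = 'powershell|regsvr32|mshta|rundll32|bitsadmin|ToBase64String'

function New-Finding($Type, $Name, $Created, $Detail) {
    [pscustomobject]@{
        Type = $Type; Name = $Name; Created = $Created; Detail = $Detail
        Flag = [bool]($Detail -match $LolBinPattern)
    }
}

function Get-RecentPersistence {
    param([Parameter(Mandatory)][datetime]$InfectionTime, [int]$WindowHours = 6)
    $start = $InfectionTime.AddHours(-$WindowHours)
    $end   = $InfectionTime.AddHours($WindowHours)

    # Scheduled tasks: every registered task has an XML definition under System32\Tasks,
    # and the file's LastWriteTime records when it was registered or last changed.
    Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        ForEach-Object {
            [xml]$xml = Get-Content -Path $_.FullName -Raw
            $cmds = $xml.Task.Actions.Exec | ForEach-Object { "$($_.Command) $($_.Arguments)" }
            New-Finding 'ScheduledTask' $_.FullName $_.LastWriteTime ($cmds -join '; ')
        }

    # BITS jobs: the notification command line or the downloaded file can carry the payload.
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end } |
        ForEach-Object {
            $files = ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
            New-Finding 'BITSJob' $_.DisplayName $_.CreationTime "$($_.JobState); $($_.NotifyCmdLine); $files"
        }

    # Autostart registry values: PowerShell exposes no per-value timestamps, so every
    # Run/RunOnce entry is listed for the analyst to compare against a known-good baseline.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { New-Finding 'RunKey' "$key\$($_.Name)" $null $_.Value }
    }
}
```

Run it as `Get-RecentPersistence -InfectionTime '2024-05-01T13:00' | Sort-Object Created | Format-Table -Wrap` and review flagged rows first; the constructed timestamp stands in for the one from the alert.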