Concrete signature match: TrojanDropper for 32-bit Windows platform, family Dapato
This is a concrete detection of TrojanDropper:Win32/Dapato!pz, a malicious program designed to download and execute additional payloads. It establishes persistence, communicates with remote servers (potentially AWS), and leverages techniques like code hooking and MSHTA for execution and evasion, with indications of potential integration with or impersonation of remote access software like AnyDesk.
Relevant strings associated with this threat:
- set_UseShellExecute (PEHSTR_EXT)
- downexecute (PEHSTR_EXT)
- For i = 1 To LenB( OBH.ResponseBody ) (PEHSTR_EXT)
- \vxs32.exe (PEHSTR_EXT)
- https:// (PEHSTR_EXT)
- .amazonaws.com/ (PEHSTR_EXT)
- /vxs32.exe (PEHSTR_EXT)
- \Software\Microsoft\Windows\CurrentVersion\Policies\System (PEHSTR_EXT)
- ServiceApp.exe (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- BouncyCastle.Crypto (PEHSTR_EXT)
- Org.BouncyCastle.Bcpg.OpenPgp (PEHSTR_EXT)
- source\repos\AnyDeskAdd.exe\AnyDeskAdd.exe\obj\Debug\AnyDeskAdd.exe.pdb (PEHSTR_EXT)
- /public/pages/Exodus.html (PEHSTR_EXT)
- \WallpaperX.pdb (PEHSTR_EXT)
- config.txt (PEHSTR_EXT)
- log.txt (PEHSTR_EXT)
- Knocker.Properties.Resources (PEHSTR_EXT)
- knksvc.exe (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Immediately isolate affected systems and perform a comprehensive scan with up-to-date antivirus definitions to remove all malicious components. Investigate persistence mechanisms (e.g., Run keys, services) and network logs for indicators of compromise or C2 communication, restoring from a clean backup if necessary.