Concrete signature match: TrojanDropper for 32-bit Windows platform, family Malgent
TrojanDropper:Win32/Malgent!MSR is a confirmed malicious dropper that downloads and executes additional malware from various remote servers. It employs string obfuscation and attempts to drop executables into user directories like Desktop, AppData, and Temp, potentially leveraging Excel macros for initial execution.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

File hashes associated with this threat:
- 8bcfee677a8ec5a1fd2e020e0f9586ecee70ca1c3e7f9afba116b28223107e70
- a43d75b99fea27596fdc3b0fb11512329589d6482a2954dc4799ed737fddac50

Recommended response:
Immediately isolate the affected system from the network to prevent further compromise. Run a full, updated antivirus scan to ensure complete removal of all malicious components. Investigate for persistence mechanisms and reset any credentials that may have been compromised on the system.