Trojan:MSIL/Malgent

Trojan:MSIL/Malgent  is a MSIL-based 32-bit Windows executable built for the Intel architecture, with a file size that can vary but often around a few kilobytes. It appears as a file named Rnmsfwbsm.exe, located in paths hidden in user directories or temporary folders. The file lacks a valid digital signature, carries a timestamp from mid-February 2024, and includes version details labelling it as 1.0.0.0 under an assembly named Rnmsfwbsm.exe. Upon running, it scans for specific file types across drives and applies encryption methods like AES-256 or similar algorithms to lock them away, a process that might last several hours depending on data volume.  

While the exact capabilities differ across its many variants, common threads include file dropping, registry tweaks for auto-start, and network outreach to command-and-control points. For example, one variant analyzed creates a shortcut in the startup folder pointing to its own binary, ensuring it runs every time the device boots. Another sets up custom file extensions in the registry to handle encrypted payloads, loading them via PowerShell scripts that decrypt and run in memory to avoid easy detection. 

It arrives via malicious downloads, with a file size of around 24,000 bytes, and isn't encrypted outright. Upon launch, it checks for duplicate processes with the same name but different IDs, terminating any mismatches using Windows commands like taskkill. If running a temporary file, it renames itself by stripping a "_tmp" suffix and deletes the original temp version. For persistence, it drops a .url file in the user's startup folder, formatted to launch the malware payload from its install path. This backdoor gathers details like device name, username, OS version, and other system stats from commands, then sends them to remote servers. It can receive updates to its config, such as new credentials or timings, and supports commands like changing secondary settings or running arbitrary system instructions. Network-wise, it tries to log into servers using hardcoded credentials (for example, username and password pair) and communicates over IMAP on port 143. Blocked examples include attempts to connect to domains like facadesolutionsuae.com or IP ranges in the 185[.]250[.]242.x block. 

Another known variant weighs over a million bytes, an EXE that poses a tool for verifying email servers. It drops zip archives in app data templates folders, extracts hidden binaries using preset passwords, and adds processes like setup.exe or svchost.exe mimics. These get hidden attributes to blend in. For auto-run, it modifies the current user Run key in the registry, setting a value named "Microsoft Corporation Security" to point at one of the dropped EXEs. Download behavior involves hitting URLs on Blogspot or custom domains to fetch more payloads, decoding content tagged in responses, and saving zips for further extraction. The GUI element disguises it as an SMTP checker, but behind that, it enables file drops and registry changes that facilitate ongoing access. Persistence comes via scheduled tasks or registry handlers for random extensions, where PowerShell decrypts and runs encrypted backdoors in memory. Commands from the server can deploy stealers that target browser credentials from Chrome or Firefox, form data, or user files.