0x1187:$x1: iex ((new-object net.webclient).DownloadĬ:\Users\u ser\Deskto p\Easy2Boo t_v2.00\_I SO\WINDOWS \installs\ CONFIGS\is -OQAUM.tmp.Uses code obfuscation techniques (call, push, ret)Ĭ:\Users\u ser\Deskto p\Easy2Boo t_v2.00\_I SO\WINDOWS \installs\ CONFIGS\SD I_CHOCO\is -QPHUJ.tmpĭetects strings found in sample from CN group repo leak in October 2018 Sample file is different than original file name gathered from version info Queries the volume information (name, serial number etc) of a device Queries disk information (often used to detect virtual machines) PE file contains executable resources (Code or Archives) OS version to string mapping found (often used in BOTs) system language)Ĭontains functionality to check if a window is minimized (may be used to check if an application is visible)Ĭontains functionality to communicate with device driversĬontains functionality to detect sandboxes (mouse cursor move detection)Ĭontains functionality to launch a program with higher privilegesĬontains functionality to record screenshotsĬontains functionality to retrieve information about pressed keystrokesĬontains functionality to shutdown / reboot the systemĬreates a DirectInput object (often for capturing keystrokes)ĭropped file seen in connection with other malwareįound dropped PE file which has not been started or loadedįound potential string decryption / allocating functions
Submitted sample is a known malware sampleĬontain functionality to detect virtual machinesĬontains functionality to infect the boot sectorĬhecks for available system drives (often done to infect USB drives)Ĭontains functionality locales information (e.g. Multi AV Scanner detection for submitted file Multi AV Scanner detection for dropped file
0 kommentar(er)
