Is openssh.ps1 Malware?


Recently I downloaded a Windows 10 VM from Microsoft’s site. Today, in the C:\ drive, I saw a folder named BGinfo which I know I had not created.

After opening it, I saw two files:

[Image: BGInfo folder structure]

In the openssh.ps1 file, I found a URL:

[Image: URL found in openssh.ps1]

After accessing the URL, an SSH setup executable file downloaded. After searching the URL in VirusTotal, the result shows 2 of 62 AV engines detected it as malware.

During the investigation I found that a BGinfo program had been added to the Startup programs. (I disabled it later.)

[Image: BGInfo listed in the Task Manager Startup tab]

Also, SSH is installed on the server and its services are running from Task Scheduler.

I ran procmon and netmon to analyze the behavior. I have not found any unusual activity, calls, or traffic from/to a remote server, and I have not found any process or executable running in the background.

During the analysis I did not run this PowerShell script.

VirusTotal –  [Link here]
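The triage steps described above (hashing the files for a VirusTotal lookup, reading the URL out of the script, and checking Startup entries, scheduled tasks and the SSH services) can be done from an elevated PowerShell prompt without ever executing openssh.ps1. The following is an added example, not code from the original post; it assumes only the folder path C:\BGinfo and the file name openssh.ps1 mentioned above.

```powershell
# Added triage example (not from the original post). Inventories what the
# C:\BGinfo folder does on this VM without executing openssh.ps1.
# Assumption: the folder is C:\BGinfo and the script is openssh.ps1, as in the post.
$folder = 'C:\BGinfo'

# 1. List the folder contents with SHA-256 hashes, so each file (and any
#    downloaded installer) can be looked up on VirusTotal instead of run.
Get-ChildItem -Path $folder -File -Recurse |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

# 2. Pull every URL out of the script text. Reading the file is safe;
#    invoking it is not.
Get-ChildItem -Path $folder -Filter *.ps1 -Recurse |
    Select-String -Pattern 'https?://[^\s''"]+' -AllMatches |
    ForEach-Object { $_.Matches.Value } | Sort-Object -Unique

# 3. Startup entries (registry Run keys and Startup folders) that point at
#    BGinfo or ssh; this is what appeared under Task Manager > Startup.
Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -match 'bginfo|ssh' } |
    Select-Object Name, Location, Command, User

# 4. Scheduled tasks whose actions reference BGinfo, openssh.ps1 or ssh,
#    since the post notes SSH services running from Task Scheduler.
Get-ScheduledTask |
    Where-Object {
        $_.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match 'bginfo|openssh|ssh' }
    } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# 5. Confirm whether the OpenSSH services are actually installed and running.
Get-Service -Name 'sshd', 'ssh-agent' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Compare the SHA-256 values from step 1 with the VirusTotal report for the downloaded installer; a hash lookup does not require uploading or running the file.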
