Malware Analysis

by Anurag


I have downloaded this malicious Microsoft shortcut sample from VirusTotal for analysis.

After downloading, I renamed it sample.lnk (the Microsoft shortcut extension is .LNK).

When I opened the Properties tab of this file, I found the properties below, which clearly show it is not a shortcut to any application but a PowerShell script that executes on opening.

  • Target Type: Application
  • Target: PowerShell script
  • Description: Windows PowerShell


I copied and pasted the PowerShell script into a text file.


Behavior of the PowerShell script:

  • Downloads another PowerShell script, out-763347625.ps1, from the URL https[:]//latinotca-ar[.]com
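As an added example (my code, not the author's), the Properties fields above can be read straight from the Shell Link binary format without ever opening the shortcut, and the same fields drive a quick triage of the download stage. The .lnk bytes parsed here are constructed in the block itself, not the real sample from this post; non-Unicode strings are assumed to be cp1252.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a triage check for PowerShell-backed shortcuts."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # fixed Shell Link CLSID
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def parse_lnk(data: bytes) -> dict:
    """Validate the 76-byte header, skip IDList/LinkInfo, decode the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_IDLIST:                   # LinkTargetIDList: u16 IDListSize + body
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                 # LinkInfo: u32 LinkInfoSize (includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_FIELDS:           # each: u16 CountCharacters + chars, no terminator
        if flags & bit:
            count, off = struct.unpack_from("<H", data, off)[0], off + 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += count * width
    return info

def triage(info: dict) -> list:
    """Indicators a defender checks before a shortcut is ever opened; 7 = SW_SHOWMINNOACTIVE."""
    target, args = info.get("relative_path", "").lower(), info.get("arguments", "").lower()
    checks = (("powershell" in target or "pwsh" in target, "target is PowerShell, not a document"),
              (info["show_command"] == 7 or "hidden" in args, "window hidden or minimised"),
              ("bypass" in args, "execution policy bypass"),
              ("http://" in args or "https://" in args, "URL in arguments (download stage)"))
    return [label for hit, label in checks if hit]

def build_lnk(name, rel_path, work_dir, args, show_cmd=7) -> bytes:
    """Assemble a constructed Unicode .lnk carrying only StringData (for offline testing)."""
    flags = HAS_NAME | HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + b"\0" * 24   # 3 FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0))
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, rel_path, work_dir, args))
    return header + body

# Constructed sample, NOT the post's real LNK: shows "Windows PowerShell" in Properties.
SAMPLE = build_lnk("Windows PowerShell",
                   r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows",
                   '-w hidden -ep bypass -c "<downloader placeholder> https://example.invalid/out.ps1"')
```

Running `triage(parse_lnk(SAMPLE))` on the constructed shortcut returns all four indicators; on a real file, read the bytes with `open(path, "rb").read()` and expect ExtraData after the strings, which this parser simply ignores.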

I double-clicked on it to check the behavior; a command prompt window opened and closed.

I could see the PowerShell script execute and try to connect to the URL. Wireshark captured the network traffic.


The website has been taken down. I tried to open the URL in a browser, but the URL is inaccessible.

VirusTotal sample:

SHA-256: 5c5c2c6197d4b1c24c438b8fb0452257c9e4085ac59297a985ec92ef1720b74d
