Trojan.W97M.POWLOAD.TIOIBEMC

August 01, 2020
 Analysis by: Mohammed Malubay
 ALIASES:

W97m.Downloader.IWZ (Bitdefender); TrojanDownloader:O97M/Emotet.FSK!MTB (Microsoft); a variant of VBA/TrojanDownloader.Agent.TYN trojan (NOD32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

172,717 bytes

Initial Samples Received Date:

30 Jul 2020

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

  • %System%\dxmasf

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops the following files:

  • %User Temp%\cjzlcrgf.v41.ps1
  • %User Temp%\cbrjodtp.rqu.psm1
  • %User Profile%\74.exe
  • %System%\dxmasf\mswsock.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

  • powersheLL -e {base 64-encoded}
  • %User Profile%\74.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Trojan adds and runs the following services:

  • mswsock
    • Start Type: SERVICE_AUTO_START
    • Binary Pathname: "%System%\dxmasf\mswsock.exe"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Trojan deletes the following files:

  • %User Temp%\cjzlcrgf.v41.ps1
  • %User Temp%\cbrjodtp.rqu.psm1
  • %User Profile%\74.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}.uk/loges/v7yi_9z9l1_evrg/
  • http://{BLOCKED}.pl/4995371c/1_m_1dau4ki6f/
  • http://{BLOCKED}.pk/wp-admin/yu7d_oh2g_zmwbfmqo/
  • http://{BLOCKED}.cz/a_b3rvy_ua/
  • http://www.{BLOCKED}.pt/modules/2eyu_76wd_82/