Trojan.PS1.POWLOAD.K

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It does not have any propagation routine.

It does not have any backdoor routine.

As of this writing, the said sites are inaccessible.

It does not have any information-stealing capability.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

• %Application Data%\7hvL1Gl4GreYIKPnHxXX

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops a copy of itself in the following folders using different file names:

• %Application Data%\7hvL1Gl4GreYIKPnHxXX\7hvL1Gl4GreYIKPnHxXX.ps1

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %Application Data%\7hvL1Gl4GreYIKPnHxXX\7hvL1Gl4GreYIKPnHxXX.enc → contains Base64-encoded original sample.

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• powershell.exe -ep bypass -File %Application Data%\7hvL1Gl4GreYIKPnHxXX\7hvL1Gl4GreYIKPnHxXX.ps1 1

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Rootkit Capabilities

This Trojan does not have rootkit capabilities.

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• https://{BLOCKED}b.co/4TvHH6g/img1.png

It saves the files it downloads using the following names:

• %Application Data%\7hvL1Gl4GreYIKPnHxXX\img1.png → contains an AES-encrypted payload which is encoded in the color values of image pixels

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan does not have any information-stealing capability.

Other Details

This Trojan does the following:

• It utilizes steganography technique to hide and extract malicious code inside a PNG image.
• It decrypts the payload from the image using a hardcoded password and loaded into the memory.

It accepts the following parameters:

• 1 → triggers the decryption and execution of the hidden payload from the image.
• → triggers the process of downloading the image file before proceeding to decryption and execution of payload.

It does not exploit any vulnerability.