One Article Review

Home - The article:
Source SANS Institute
Identifier 7527852
Publication date 2022-10-17 10:05:24 (viewed: 2022-10-17 12:05:40)
Title Fileless Powershell Dropper, (Mon, Oct 17th)
Text I found an interesting PowerShell script that drops malware on the victim's computer. The dropped malware is not new (it's kinda old, though), but the dropper has a very low VirusTotal score. The script was detected by one of my hunting rules on VT. It is called "autopowershell.ps1" and has a score of only 3/61 (SHA256: 3750576978bfd204c5ac42ee70fb5c21841899878bacc37151370d23e750f8c4)[1]. By "fileless", it is meant that the malware tries to reduce its interactions with the file system to a minimum. But, to achieve persistence, it must write something to disk. Most of the time, that is done through registry keys. That's what happens with this sample:
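The excerpt stops before showing which registry keys this sample uses, so the following is an added, generic check rather than code from the SANS diary or from the sample itself: a PowerShell triage script that enumerates the usual Run/RunOnce autorun keys and flags values that launch PowerShell with the flags a "fileless" dropper typically relies on (encoded commands, hidden windows, bypassed execution policy, a payload read back out of the registry). The key list and the pattern list are assumptions chosen for illustration, not indicators taken from this sample.

```powershell
# Added example, not code from the SANS diary or from the sample it describes.
# Hunts for PowerShell-based autoruns in the classic Run/RunOnce keys, the
# usual place a "fileless" dropper writes its persistence. Assumes a Windows
# host with read access to HKCU/HKLM; the key list below is an assumption.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Command-line fragments typical of PowerShell launched from an autorun value.
# These patterns are an assumption for triage, not IOCs from the sample; they
# are matched as case-insensitive substrings, so expect some benign hits.
$Suspicious = @(
    'powershell', 'pwsh',
    '-enc', '-EncodedCommand',
    '-w hidden', '-WindowStyle Hidden',
    '-nop', '-NoProfile',
    '-ep bypass', 'ExecutionPolicy Bypass',
    'Get-ItemProperty', 'FromBase64String',
    'IEX', 'Invoke-Expression', 'DownloadString'
)

function Decode-EncodedCommand {
    param([string]$CommandLine)
    # -e/-ec/-enc/-EncodedCommand takes base64 of a UTF-16LE string; decode it
    # so the analyst sees the real payload instead of an opaque blob.
    if ($CommandLine -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            return $null
        }
    }
    return $null
}

function Find-PowerShellAutorun {
    [CmdletBinding()]
    param(
        [string[]]$Keys = $RunKeys,
        [string[]]$Patterns = $Suspicious
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata members Get-ItemProperty adds to the object
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            $hits = @($Patterns | Where-Object { $value -match [regex]::Escape($_) })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Value   = $value
                    Matched = ($hits -join ', ')
                    Decoded = Decode-EncodedCommand -CommandLine $value
                }
            }
        }
    }
}

# Run the hunt and print each hit with its decoded payload (if any)
Find-PowerShellAutorun | Format-List
```

Run it from an elevated prompt so the HKLM keys are readable; pass `-Keys` to point it at other autostart locations (services, scheduled-task images, Winlogon) once you know where a given family hides. A hit on `powershell` alone is common on managed hosts and is only the starting point; the `Decoded` field is what to read first, since an encoded command in an autorun value is rarely legitimate.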
Sent Yes
Tags Malware


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.