We copied and altered the script to see where it puts the file. The executable itself is posted in hexadecimal and reconstructed by the function in the script.

The code posted is a Visual Basic script that downloads and runs a file called Tempwinlogon.exe. When we ran the sample, we noticed a connection to a specific Pastebin page. This one is called VMWare.exe, and the first screen of the installer presents itself as “WindowsInstall”.

Although we are not entirely sure of its origin, this makes us consider a method of infection that is typical for sites offering cracks and keygens. The dropper is not much more than an adaptable package to deliver the actual payload. The payload has turned out to be a RAT with keylogger capabilities.

While it is not uncommon to find malware or code on Pastebin, it is a surprise to find a dropper that downloads the payload from Pastebin on the fly.
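A triage helper for the kind of paste described above, where an executable is posted as hexadecimal text inside a script. This is an added example, not code from the original post; the function names, the split-string handling and the sample script are assumptions constructed for illustration.

```python
import hashlib
import re
import struct

# VBScript string joins such as:  "4D5A90" & _ <newline> "0003..."
VBS_JOIN = re.compile(r'"\s*&\s*_?\s*"')
# A hex run that starts with "MZ" (4D5A) and is at least 64 bytes long.
MZ_HEX_RUN = re.compile(r"4D5A(?:[0-9A-F]{2}){62,}", re.IGNORECASE)


def find_hex_pe_blobs(text):
    """Return size and SHA-256 of each hex run that decodes to a PE image."""
    joined = VBS_JOIN.sub("", text)  # undo split string literals (assumed style)
    findings = []
    for match in MZ_HEX_RUN.finditer(joined):
        data = bytes.fromhex(match.group(0))
        # e_lfanew (offset 0x3C in the DOS header) points at "PE\0\0".
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            continue  # starts with MZ but is not a PE image
        findings.append({"size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return findings


def constructed_sample():
    """Build a harmless 128-byte header stub and a script that embeds it."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    hexed = bytes(stub).hex().upper()
    script = ('Dim h\n'
              'h = "' + hexed[:100] + '" & _\n'
              '    "' + hexed[100:] + '"\n'
              'WriteBinary h\n')  # WriteBinary is a made-up helper name
    return bytes(stub), script


if __name__ == "__main__":
    stub, script = constructed_sample()
    for finding in find_hex_pe_blobs(script):
        print(finding)
```

The SHA-256 of each decoded blob can be compared against the file the script writes to disk, so the paste and the dropped executable can be tied together without running the script.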