Some weird malware possibly banload and a stealer. Details were uploaded to our submissions system Starts with email link that downloads tax.zip from http://199.192.29.182/Folder/Downloader.php?1409 This zip contains genuine google updater & a bat file which downloads a powershell script from http://51.75.142.21/l2406/uk/kk/20938092830482 Then a zip from http://51.91.248.86/uk/M2406/kk/md.zip which contains genuine autoit files & a malicious file It then shuts down computer On reboot another powershell script is dropped that appears to be the stealer. Sends stolen data to https://salvavidasonline.club Main object- “tax_receipt.zip” sha256 967ebdb78f55bd6640e5e4dc94f640758764851f1429c017d586da93ed536bf2 sha1 3b47fde59daa506967a609ed8e434ef92a327c37 md5 2cb79ca3702b9e08e2012d511b7ee2e1 ssdeep_parts [object Object] Dropped executable file sha256 C:\Users\Public\Java_jkwbzg3_\exe.png 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d sha256 C:\Users\Public\Java_jkwbzg3_\libeay32.dll 963b313eb11d5ea78d9d5f4e03df9265e472db892a4b406ee73f0216fd4d6f38 sha256 … Continue reading →
Article Link: https://myonlinesecurity.co.uk/banload-and-stealer/