by bri3d 4813 days ago
The EXE is an AutoIt3 script (they didn't even scrub the AutoIt version from the PE metadata).

You can run the AutoIt3 script through Exe2Aut (an AutoIt decompiler) and you'll find a pretty mundane remote access toolkit which inserts itself into \Run, checks to see if it's running in a variety of virtualized environments, and, if it's not, can start one of a couple different remote control payloads. It looks like it's got a rudimentary Facebook credentials theft mechanism in its first stage as well.

This is a pretty common for-sale driveby script kiddie exploit - it's depressing how effective these still are.
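The comment above makes two points a defender can act on directly: the sample announces itself through AutoIt compiler residue left in the PE, and it persists through a Run key. The following Python script is an added example, not part of bri3d's comment or of any analysis tooling mentioned on the page. It scans an executable image for strings the AutoIt3 compiler is assumed (for this example) to leave behind, pulls the version string if present, and walks a list of Run-key entries to flag any whose target looks AutoIt-compiled. The marker strings, file paths and Run entries are all constructed here; `read_file` is injected so the example runs offline against in-memory bytes instead of a real registry and disk.

```python
"""Static triage for AutoIt-compiled executables referenced from a Run key.

Detection-only helper: it never executes or decompiles the sample. The marker
strings below are an assumed starting heuristic, not an authoritative signature set.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumed markers: the script-resource signature appended by the AutoIt compiler
# and the FileDescription string it writes into the VERSIONINFO resource.
AUTOIT_MARKERS = (b"AU3!EA06", b"AutoIt v3 Script")
# Assumed shape of the version string, e.g. "AutoIt v3.3.8.1".
VERSION_RE = re.compile(rb"AutoIt v3(?:\.\d+){1,3}")


def _views(data: bytes) -> Iterable[bytes]:
    """Yield the raw image and a NUL-stripped copy, so UTF-16LE resource strings
    (every other byte is 0x00) become searchable as plain ASCII."""
    yield data
    yield data.replace(b"\x00", b"")


def find_autoit_markers(data: bytes) -> List[str]:
    """Return the AutoIt markers present anywhere in the executable image."""
    return [m.decode() for m in AUTOIT_MARKERS if any(m in v for v in _views(data))]


def autoit_version(data: bytes) -> Optional[str]:
    """Return the unscrubbed AutoIt version string, or None if it is absent."""
    for view in _views(data):
        match = VERSION_RE.search(view)
        if match:
            return match.group(0).decode()
    return None


def _target_path(command: str) -> str:
    """Extract the executable path from a Run-key command line
    (handles a quoted path followed by arguments)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].partition('"')[0]
    return command.split(" ")[0]


def triage_run_entries(entries: Iterable[Tuple[str, str]],
                       read_file: Callable[[str], bytes]) -> List[dict]:
    """entries: (value name, command line) pairs read from a Run key.
    read_file: path -> bytes; injected so this runs offline.
    Returns one finding per entry whose target carries AutoIt markers."""
    findings = []
    for name, command in entries:
        path = _target_path(command)
        try:
            data = read_file(path)
        except (FileNotFoundError, KeyError):
            continue  # dangling Run entry: worth noting elsewhere, not an AutoIt finding
        markers = find_autoit_markers(data)
        if markers:
            findings.append({"value": name, "path": path,
                             "markers": markers, "version": autoit_version(data)})
    return findings


# --- constructed sample data (not real binaries or a real registry) ---------

def _fake_pe(tail: bytes) -> bytes:
    """A minimal PE-shaped byte string with the interesting bytes appended."""
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 128 + tail


SAMPLE_AUTOIT_EXE = _fake_pe(
    "AutoIt v3 Script".encode("utf-16-le")      # constructed VERSIONINFO FileDescription
    + "AutoIt v3.3.8.1".encode("utf-16-le")     # constructed, unscrubbed version string
    + b"\x00" * 16 + b"AU3!EA06" + b"<compiled script bytes>"
)
SAMPLE_CLEAN_EXE = _fake_pe("Some Vendor Updater".encode("utf-16-le"))

FAKE_DISK: Dict[str, bytes] = {
    r"C:\Users\user\AppData\Roaming\svchost32.exe": SAMPLE_AUTOIT_EXE,
    r"C:\Program Files\Vendor\updater.exe": SAMPLE_CLEAN_EXE,
}
FAKE_RUN_KEY = [
    ("VendorUpdate", r'"C:\Program Files\Vendor\updater.exe" /quiet'),
    ("Windows Host", r"C:\Users\user\AppData\Roaming\svchost32.exe"),
    ("Stale", r"C:\Temp\gone.exe"),
]

if __name__ == "__main__":
    for finding in triage_run_entries(FAKE_RUN_KEY, FAKE_DISK.__getitem__):
        print(finding)
```

On a live host the same logic would be fed from `HKCU\...\CurrentVersion\Run` and `HKLM\...\CurrentVersion\Run` with a real file reader; the NUL-stripping trick is what makes the UTF-16 version resource visible without parsing the resource directory, at the cost of a few false joins across unrelated bytes, which is acceptable for triage.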