PowerShell/Agent.dy

[GBPAN65 0]

When I turn on the computer I get an alarm from Eset: PowerShell/Agent.dy
Eset did not find the virus/ virus location.
How do I remove this virus?

Thanks

[Marcos 5,070]

Please provide logs collected with ESET Log Collector.

[itman 1,659]

If this is PowerShell Empire related: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/ , most likely a backdoor has been created.

[GBPAN65 0]

Hi Marcos, I got the eav_logs.zip file, what should I look for? Thanks

[Marcos 5,070]

Please upload the generated archive here.

[GBPAN65 0]

Thanks!

eav_logs.zip

[Marcos 5,070]

Please provide a Procmon boot log as per https://support.eset.com/en/kb6308. After a restart launch Procmon and stop logging only after the threat has been detected.

Also please provide a log from Autoruns.

[GBPAN65 0]

Procmon generated 7 files for a total of more than 2 GB. I attach the Bootlog.pml file (the first two) and the file generated by Autoruns.
If you also need the other 6 procmon files it has to make more posts.
Thanks
 

Autoruns.zip

[Marcos 5,070]

Looks like Procmon logging was stopped too early before a detection was triggered; there was no record of Powershell.exe being run the log.

As for Autoruns, you've provided its binaries, not a log created by the Autoruns application.

[GBPAN65 0]

Attached are files 2 and 3 obtained from procmon

Procmon_2_3.zip

[GBPAN65 0]

Attached are files 4, 5 and 6 obtained from procmon and the file obtained from Autoruns

Autoruns.zip

[Marcos 5,070]

Please provide the content of the C:\Users\gb\AppData\Roaming\EciYLzJxA folder. The folder should contain LfxFKWgd.ps1, hFQTJJ.exe (probably clean, renamed wscript.exe) and LfxFKWgd.txt.

Do not delete the folder/files unless I confirm receipt.

[itman 1,659]

Great "real-world" example of malware renaming Win script executable's to bypass AV HIPS rules and the like.

Time Eset offered PE header name option in the HIPS to prevent a bypass like this.

[Marcos 5,070]

I don't think it renames the system executable but rather drops or copies it under a different name.

[itman 1,659]

16 minutes ago, Marcos said:

I don't think it renames the system executable but rather drops or copies it under a different name.

Yes. I suspect this is the case. But in any effect, internal PE header name would remain the same as the source process.

[Marcos 5,070]

A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter.

[itman 1,659]

14 minutes ago, Marcos said:

A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter.

Hopefully that is the case. But not the issue. The issue is I want to block/monitor script execution period:

Ref.: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format

[GBPAN65 0]

Here is the contents of the folder 😄 \ Users \ gb \ AppData \ Roaming \ EciYLzJxA.
Thanks!

EciYLzJxA.zip

[Marcos 5,070]

Please check if the malware is now removed and provide a fresh Autoruns log.

[Nicktopa 0]

I have the same problem, same warning PowerShell/Agent.dy message from Eset every 3 minutes.

 

On 12/1/2020 at 10:55 PM, Marcos said:

Please provide logs collected with ESET Log Collector.

 

Would you like the logs as you requested before?

[Marcos 5,070]

1 hour ago, Nicktopa said:

I have the same problem, same warning PowerShell/Agent.dy message from Eset every 3 minutes.

Would you like the logs as you requested before?

Yes, please provide both Autoruns and logs collected with ESET Log Collector. A Procmon boot log may be needed later as well.

[GBPAN65 0]

Yes, the malware has been removed!

I attach the Autoruns log.

Thanks!
 

Autoruns.zip

[Nicktopa 0]

On 12/6/2020 at 3:52 PM, Marcos said:

Please check if the malware is now removed and provide a fresh Autoruns log.

Eset has removed the file, Thanks!