GBPAN65 (posted December 1, 2020): When I turn on the computer I get an alarm from Eset: PowerShell/Agent.dy. Eset did not find the virus / virus location. How do I remove this virus? Thanks

Marcos (Administrator, posted December 1, 2020): Please provide logs collected with ESET Log Collector.

itman (posted December 2, 2020): If this is PowerShell Empire related: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/ , most likely a backdoor has been created.

GBPAN65 (posted December 2, 2020): Hi Marcos, I got the eav_logs.zip file. What should I look for? Thanks

Marcos (Administrator, posted December 2, 2020): Please upload the generated archive here.

GBPAN65 (posted December 4, 2020): Thanks! [attachment: eav_logs.zip]

Marcos (Administrator, posted December 4, 2020): Please provide a Procmon boot log as per https://support.eset.com/en/kb6308. After a restart, launch Procmon and stop logging only after the threat has been detected. Also please provide a log from Autoruns.

GBPAN65 (posted December 5, 2020): Procmon generated 7 files for a total of more than 2 GB. I attach the Bootlog.pml file (the first two) and the file generated by Autoruns. If you also need the other 6 Procmon files, I will have to make more posts. Thanks [attachment: Autoruns.zip]

Marcos (Administrator, posted December 5, 2020): Looks like Procmon logging was stopped too early, before a detection was triggered; there was no record of Powershell.exe being run in the log. As for Autoruns, you've provided its binaries, not a log created by the Autoruns application.

GBPAN65 (posted December 5, 2020): Attached are files 2 and 3 obtained from Procmon. [attachment: Procmon_2_3.zip]

GBPAN65 (posted December 5, 2020): Attached are files 4, 5 and 6 obtained from Procmon and the file obtained from Autoruns. [attachment: Autoruns.zip]

Marcos (Administrator, posted December 5, 2020): Please provide the content of the C:\Users\gb\AppData\Roaming\EciYLzJxA folder. The folder should contain LfxFKWgd.ps1, hFQTJJ.exe (probably clean, renamed wscript.exe) and LfxFKWgd.txt. Do not delete the folder/files unless I confirm receipt.

itman (posted December 5, 2020): Great "real-world" example of malware renaming Windows script executables to bypass AV HIPS rules and the like. Time Eset offered a PE header name option in the HIPS to prevent a bypass like this.

Marcos (Administrator, posted December 5, 2020): I don't think it renames the system executable but rather drops or copies it under a different name.

itman (posted December 5, 2020): Quoting Marcos (16 minutes ago): "I don't think it renames the system executable but rather drops or copies it under a different name." Yes, I suspect this is the case. But in any event, the internal PE header name would remain the same as the source process.

Marcos (Administrator, posted December 5, 2020): A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter.

itman (posted December 5, 2020): Quoting Marcos (14 minutes ago): "A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter." Hopefully that is the case. But that is not the issue. The issue is I want to block/monitor script execution, period. Ref.: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
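The check itman is describing, as an added example that is not part of the thread or of any ESET product: the PE version resource of a dropped copy keeps the original interpreter's OriginalFilename, so a scan of a profile folder can flag executables whose on-disk name differs from it (a copy of wscript.exe saved as hFQTJJ.exe is the case from this thread). The scan root, the interpreter list and the output fields are assumptions.

```powershell
# Added example (not from the thread): find executables whose embedded
# OriginalFilename names a script interpreter but whose file name differs.
# Assumes the scan root is the user's roaming profile; adjust as needed.
param(
    [string]$Root = $env:APPDATA
)

# OriginalFilename values of common script hosts; the comparison is
# case-insensitive (PowerShell -contains / -ine ignore case by default).
$Interpreters = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe')

function Get-RenamedInterpreters {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the version resource; binaries without one return null fields.
        $vi   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        $orig = $vi.OriginalFilename
        if ($orig -and ($Interpreters -contains $orig) -and ($_.Name -ine $orig)) {
            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $orig
                Company          = $vi.CompanyName
                # Hash lets you confirm against the system copy of the interpreter.
                Sha256           = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                # Sibling scripts are what the renamed host would be launched with.
                SiblingScripts   = (Get-ChildItem -Path $_.DirectoryName -File -Include '*.ps1','*.vbs','*.js' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name) -join ', '
            }
        }
    }
}

Get-RenamedInterpreters -Path $Root | Format-Table -AutoSize
```

A hit whose Sha256 equals the hash of the matching file under the system directory is a clean copy of the interpreter, as Marcos suspected for hFQTJJ.exe; the sibling script files are then the actual payload to preserve for analysis.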
GBPAN65 (posted December 6, 2020): Here is the content of the folder C:\Users\gb\AppData\Roaming\EciYLzJxA. Thanks! [attachment: EciYLzJxA.zip]

Marcos (Administrator, posted December 6, 2020, marked as solution): Please check if the malware is now removed and provide a fresh Autoruns log.

Nicktopa (posted December 7, 2020): I have the same problem, the same PowerShell/Agent.dy warning message from Eset every 3 minutes. Quoting Marcos (12/1/2020 at 10:55 PM): "Please provide logs collected with ESET Log Collector." Would you like the logs as you requested before?

Marcos (Administrator, posted December 7, 2020): Quoting Nicktopa (1 hour ago): "I have the same problem, the same PowerShell/Agent.dy warning message from Eset every 3 minutes. Would you like the logs as you requested before?" Yes, please provide both Autoruns and logs collected with ESET Log Collector. A Procmon boot log may be needed later as well.

GBPAN65 (posted December 8, 2020): Yes, the malware has been removed! I attach the Autoruns log. Thanks! [attachment: Autoruns.zip]

Nicktopa (posted December 9, 2020): Quoting Marcos (12/6/2020 at 3:52 PM): "Please check if the malware is now removed and provide a fresh Autoruns log." Eset has removed the file. Thanks!