{
	"id": "a32b16d8-812c-4f9f-8a7e-c3b983810765",
	"created_at": "2026-04-06T02:11:49.107008Z",
	"updated_at": "2026-04-10T13:12:19.493711Z",
	"deleted_at": null,
	"sha1_hash": "181311074b1b78fbf3b435ec7c9f5f78713cda33",
	"title": "Mallox Evading AMSI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 822475,
	"plain_text": "Mallox Evading AMSI\r\nPublished: 2023-12-27 · Archived: 2026-04-06 01:33:32 UTC\r\nIn the past, as blogged here, we have seen that the Mallox ransomware group has been targeting Indian companies since 2022. Recently, we noticed an update in their PowerShell script, which is the crux of this blog. PowerShell scripts are an important part of the Mallox attack chain: after gaining initial access to the machine via SQL or RDP, the rest of the activity, such as privilege escalation and executing Remcos RAT, is done using PowerShell only.\r\nFigure 1: PowerShell script being used for MS16-032 privilege escalation\r\nFigure 2: PowerShell script being used to download Mimikatz and run it\r\nhttps://labs.k7computing.com/index.php/mallox-evading-amsi/\r\nPage 1 of 5\r\nFigure 3: PowerShell being used for installing Remcos RAT\r\nIn their updated PowerShell script, the attackers have included additional code which attempts to bypass the AV’s AMSI detection component before running their regular code. AMSI (Antimalware Scan Interface) is an interface in the Windows OS which can be used by any application, such as an AV, to get a (mostly) deobfuscated copy of scripts such as PowerShell, JScript and VBScript before they execute. AVs can then scan these scripts and detect malicious ones based on the AV’s signatures. To use this interface, applications have to register themselves by providing the DLL path and a pointer to the function containing the scanning logic for the scripts.\r\nThe updated PowerShell script looks like this:\r\nFigure 4: Latest PowerShell bypassing AMSI\r\nThis technique was developed and published by a researcher named Maor Korkos in 2022. The Mallox group has adopted it and started using it for bypassing AMSI.\r\nThe script works as follows:\r\n1. The script imports Kernel32.dll and Amsi.dll and initialises the VirtualProtect and AmsiInitialize APIs to be used later.\r\nFigure 5: Importing DLLs and initializing APIs\r\n2. A shellcode is stored in a variable to be copied into memory later. The purpose of this shellcode is to move 0x0 into the EAX register and return.\r\nFigure 6: Shellcode\r\n3. Then it calls the AmsiInitialize API with the appname VWZad, which returns a pointer to an AMSI context structure of type HAMSICONTEXT. This structure mainly consists of the following:\r\n- A signature, “AMSI”, which marks the start of the structure.\r\n- The appname which the application registered while initialising AMSI (VWZad in our case).\r\n- Pointers to the DLL and the functions that AV vendors have registered with Windows to provide their anti-malware capability to scan and detect malicious PowerShell scripts. The registered function is invoked by the AmsiScanBuffer API whenever a PowerShell script is executed.\r\n- Session count.\r\nFigure 7: AmsiInitialize API being used\r\nFigure 8: Windows Defender’s registered DLL for AMSI, i.e. MpOav.dll\r\n4. After getting the pointer to the AMSI context structure, the script traverses the structure and finds the address of the function provided by the AV vendor. Then the script changes the permission of the .text section of MpOav.dll (Windows Defender’s registered DLL for AMSI) to PAGE_EXECUTE_READWRITE so that it can copy the above-mentioned shellcode to that function’s address, bypassing it. As a result, the function’s original content is overwritten with the shellcode, which will look like Figure 11. So now, whenever the AMSI function runs for the current PowerShell session, it returns zero whenever a PowerShell script goes through AmsiScanBuffer, which means the AV has judged the PowerShell script as clean without even scanning it, and the script will not be flagged.\r\nFigure 9: Patching shellcode into the registered DLL\r\nFigure 10: MpOav.dll (Windows Defender’s registered DLL for AMSI) original code\r\nFigure 11: MpOav.dll patched code\r\n5. Now the script moves on to its main function, which is to download the .NET downloader, without worrying whether the AV is going to detect the script or not.\r\nFigure 12: Final PS command to download malware\r\nThis is not the first time that the Mallox group has improved their technique; they do this from time to time when AVs cause them issues by detecting their techniques. So we need to be a step ahead by keeping ourselves updated with the latest bypassing techniques used by threat actors. Protecting yourself by investing in a reputable security product such as K7 Antivirus is therefore necessary in today’s world. We at K7 Labs provide detection for bypassing techniques like these and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIOC\r\nHash\r\n71BF701BE973F9477427E38FA39818BD\r\nSource: https://labs.k7computing.com/index.php/mallox-evading-amsi/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/mallox-evading-amsi/"
	],
	"report_names": [
		"mallox-evading-amsi"
	],
	"threat_actors": [],
	"ts_created_at": 1775441509,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/181311074b1b78fbf3b435ec7c9f5f78713cda33.pdf",
		"text": "https://archive.orkl.eu/181311074b1b78fbf3b435ec7c9f5f78713cda33.txt",
		"img": "https://archive.orkl.eu/181311074b1b78fbf3b435ec7c9f5f78713cda33.jpg"
	}
}