BTLO : PowerShell Analysis – Keylogger

A suspicious PowerShell script was found on one of our endpoints. Can you work out what it does?

Unzip the folder and open the PowerShell script in a text editor.

What is the SHA256 hash value for the PowerShell script file?

Get the file hash with the sha256sum tool.

What email address is used to send and receive emails?

The sender address, recipient address, password and SMTP port are all set as variables near the top of the script; viewing the txt file shows these details.

What is the password for this email account?

What port is used for SMTP?

What DLL is imported to help record keystrokes?

What directory is the generated txt file put in?
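The questions above are the usual static-triage checklist for a script like this: hash the file, then pull out the mail configuration, the credentials, any native DLL it imports and the path it writes to. The following Python script is an added example of that triage, not part of the challenge or of this post; the `SAMPLE_SCRIPT` lines, the email address, the password placeholder, the port, the DLL name and the log path in it are all constructed for the demonstration and are not the values from the challenge file.

```python
import hashlib
import re

# Constructed sample: a configuration block of the kind found at the top of
# such scripts. These values are invented for the example, not the challenge's.
SAMPLE_SCRIPT = r'''
$SMTPServer = "smtp.example.com"
$SMTPPort = 587
$Username = "sample-sender@example.com"
$Password = "CONSTRUCTED-PLACEHOLDER"
$LogFile = "$env:TEMP\keylog.txt"
$Signature = @"
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
"@
'''

EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
DLLIMPORT_RE = re.compile(r'DllImport\s*\(\s*"([^"]+\.dll)"', re.IGNORECASE)
# "$Name = value" assignments, one per line
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)
# quoted Windows paths ending in .txt, rooted at $env:VAR or a drive letter
PATH_RE = re.compile(r'"((?:\$env:\w+|[A-Za-z]:)\\[^"]*\.txt)"', re.IGNORECASE)


def sha256_of(data: bytes) -> str:
    """Same digest sha256sum prints for the file contents."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks (equivalent of `sha256sum <file>`)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(script: str) -> dict:
    """Extract the indicators the walkthrough questions ask for."""
    assignments = {name: value.strip('"\'') for name, value in ASSIGN_RE.findall(script)}

    # SMTP port: first numeric assignment whose variable name mentions "port"
    smtp_port = None
    for name, value in assignments.items():
        if "port" in name.lower() and value.isdigit():
            smtp_port = int(value)
            break

    # Password: first assignment whose variable name mentions "pass"
    password = next((v for n, v in assignments.items() if "pass" in n.lower()), None)

    # Output directory: everything before the final backslash of each .txt path
    output_dirs = sorted({p.rsplit("\\", 1)[0] for p in PATH_RE.findall(script)})

    return {
        "sha256": sha256_of(script.encode()),
        "emails": sorted(set(EMAIL_RE.findall(script))),
        "smtp_port": smtp_port,
        "password": password,
        "dll_imports": sorted(set(DLLIMPORT_RE.findall(script))),
        "output_dirs": output_dirs,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

To run it against the real challenge file, read the script text from disk and pass it to `triage()`, and use `sha256_of_file()` for the hash question; the regexes are deliberately loose, so treat any hit as a lead to confirm by reading the surrounding lines rather than as a final answer.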
