
Analysis of a Reverse Shell Sample from the WvEWjQ22.hta Trojan

2025-04-12 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Here we share an analysis of the WvEWjQ22.hta Trojan reverse shell sample for your reference; we hope you find it useful.

I Overview

At night I received a call from a customer saying that a suspected attack had been detected and asking me to handle the emergency response, so I got out of bed and picked up my notebook. Preliminary analysis showed that WvEWjQ22.hta launches a powershell process. Deeper analysis showed that the payload seen in the traffic had been encoded with two layers of Base64 and one layer of Gzip. Reverse analysis and debugging of the decoded shellcode showed it to be a TCP reverse shell generated by CS or MSF. Finally, the attacker's IP was traced and the powershell process and the TCP reverse shell process were terminated.

II Attack Technique

The triple-encoded WvEWjQ22.hta Trojan evades the situational awareness system's detection alerts and runs a powershell process that establishes a reverse shell.

III Sample Analysis

The Trojan executes commands via powershell

The WvEWjQ22.hta script uses powershell to execute a Base64-encoded PS script

Base64 decoding

Decode the Base64+Gzip layer with a PS script and write the final executed script to 1.txt

The decoded script mainly allocates memory, Base64-decodes the shellcode, and loads and executes it

Save the Base64-encoded shellcode from the script to the file out.bin

Debugging the decoded shellcode shows it is a TCP reverse shell generated by CS or MSF. Callback (C2) address: 112.83.107.148:65002
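The three-layer unwrapping described above (Base64 command, then Base64+Gzip script, then the Base64 shellcode blob), as an added Python example that is not part of the original write-up. It assumes the outer layer follows the `powershell -EncodedCommand` convention (UTF-16LE Base64) and uses a constructed placeholder in place of the sample's shellcode.

```python
import base64
import gzip
import re

# Constructed stand-in for the shellcode blob (NOT the sample's real shellcode).
PLACEHOLDER_SHELLCODE = b"CONSTRUCTED-PLACEHOLDER-NOT-SHELLCODE"

# Matches the quoted Base64 argument of FromBase64String(...) in a PS script.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def build_sample() -> str:
    """Build a constructed three-layer payload in the shape the write-up describes."""
    # Innermost layer: loader script carrying the shellcode as Base64 (Base64 layer 1).
    loader = ("[Byte[]]$sc = [System.Convert]::FromBase64String('"
              + base64.b64encode(PLACEHOLDER_SHELLCODE).decode() + "')")
    # Middle layer: loader gzip-compressed then Base64 (layer 2), inside a stub that
    # decompresses it and hands it to IEX (the Gzip layer).
    gz_b64 = base64.b64encode(gzip.compress(loader.encode("utf-8"))).decode()
    stub = ("$d=[System.Convert]::FromBase64String('" + gz_b64 + "');"
            "$g=New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,$d)),"
            "[IO.Compression.CompressionMode]::Decompress);"
            "IEX (New-Object IO.StreamReader($g)).ReadToEnd()")
    # Outer layer (assumption): powershell -EncodedCommand convention, UTF-16LE Base64.
    return base64.b64encode(stub.encode("utf-16-le")).decode()


def unwrap(encoded_command: str) -> dict:
    """Peel the three layers, mirroring the write-up's 1.txt and out.bin steps."""
    stub = base64.b64decode(encoded_command).decode("utf-16-le")
    m = B64_ARG.search(stub)
    if not m:
        raise ValueError("no FromBase64String argument in stage-1 stub")
    gz = base64.b64decode(m.group(1))
    if gz[:2] != b"\x1f\x8b":
        raise ValueError("inner blob is not gzip (bad magic)")
    final_script = gzip.decompress(gz).decode("utf-8")  # what the write-up saved as 1.txt
    m = B64_ARG.search(final_script)
    if not m:
        raise ValueError("no Base64 shellcode in final script")
    shellcode = base64.b64decode(m.group(1))           # what the write-up saved as out.bin
    return {"stage1": stub, "final_script": final_script, "shellcode": shellcode}


if __name__ == "__main__":
    result = unwrap(build_sample())
    with open("1.txt", "w", encoding="utf-8") as f:
        f.write(result["final_script"])
    with open("out.bin", "wb") as f:
        f.write(result["shellcode"])
    print(f"wrote 1.txt and out.bin ({len(result['shellcode'])} shellcode bytes)")
```

On a real capture, pass the string following `-EncodedCommand` (or `-enc`) from the process command line to `unwrap()`; the gzip magic check catches a mis-ordered or truncated middle layer before decompression.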

IV Disposition

Terminate the powershell process and the TCP reverse shell process.

That concludes the analysis of the WvEWjQ22.hta Trojan reverse shell sample; thank you for reading.
