Archive for March 30th, 2019

"404" is not Malware, (Sat, Mar 30th)

Reader Chris submitted a PowerShell log. These are interesting too. Here’s what we saw:

A typical downloader command.

When I tried to download this using wget and the URL, I got a 404 page.

Next, I did a search for the URL on the free version of VirusTotal:

The URL has some detections. But more important: there is a link to the downloaded file. This can help me find the actual malware that was downloaded:

Notice that the detection count is 0, but that it has a very low community score. It’s a very small file: 564 bytes.

And it turns out to be HTML:

This time, VirusTotal can’t help me identify the file either: the hash of that small HTML file is the same as the hash of the file I downloaded with wget. It’s also a 404 page.

This is something that happens regularly on VirusTotal: “404” downloads being scored as malware.

That doesn’t mean that the initial file (the PowerShell script) wasn’t malware. But what was actually downloaded wasn’t malware; it was a 404 page, probably because the compromised server had already been cleaned.
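The triage in this diary boils down to three checks before an artifact is treated as the payload: what HTTP status the fetch returned, whether the body is an HTML error page rather than the expected file type, and whether the hash of what you fetched equals the hash of the copy VirusTotal holds. The script below, added here as an illustration and not code from the diary or from SANS, wires those checks into one function. Both inputs are constructed: a generic Apache-style 404 page standing in for the 564-byte file (whose contents and hash are not reproduced in the diary) and a padded PE header prefix standing in for a real download.

```python
import hashlib
import re
from typing import Dict, List, Optional, Set

# Constructed sample of the HTML a web server typically returns for a missing
# resource. It stands in for the 564-byte file in the diary, whose contents and
# hash are not reproduced here.
SAMPLE_404_HTML = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    b"<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n"
    b"</body></html>\n"
)

# Constructed stand-in for a genuine download: the DOS/PE header prefix of a
# Windows executable, zero-padded. It is not a working program.
SAMPLE_PE_PREFIX = (
    b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00" + b"\x00" * 64
    + b"PE\x00\x00" + b"\x00" * 200
)

HTML_LEAD = re.compile(rb"^\s*(<!DOCTYPE\s+HTML|<html)", re.IGNORECASE)
TITLE_RE = re.compile(rb"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# Titles such as "404 Not Found", "403 Forbidden", "503 Service Unavailable".
ERROR_TITLE_RE = re.compile(
    rb"\b(4\d\d|5\d\d)\b|not found|forbidden|unavailable", re.IGNORECASE
)


def sha256_hex(data: bytes) -> str:
    """Hash used to compare what we fetched with what VirusTotal holds."""
    return hashlib.sha256(data).hexdigest()


def looks_like_error_page(data: bytes) -> bool:
    """True when the body is HTML whose <title> reads like an HTTP error."""
    if not HTML_LEAD.match(data):
        return False
    m = TITLE_RE.search(data)
    title = m.group(1) if m else b""
    return ERROR_TITLE_RE.search(title) is not None


def triage_download(data: bytes,
                    http_status: Optional[int] = None,
                    known_error_hashes: Optional[Set[str]] = None) -> Dict[str, object]:
    """Decide whether a fetched blob is worth analysing as a payload.

    http_status is None when the bytes came from a third party (for example a
    VirusTotal download) and the original response code is unknown; in that
    case only the body and the hash registry can flag an error page.
    """
    digest = sha256_hex(data)
    reasons: List[str] = []
    if http_status is not None and http_status >= 400:
        reasons.append(f"HTTP status {http_status}")
    if known_error_hashes and digest in known_error_hashes:
        reasons.append("hash matches a previously triaged error page")
    if looks_like_error_page(data):
        reasons.append("HTML body whose title reads like an HTTP error")
    verdict = "error-page" if reasons else "candidate-payload"
    return {"sha256": digest, "size": len(data), "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # First fetch, as with wget in the diary: the URL answers 404.
    first = triage_download(SAMPLE_404_HTML, http_status=404)
    print(first)
    # Later, the same bytes obtained from a third party with the status unknown:
    # the hash registry catches it even without the response code.
    seen = {str(first["sha256"])}
    print(triage_download(SAMPLE_404_HTML, known_error_hashes=seen))
    print(triage_download(SAMPLE_PE_PREFIX, http_status=200))
```

Feeding a triaged error page's hash back into `known_error_hashes` is what closes the loop in the diary: when the copy held elsewhere hashes the same as the page you fetched yourself, it is the same 404, whatever score sits next to it.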



Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.
