Poweliks Fileless Malware

File Information

c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe

File Properties
Names	c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe (Sample File)
Size	70.00 KB (71680 bytes)
Hash Values	MD5: 0181850239cd26b8fb8b72afb0e95eac SHA1: bfa2dc3b9956a88a2e56bd6ab68d1f4f675a425a SHA256: 4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb
Actions	Actions Download

PE Information

Sections (6)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x401000	0x4937	0x4a00	0x400	CNT_CODE, MEM_EXECUTE, MEM_READ	6.71
.itext	0x406000	0x13c	0x200	0x4e00	CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE	2.38
.crt	0x407000	0x4fd9	0x5000	0x5000	CNT_CODE, MEM_EXECUTE, MEM_READ, MEM_WRITE	6.61
.data	0x40c000	0x684b	0x6a00	0xa000	CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE	5.43
.rsrc	0x413000	0x314	0x400	0x10a00	CNT_INITIALIZED_DATA, MEM_READ	2.56
.reloc	0x414000	0x87a	0xa00	0x10e00	CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ	5.5

Imports (75)

SHLWAPI.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset
(by ordinal)	0x1d	0x4060d0	0xb9d5	0x99d5
StrChrW	0x0	0x4060d4	0xb9d9	0x99d9

KERNEL32.dll (32)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset
FindFirstFileA	0x0	0x40604c	0xb951	0x9951
IsDBCSLeadByteEx	0x0	0x406050	0xb955	0x9955
LocalAlloc	0x0	0x406054	0xb959	0x9959
GetExitCodeThread	0x0	0x406058	0xb95d	0x995d
GetProfileStringA	0x0	0x40605c	0xb961	0x9961
GetThreadPriority	0x0	0x406060	0xb965	0x9965
lstrcmpiW	0x0	0x406064	0xb969	0x9969
GetFileAttributesExW	0x0	0x406068	0xb96d	0x996d
GetStringTypeExA	0x0	0x40606c	0xb971	0x9971
GetVersion	0x0	0x406070	0xb975	0x9975
GetFileInformationByHandle	0x0	0x406074	0xb979	0x9979
GlobalAddAtomW	0x0	0x406078	0xb97d	0x997d
GetPrivateProfileSectionW	0x0	0x40607c	0xb981	0x9981
SetFileAttributesW	0x0	0x406080	0xb985	0x9985
GetVolumeInformationW	0x0	0x406084	0xb989	0x9989
ExitThread	0x0	0x406088	0xb98d	0x998d
GetEnvironmentVariableA	0x0	0x40608c	0xb991	0x9991
GetSystemDirectoryA	0x0	0x406090	0xb995	0x9995
FileTimeToSystemTime	0x0	0x406094	0xb999	0x9999
DeleteVolumeMountPointW	0x0	0x406098	0xb99d	0x999d
GetThreadContext	0x0	0x40609c	0xb9a1	0x99a1
SizeofResource	0x0	0x4060a0	0xb9a5	0x99a5
OpenProcess	0x0	0x4060a4	0xb9a9	0x99a9
ReadConsoleW	0x0	0x4060a8	0xb9ad	0x99ad
GetTickCount	0x0	0x4060ac	0xb9b1	0x99b1
FlushConsoleInputBuffer	0x0	0x4060b0	0xb9b5	0x99b5
GetUserDefaultLCID	0x0	0x4060b4	0xb9b9	0x99b9
CreateDirectoryW	0x0	0x4060b8	0xb9bd	0x99bd
LoadLibraryExW	0x0	0x4060bc	0xb9c1	0x99c1
UnmapViewOfFile	0x0	0x4060c0	0xb9c5	0x99c5
GetStringTypeA	0x0	0x4060c4	0xb9c9	0x99c9
GetShortPathNameW	0x0	0x4060c8	0xb9cd	0x99cd

USER32.dll (23)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset
UnregisterClassW	0x0	0x4060dc	0xb9e1	0x99e1
RemovePropW	0x0	0x4060e0	0xb9e5	0x99e5
SwapMouseButton	0x0	0x4060e4	0xb9e9	0x99e9
UnloadKeyboardLayout	0x0	0x4060e8	0xb9ed	0x99ed
CloseWindowStation	0x0	0x4060ec	0xb9f1	0x99f1
LoadBitmapA	0x0	0x4060f0	0xb9f5	0x99f5
CharUpperA	0x0	0x4060f4	0xb9f9	0x99f9
IsCharAlphaW	0x0	0x4060f8	0xb9fd	0x99fd
WindowFromPoint	0x0	0x4060fc	0xba01	0x9a01
IsCharLowerA	0x0	0x406100	0xba05	0x9a05
GetWindowLongW	0x0	0x406104	0xba09	0x9a09
AppendMenuW	0x0	0x406108	0xba0d	0x9a0d
GetWindowLongA	0x0	0x40610c	0xba11	0x9a11
GetClipboardData	0x0	0x406110	0xba15	0x9a15
GetWindowTextW	0x0	0x406114	0xba19	0x9a19
IsCharLowerW	0x0	0x406118	0xba1d	0x9a1d
GetClassInfoA	0x0	0x40611c	0xba21	0x9a21
AppendMenuA	0x0	0x406120	0xba25	0x9a25
wvsprintfA	0x0	0x406124	0xba29	0x9a29
ClipCursor	0x0	0x406128	0xba2d	0x9a2d
DefDlgProcA	0x0	0x40612c	0xba31	0x9a31
GetDialogBaseUnits	0x0	0x406130	0xba35	0x9a35
SetThreadDesktop	0x0	0x406134	0xba39	0x9a39

GDI32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset
OffsetViewportOrgEx	0x0	0x406000	0xb905	0x9905
CreateEllipticRgnIndirect	0x0	0x406004	0xb909	0x9909
Escape	0x0	0x406008	0xb90d	0x990d
GetTextExtentExPointA	0x0	0x40600c	0xb911	0x9911
CreateCompatibleBitmap	0x0	0x406010	0xb915	0x9915
PtInRegion	0x0	0x406014	0xb919	0x9919
SetRectRgn	0x0	0x406018	0xb91d	0x991d
DeleteObject	0x0	0x40601c	0xb921	0x9921
ExcludeClipRect	0x0	0x406020	0xb925	0x9925
CreateFontIndirectA	0x0	0x406024	0xb929	0x9929
WidenPath	0x0	0x406028	0xb92d	0x992d
GetEnhMetaFileBits	0x0	0x40602c	0xb931	0x9931
SetViewportOrgEx	0x0	0x406030	0xb935	0x9935
GetTextExtentPoint32A	0x0	0x406034	0xb939	0x9939
PatBlt	0x0	0x406038	0xb93d	0x993d
SetDIBitsToDevice	0x0	0x40603c	0xb941	0x9941
CreatePolygonRgn	0x0	0x406040	0xb945	0x9945
GetTextColor	0x0	0x406044	0xb949	0x9949

Exports (2)

Api name	EAT Address	Ordinal
?ErrorCommon@@YGEPAG@Z	0x401000	0x1
Feus_Yeah_Mace_Gilt_Paid_Iota_Roesow	0x407087	0x2

c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat

File Properties
Names	c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat (Modified File)
Size	48.00 KB (49152 bytes)
Hash Values	MD5: e240cbb4588ea4f6d728281bb03d4868 SHA1: e0ecab06cf1a6d34af4f54ea2fde9189572ede3d SHA256: 5eb84960d0e21d21afbee036ca968627e0920a0ec9ad0804e6271b15441ef2a5
Actions	Actions Download

c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\index.dat

File Properties
Names	c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\index.dat (Modified File)
Size	32.00 KB (32768 bytes)
Hash Values	MD5: 52860b79194a2bd3b1e66300587b21cf SHA1: faa8d7915f6733c93678128d032d26c150eb1550 SHA256: b3e7c1e6e0d6859d21aadf673fc01f33289fb30ce4b39edb6ecaccc0f8ff6f0a
Actions	Actions Download

c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5\index.dat

File Properties
Names	c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5\index.dat (Modified File)
Size	64.00 KB (65536 bytes)
Hash Values	MD5: fbdf4ba6c43b1ae50b9cef65661d27d5 SHA1: b82e77ed9a3dff893f0a5266c470ed67d3f48856 SHA256: c608d3ec31fe48785961b02a20dc1e9f1e2c5710e4c6ae9ddbb1472db238ec73
Actions	Actions Download