The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution

    Date: 07/12/2024

    Severity: Medium

    Summary

    "The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution" covers a technique for covert execution of PowerShell scripts that combines the AutoIt scripting language with the Common Language Runtime (CLR). AutoIt handles the initial execution and the CLR is used to invoke PowerShell commands stealthily, potentially bypassing detection mechanisms. Combining the two tools increases stealth and helps the malware evade security controls during malicious activity.

    Indicators of Compromise (IOC) List

    URL/Domain

    p.findmeatthe.top

    p.deutschland-zahlung.eu

    p.shadow-mods.net

    IP Address

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname IN ("p.shadow-mods.net","p.deutschland-zahlung.eu","p.findmeatthe.top") or url IN ("p.shadow-mods.net","p.deutschland-zahlung.eu","p.findmeatthe.top")

    IP Address

    dstipaddress IN ("147.50.253.218","147.50.253.11","147.50.253.119","147.50.253.114","185.172.128.93","147.50.253.104","194.59.165.52","147.50.253.111","147.50.253.222","147.50.253.115","147.50.253.108","147.50.253.5","146.19.100.7","147.50.253.109","147.50.253.101","147.50.253.2","147.50.253.167","147.50.253.231") or ipaddress IN ("147.50.253.218","147.50.253.11","147.50.253.119","147.50.253.114","185.172.128.93","147.50.253.104","194.59.165.52","147.50.253.111","147.50.253.222","147.50.253.115","147.50.253.108","147.50.253.5","146.19.100.7","147.50.253.109","147.50.253.101","147.50.253.2","147.50.253.167","147.50.253.231") or publicipaddress IN ("147.50.253.218","147.50.253.11","147.50.253.119","147.50.253.114","185.172.128.93","147.50.253.104","194.59.165.52","147.50.253.111","147.50.253.222","147.50.253.115","147.50.253.108","147.50.253.5","146.19.100.7","147.50.253.109","147.50.253.101","147.50.253.2","147.50.253.167","147.50.253.231") or srcipaddress IN ("147.50.253.218","147.50.253.11","147.50.253.119","147.50.253.114","185.172.128.93","147.50.253.104","194.59.165.52","147.50.253.111","147.50.253.222","147.50.253.115","147.50.253.108","147.50.253.5","146.19.100.7","147.50.253.109","147.50.253.101","147.50.253.2","147.50.253.167","147.50.253.231")

    Hash

    sha256hash IN ("A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e","9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572","2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb","ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd","9753df3ea4b9948c82310f64ff103685f78af85e3e08bb5f0d0d44047c63c315","19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d","0d70a044732a77957eaaf28d9574d75da54ae430d8ad2e4049bd182e13967a6f")
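    As an added example (not Gurucul's code and not part of the original advisory), the following Python evaluates the same three query conditions against normalized events: it checks the URL/domain, IP and hash fields named in the queries above, compares hex digests case-insensitively (the hash query lists one digest with an uppercase leading "A", while many log pipelines store lowercase), and skips malformed IP strings instead of failing the scan. Field names and IOC values come from the queries above (IPs and hashes are a subset); the event format and sample events are constructed.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed example, not Gurucul's code; IOC values are from the page (IP/hash subset).
DOMAIN_IOCS = {"p.shadow-mods.net", "p.deutschland-zahlung.eu", "p.findmeatthe.top"}
IP_IOCS = {"147.50.253.218", "147.50.253.11", "185.172.128.93",
           "194.59.165.52", "146.19.100.7"}
# Hex digests compare case-insensitively: the query lists one hash with an
# uppercase leading "A", while many log pipelines store digests in lowercase.
HASH_IOCS = {h.lower() for h in (
    "A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e",
    "9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572",
)}
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)

def _host_of(value):
    # Reduce a full URL or a bare hostname to a lowercase hostname.
    v = value.strip().lower()
    return (urlparse(v).hostname or "") if "://" in v else v.split("/")[0].split(":")[0]

def match_event(event):
    """Return (field, ioc, ioc_type) hits for one normalized event dict."""
    hits = []
    for f in (x for x in DOMAIN_FIELDS if x in event):
        host = _host_of(str(event[f]))
        if host in DOMAIN_IOCS:
            hits.append((f, host, "domain"))
    for f in (x for x in IP_FIELDS if x in event):
        try:  # skip malformed addresses such as "154.197.12..156" instead of crashing
            ip = str(ipaddress.ip_address(str(event[f]).strip()))
        except ValueError:
            continue
        if ip in IP_IOCS:
            hits.append((f, ip, "ip"))
    for f in (x for x in HASH_FIELDS if x in event):
        digest = str(event[f]).strip().lower()
        if digest in HASH_IOCS:
            hits.append((f, digest, "sha256"))
    return hits

def scan(events):
    """Return [(index, hits)] for every event with at least one IOC hit."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "147.50.253.218"},
    {"url": "https://p.findmeatthe.top/api/v1"},
    {"sha256hash": "a646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e"},
    {"dstipaddress": "8.8.8.8", "userdomainname": "example.com"},
    {"dstipaddress": "154.197.12..156"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and ignores the clean and malformed ones.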

    Reference:

    https://www.trellix.com/blogs/research/the-mechanics-of-vipersofts-exploiting-autoit-and-clr-for-stealthy-powershell-execution/

    https://thehackernews.com/2024/07/vipersoftx-malware-disguises-as-ebooks.html

    https://www.bleepingcomputer.com/news/security/vipersoftx-malware-covertly-runs-powershell-using-autoit-scripting/
