Packer: absent
Compilation date: 16:57:11 23.10.2018
SHA1 hashes:
- 84c34167a696533cc7eddb5409739edd9af232ed (msvsct.exe)
- 2e2919ce6f643d73ff588bccdc7da5d74c611b2c (msvsct.ini, encrypted)
- 0b1525be40edbd28165e13e49946a57e641d3dfb (msvsct.ini, decrypted)
Description
A loader for BackDoor.PlugX.38 written in C and designed to operate in 32-bit and 64-bit Microsoft Windows operating systems. It is an executable file that loads and decrypts the payload module.
Operating routine
The loader is an executable file whose original name is msvsct.exe. Its installation path on the infected system is C:\ProgramData\AppData\msvsct.exe. It establishes persistence by writing itself to the registry autostart location: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'AUTORUN' = "c:\programdata\appdata\msvsct.exe".
The payload is located in msvsct.ini and is decrypted by the following script:
# d holds the raw bytes of the encrypted msvsct.ini; s receives the decrypted payload
s = bytearray()
for i in range(len(d)):
    s.append((((d[i] + 0x77) ^ 0x78) - 0x79) & 0xff)
After decryption the payload turns into shellcode, which loads the main malicious module as a dynamic link library (detected by Dr.Web as BackDoor.PlugX.38).
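The same per-byte transform as Python 3 functions over bytes, added here as an example rather than taken from the original analysis: it includes the inverse transform for producing known-answer test files and a SHA-1 check against the decrypted-msvsct.ini hash listed above (the on-disk path passed to decrypt_ini is an assumption).

```python
import hashlib
from pathlib import Path
from typing import Tuple

# SHA-1 of msvsct.ini after decryption, as listed in the hash section of this description
EXPECTED_DECRYPTED_SHA1 = "0b1525be40edbd28165e13e49946a57e641d3dfb"


def decrypt_payload(data: bytes) -> bytes:
    """Loader's per-byte transform: ((b + 0x77) ^ 0x78) - 0x79, reduced mod 256."""
    return bytes((((b + 0x77) ^ 0x78) - 0x79) & 0xFF for b in data)


def encrypt_payload(data: bytes) -> bytes:
    """Exact inverse of decrypt_payload (undo the subtraction, the XOR, then the addition).

    Useful for building test vectors when the real msvsct.ini is not at hand.
    """
    return bytes(((((b + 0x79) & 0xFF) ^ 0x78) - 0x77) & 0xFF for b in data)


def sha1_matches(plain: bytes) -> bool:
    """True when the decrypted blob hashes to the SHA-1 published for the decrypted .ini."""
    return hashlib.sha1(plain).hexdigest() == EXPECTED_DECRYPTED_SHA1


def decrypt_ini(path: str) -> Tuple[bytes, bool]:
    """Decrypt an msvsct.ini file from disk (path is an assumption) and verify its SHA-1."""
    plain = decrypt_payload(Path(path).read_bytes())
    return plain, sha1_matches(plain)


if __name__ == "__main__":
    import sys

    payload, ok = decrypt_ini(sys.argv[1] if len(sys.argv) > 1 else "msvsct.ini")
    print(f"decrypted {len(payload)} bytes, SHA-1 matches published hash: {ok}")
```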