PSLoramyra: Technical Analysis of Fileless Malware Loader

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

This analysis examines PSLoramyra, a fileless malware loader that uses PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory. The infection chain begins with an initial PowerShell script that drops three files: roox.ps1, roox.bat, and roox.vbs. The loader establishes persistence through the Windows Task Scheduler with a task that runs roox.vbs every two minutes. PSLoramyra runs its scripts stealthily, using hidden windows and bypassing the PowerShell execution policy. The main payload is deobfuscated, loaded into memory using .NET Reflection, and executed via RegSvcs.exe. Because the decoded payload exists only in memory and only small script files touch disk, PSLoramyra evades detection that relies on scanning executable files, which makes it a significant threat.
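The behaviours summarised above (a scheduled task firing every two minutes to run a .vbs, PowerShell launched hidden with the execution policy bypassed, and RegSvcs.exe used to run the in-memory payload) are the observable points a defender can hunt on. The following is an added hunting example written for this page; it is not code from the original report or from the malware. It assumes Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage), assumes that roox.vbs launches roox.bat which launches roox.ps1 and that RegSvcs.exe is spawned by the PowerShell process, and assumes the dropped scripts live in a user-writable directory; the sample events and the exported task XML are constructed for the demonstration.

```python
"""Added hunting example (not from the original report): flags the PSLoramyra
execution pattern in process-creation telemetry and in exported scheduled-task XML.
Field names follow Sysmon Event ID 1 conventions; all sample data is constructed."""
import re
import xml.etree.ElementTree as ET

# Argument spellings PowerShell accepts for a hidden window and a policy bypass.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:p|xec|xecutionpolicy)?\s+bypass", re.I)
# User-writable locations a dropped loader script is likely to live in (assumption).
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def classify_event(ev):
    """Return the list of indicator names an event matches (empty means no hit)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    hits = []
    if image.endswith("powershell.exe") and HIDDEN_RE.search(cmd) and BYPASS_RE.search(cmd):
        hits.append("hidden_bypass_powershell")
    if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\.vbs\b", cmd, re.I) \
            and USER_WRITABLE_RE.search(cmd):
        hits.append("vbs_from_user_writable_path")
    # RegSvcs.exe is a .NET utility; PowerShell spawning it is not a normal
    # developer workflow and matches the in-memory execution stage (assumption).
    if image.endswith("regsvcs.exe") and parent.endswith(("powershell.exe", "pwsh.exe")):
        hits.append("regsvcs_spawned_by_powershell")
    return hits


def scan_events(events):
    """Map the index of every flagged event to the indicators it matched."""
    return {i: h for i, ev in enumerate(events) if (h := classify_event(ev))}


# Task Scheduler repetition intervals are ISO 8601 durations such as PT2M.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def iso_duration_seconds(text):
    """Convert a day/hour/minute/second ISO 8601 duration to seconds; None if unparseable."""
    m = DURATION_RE.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def suspicious_task(task_xml, max_interval_seconds=300):
    """True when a task both repeats at a short interval and runs a script file."""
    root = ET.fromstring(task_xml)
    short_repeat = False
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs <= max_interval_seconds:
            short_repeat = True
    runs_script = False
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", "", NS) + " " + action.findtext("t:Arguments", "", NS)
        if re.search(r"\.(?:vbs|bat|ps1)\b", cmd, re.I):
            runs_script = True
    return short_repeat and runs_script


# Constructed process-creation events modelling the assumed vbs -> bat -> ps1 chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\Public\roox.vbs',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\roox.bat",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\roox.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: an administrator running a visible script under the default policy.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed task export (schtasks /query /xml style) for the two-minute roox.vbs trigger.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT2M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command><Arguments>C:\\Users\\Public\\roox.vbs</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
    print("task suspicious:", suspicious_task(SAMPLE_TASK_XML))
```

Each rule on its own is noisy (administrators do bypass the execution policy, and legitimate tasks do run scripts); the value is in correlating the three indicators on one host within the task's two-minute cadence. On a live system the task XML can be pulled with `schtasks /query /xml /tn <name>` and fed to `suspicious_task` unchanged.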

OPENCTI LABELS :

fileless,powershell,psloramyra
