ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

Tool: POWBAT

Type: Info stealer, Exfiltration, Tunneling
Description (FireEye): After the macro successfully creates the scheduled task, the dropped VBScript, update.vbs (Figure 5), will be launched every three minutes. This VBScript performs the following operations:

1. Leverages PowerShell to download content from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\dwn&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
2. Uses PowerShell to download a BAT file from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\bat&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
3. Executes the BAT file and stores the results in a file in the path %PUBLIC%\Libraries\up.
4. Uploads this file to the server by sending an HTTP POST request to the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\upl&m=u.
5. Finally, it executes the PowerShell script dns.ps1, which is used for the purpose of data exfiltration using DNS.
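The five steps above give a compact network signature: every request goes to sysupdate.aspx with a req=<id>\<stage> parameter whose stage is dwn, bat or upl, and an m=d (download) or m=u (upload) flag, with the upload sent as an HTTP POST. The following detection routine is an added example written for this card, not code from FireEye or from the tool itself. It runs over constructed proxy log lines (the host identifier WS01, the client addresses, the timestamps and the log format are assumptions) and also measures the interval between consecutive beacons so the three-minute scheduled-task cadence can be confirmed.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs, unquote

# Stage names keyed by the token after the backslash in req=, taken from the
# five steps in the FireEye description above.
STAGES = {"dwn": "download-content", "bat": "download-bat", "upl": "upload-results"}

# Transfer-direction flag each stage is expected to carry (m=d download, m=u upload).
EXPECTED_M = {"dwn": "d", "bat": "d", "upl": "u"}


def classify_powbat_request(method, url):
    """Return a stage label if the request has the POWBAT beacon shape, else None.

    The check is deliberately host-agnostic: it keys on the sysupdate.aspx path
    and the req=<id>\\<stage>&m=<d|u> query shape, which survives a change of
    C2 domain. Deviations from the documented shape are appended as flags
    rather than discarded, so a variant still surfaces for review.
    """
    parsed = urlparse(url)
    if not parsed.path.lower().endswith("/sysupdate.aspx"):
        return None
    qs = parse_qs(parsed.query)
    req = unquote(qs.get("req", [""])[0])  # the backslash may arrive as %5C
    m = qs.get("m", [""])[0].lower()
    _, sep, stage = req.rpartition("\\")   # req looks like "<identifier>\<stage>"
    stage = stage.lower()
    if not sep or stage not in STAGES:
        return None
    flags = []
    if m != EXPECTED_M[stage]:
        flags.append("m-mismatch")
    if stage == "upl" and method.upper() != "POST":
        flags.append("not-post")
    label = STAGES[stage]
    return label + (" [" + ",".join(flags) + "]" if flags else "")


# Assumed proxy log layout: <timestamp> <client> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return (timestamp, client, stage_label) for every line that matches a POWBAT stage."""
    hits = []
    for line in lines:
        mobj = LOG_LINE.match(line.strip())
        if not mobj:
            continue
        label = classify_powbat_request(mobj["method"], mobj["url"])
        if label:
            hits.append((mobj["ts"], mobj["client"], label))
    return hits


def beacon_intervals(hits, stage="download-content"):
    """Seconds between consecutive hits of one stage, per client.

    update.vbs runs from a scheduled task every three minutes, so a steady
    180 s gap between download-content requests corroborates the match.
    """
    by_client = {}
    for ts, client, label in hits:
        if label == stage:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            by_client.setdefault(client, []).append(when)
    return {
        client: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for client, times in by_client.items()
    }


# Constructed sample log: two full beacon cycles from one host, one benign
# request, one request with a bare req= value, and one malformed upload.
SAMPLE_PROXY_LOG = r"""
2020-04-20T10:00:01Z 10.0.0.5 GET http://go0gIe.com/sysupdate.aspx?req=WS01\dwn&m=d 200
2020-04-20T10:00:02Z 10.0.0.5 GET http://go0gIe.com/sysupdate.aspx?req=WS01%5Cbat&m=d 200
2020-04-20T10:00:04Z 10.0.0.5 POST http://go0gIe.com/sysupdate.aspx?req=WS01\upl&m=u 200
2020-04-20T10:00:05Z 10.0.0.7 GET http://update.example.net/sysupdate.aspx?req=abc&m=d 200
2020-04-20T10:00:06Z 10.0.0.8 GET http://www.example.com/index.html 200
2020-04-20T10:03:01Z 10.0.0.5 GET http://go0gIe.com/sysupdate.aspx?req=WS01\dwn&m=d 200
2020-04-20T10:03:02Z 10.0.0.5 GET http://go0gIe.com/sysupdate.aspx?req=WS01\bat&m=d 200
2020-04-20T10:03:04Z 10.0.0.5 POST http://go0gIe.com/sysupdate.aspx?req=WS01\upl&m=u 200
2020-04-20T10:03:09Z 10.0.0.9 GET http://198.51.100.20/sysupdate.aspx?req=WS09\upl&m=d 200
""".strip().splitlines()


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(*hit)
    print(beacon_intervals(found))
```

The host-agnostic matching is intentional: go0gIe[.]com is the domain FireEye observed, but the query shape and the dwn/bat/upl cycle are what the script itself depends on, so they are the more durable thing to alert on; the domain can still be added as a separate indicator.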

Last change to this tool card: 20 April 2020


All groups using tool POWBAT


APT groups

Group | Country | Observed
Chafer, APT 39 | Iran | 2014-Sep 2020
OilRig, APT 34, Helix Kitten, Chrysene | Iran | 2014-May 2022

2 groups listed (2 APT, 0 other, 0 unknown)

Digital Service Security Center

Report incidents

Telephone +66 (0)2-123-1227