{"id":10067,"date":"2024-11-27T11:09:20","date_gmt":"2024-11-27T11:09:20","guid":{"rendered":"\/cybersecurity-blog\/?p=10067"},"modified":"2025-07-17T11:00:59","modified_gmt":"2025-07-17T11:00:59","slug":"psloramyra-malware-technical-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/","title":{"rendered":"PSLoramyra: Technical Analysis of Fileless Malware Loader"},"content":{"rendered":"\n<p>In this article, <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=psloramyra_analysis&amp;utm_term=271124&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&#8217;s analyst team will explore a malicious loader known as <strong>PSLoramyra<\/strong>. This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access.<\/p>\n\n\n\n<p>Classified as a <strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/fileless-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">fileless loader<\/a><\/strong>, PSLoramyra bypasses traditional detection methods by loading its primary payload entirely into memory, leaving minimal traces on the system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PSLoramyra Loader: Technical Analysis<\/h2>\n\n\n\n<p>To see the PSLoramyra loader in action, let\u2019s have a look at its sample inside ANY.RUN\u2019s sandbox:<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/24dbdd79-5ff1-4050-8ac3-9edb348ff923\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=psloramyra_analysis&amp;utm_term=271124&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"590\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-1024x590.png\" alt=\"\" class=\"wp-image-10068\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-1024x590.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-768x442.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-1536x885.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-2048x1179.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-370x213.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1-740x426.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>PSLoramyra analysis inside ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Initial PowerShell script&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s take a closer look at this loader. The infection chain begins with an initial <a href=\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell<\/a> script that contains both the main malicious payload and the scripts required to execute it. 
The script performs the following steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>File creation<\/strong>: the script generates three files critical to the infection chain:\n<ol class=\"wp-block-list\">\n<li>roox.ps1<\/li>\n<li>roox.bat<\/li>\n<li>roox.vbs<\/li>\n<\/ol>\n<\/li>\n<li><strong>Execution chain<\/strong>:\n<ol class=\"wp-block-list\">\n<li>The roox.vbs script is executed first to initiate the process.<\/li>\n<li>roox.vbs launches the roox.bat script.<\/li>\n<li>roox.bat then runs the roox.ps1 PowerShell script.<\/li>\n<\/ol>\n<\/li>\n<li><strong>Payload execution<\/strong>:<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"984\" height=\"632\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph.png\" alt=\"\" class=\"wp-image-10069\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph.png 984w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph-300x193.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph-768x493.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph-370x238.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/psloadergraph-740x475.png 740w\" sizes=\"(max-width: 984px) 
100vw, 984px\" \/><figcaption class=\"wp-element-caption\"><em>Execution chain of the attack<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The roox.ps1 script loads the main malicious payload directly into memory using Reflection.Assembly.Load. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"607\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-1024x607.png\" alt=\"\" class=\"wp-image-10070\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-1024x607.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-300x178.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-768x455.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-370x219.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-270x160.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1-740x439.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1.png 1284w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Process tree generated by ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It then leverages RegSvcs.exe to execute the payload. 
In this case, the payload is the <a href=\"https:\/\/any.run\/malware-trends\/quasar\" target=\"_blank\" rel=\"noreferrer noopener\">Quasar RAT<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Establishing Persistence with Task Scheduler<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"444\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-1024x444.jpg\" alt=\"\" class=\"wp-image-10071\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-1024x444.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-300x130.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-768x333.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-370x160.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-270x117.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1-740x321.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image-1.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Script used by the malware<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The PowerShell script <a href=\"https:\/\/any.run\/cybersecurity-blog\/6-persistence-mechanisms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">establishes persistence<\/a> by creating a Windows Task Scheduler task that runs <strong>roox.vbs<\/strong> every two minutes. 
Here&#8217;s how it operates step by step:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Creating the scheduler object<\/strong>: the script initializes a Task Scheduler COM object and connects to the Task Scheduler service:\n<pre class=\"wp-block-code\"><code>$scheduler = New-Object -ComObject Schedule.Service\n$scheduler.Connect()<\/code><\/pre><\/li>\n<li><strong>Defining a new task<\/strong>: a new task definition is created, given a description, and enabled:\n<pre class=\"wp-block-code\"><code>$taskDefinition = $scheduler.NewTask(0)\n$taskDefinition.Settings.Enabled = $true<\/code><\/pre><\/li>\n<li><strong>Setting the trigger<\/strong>: a trigger is configured to fire every two minutes (PT2M is an ISO 8601 duration):\n<pre class=\"wp-block-code\"><code>$trigger.Repetition.Interval = \"PT2M\"<\/code><\/pre><\/li>\n<li><strong>Configuring the task action<\/strong>: the action points at the roox.vbs script:\n<pre class=\"wp-block-code\"><code>$action.Path = \"C:\\Users\\Public\\roox.vbs\"<\/code><\/pre><\/li>\n<li><strong>Registering the task<\/strong>: finally, the task is registered with the Task Scheduler, so it keeps firing on the two-minute schedule:\n<pre class=\"wp-block-code\"><code>$taskFolder.RegisterTaskDefinition()<\/code><\/pre><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Script Creation<\/h3>\n\n\n\n<p>The initial PowerShell script generates multiple scripts and writes them to the disk. 
This is achieved using the following command: [IO.File]::WriteAllText(&#8220;PATH&#8221;, CONTENT)&nbsp;<\/p>\n\n\n\n<p>The content of these scripts is initially stored in variables such as $Content.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"597\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-1024x597.jpg\" alt=\"\" class=\"wp-image-10072\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-1024x597.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-300x175.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-768x448.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-370x216.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-270x158.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-740x432.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Script execution shown in the ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Detailed Script Breakdown&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Roox.vbs script<\/strong>&nbsp;<\/h3>\n\n\n\n<p>This script runs every two minutes and acts as the starting point for executing the other scripts in the malware chain. 
Essentially, it serves as a link between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses successfully.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"700\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1024x700.jpg\" alt=\"\" class=\"wp-image-10073\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1024x700.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-300x205.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-768x525.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-370x253.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-270x185.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-740x506.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>VBS Script<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The roox.vbs script launches the next script in the chain, roox.bat, in a hidden window. This ensures that its execution remains invisible to the user, maintaining the stealth of the infection process.&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Error handling:<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>The command on error resume next suppresses error messages, allowing the script to continue execution even if exceptions occur. 
This ensures the script does not fail visibly during the process.&nbsp;<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>CreateWshShellObj function<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"243\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7.png\" alt=\"\" class=\"wp-image-10106\" style=\"width:480px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7.png 992w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7-300x73.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7-768x188.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7-370x91.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-7-740x181.png 740w\" sizes=\"(max-width: 992px) 100vw, 992px\" \/><\/figure><\/div>\n\n\n<p>This function creates a COM object named WScript.Shell. 
The object is used to execute commands and scripts, which are essential for launching the next stage in the infection chain.&nbsp;<\/p>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>GetFilePath function<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"240\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4.png\" alt=\"\" class=\"wp-image-10075\" style=\"width:476px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4.png 838w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4-768x220.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4-370x106.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4-270x77.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image9-4-740x212.png 740w\" sizes=\"(max-width: 838px) 100vw, 838px\" \/><\/figure><\/div>\n\n\n<p>This function retrieves the path to the next stage in the chain, specifically pointing to the BAT file roox.bat.&nbsp;<\/p>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>GetVisibilitySetting function<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"238\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-2.png\" alt=\"\" class=\"wp-image-10076\" style=\"width:414px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-2.png 759w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-2-300x94.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-2-370x116.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-2-270x85.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-2-740x232.png 740w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/figure><\/div>\n\n\n<p>Configures the visibility settings to ensure that roox.bat runs without displaying a window on the desktop. This stealthy execution minimizes the chances of detection by the user.&nbsp;<\/p>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>RunFile function<\/strong><\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"149\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-1024x149.png\" alt=\"\" class=\"wp-image-10077\" style=\"width:462px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-1024x149.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-300x44.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-768x111.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-370x54.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-270x39.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-740x107.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb.png 1041w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Executes a file at the specified path with the defined visibility settings. 
In this case, it launches roox.bat in hidden mode.&nbsp;<\/p>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><strong>Sequence of calls<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"967\" height=\"208\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec.png\" alt=\"\" class=\"wp-image-10078\" style=\"width:456px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec.png 967w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-768x165.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-370x80.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-270x58.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-740x159.png 740w\" sizes=\"(max-width: 967px) 100vw, 967px\" \/><\/figure><\/div>\n\n\n<p>The script executes the required functions in the following order to launch roox.bat:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creates the WScript.Shell object using CreateWshShellObj.&nbsp;<\/li>\n\n\n\n<li>Retrieves the path to roox.bat via GetFilePath.&nbsp;<\/li>\n\n\n\n<li>Configures the visibility mode to hidden (0) using GetVisibilitySetting.&nbsp;<\/li>\n\n\n\n<li>Executes roox.bat in hidden mode through the RunFile function.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">ROOX.BAT Script&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"230\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-1024x230.jpg\" alt=\"\" class=\"wp-image-10079\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-1024x230.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-300x67.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-768x172.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-370x83.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-270x61.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb-740x166.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imageb.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>BAT script<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This script runs roox.ps1 using PowerShell. It employs the following flags to enhance stealth and bypass security measures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-NoProfile<\/strong>: Prevents the loading of user-specific PowerShell profiles.<\/li>\n\n\n\n<li><strong>-WindowStyle Hidden<\/strong>: Hides the PowerShell window during execution, ensuring that the process remains invisible to the user.<\/li>\n\n\n\n<li><strong>-ExecutionPolicy Bypass<\/strong>: Overrides the Windows PowerShell execution policy, allowing the script to run regardless of the policy configured on the host.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">ROOX.PS1 Script<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"323\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-1024x323.jpg\" alt=\"\" class=\"wp-image-10081\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-1024x323.jpg 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-300x95.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-768x242.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-1536x484.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-370x117.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-270x85.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec-740x233.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagec.jpg 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>PowerShell script<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The roox.ps1 PowerShell script deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using .NET Reflection and RegSvcs.exe. The script employs simple obfuscation using the # character to make detection more challenging.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-201\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"201\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a 
class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%23&#x27;%7D,&#x27;&#x27;,true,false,true,false)\"  rel=\" nofollow \" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%23&#x27;%7D,&#x27;&#x27;,true,false,true,false)\" data-link-text=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%23&#x27;%7D,&#x27;&#x27;,true,false,true,false)\" data-link-target=\"true\" data-link-nofollow=\"true\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%23&#x27;%7D,&#x27;&#x27;,true,false,true,false)<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-201'>\ntable#wpdtSimpleTable-201{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-201 td, table.wpdtSimpleTable201 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The variables $RoXstring_lla and $Mordexstring_ojj store the main malicious payload in the form of HEX strings, with each byte separated by %&amp;% as a means of obfuscation.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-202\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"202\"\n           
data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%25%26%25&#x27;%7D,&#x27;&#x27;,true,false,true,false) \"  rel=\" nofollow \" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%25%26%25&#x27;%7D,&#x27;&#x27;,true,false,true,false) \" data-link-text=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%25%26%25&#x27;%7D,&#x27;&#x27;,true,false,true,false) \" data-link-target=\"true\" data-link-nofollow=\"true\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B&#x27;option&#x27;:&#x27;Regex&#x27;,&#x27;string&#x27;:&#x27;%25%26%25&#x27;%7D,&#x27;&#x27;,true,false,true,false) <\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-202'>\ntable#wpdtSimpleTable-202{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-202 td, table.wpdtSimpleTable202 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 
class=\"wp-block-heading\">Deobfuscation Process<\/h3>\n\n\n\n<p>The script uses the following commands to convert the obfuscated HEX strings into usable binary code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#091;Byte&#091;]] $NKbb = $Mordexstring_ojj -split '%&amp;%' | ForEach-Object { &#091;byte](&#091;convert]::ToInt32($_, 16)) }\n\n&#091;Byte&#091;]] $pe = $RoXstring_lla -split '%&amp;%' | ForEach-Object { &#091;byte](&#091;convert]::ToInt32($_, 16)) }<\/code><\/pre>\n\n\n\n<p>What these commands do:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Split the HEX strings<\/strong>: the -split operator breaks $Mordexstring_ojj and $RoXstring_lla into arrays of hex tokens, one per byte, using %&amp;% as the delimiter.<\/li>\n\n\n\n<li><strong>Convert HEX to bytes<\/strong>: each token is parsed as a base-16 integer and cast to a byte:\n<pre class=\"wp-block-code\"><code>ForEach-Object { &#091;byte](&#091;convert]::ToInt32($_, 16)) }<\/code><\/pre><\/li>\n\n\n\n<li><strong>Form byte arrays<\/strong>: the &#091;Byte&#091;]] cast collects the results into a byte array holding the binary code of the payload.<\/li>\n<\/ul>\n\n\n\n<p><strong>Deobfuscate using -replace<\/strong>:<br>Obfuscated commands are cleaned by removing # symbols with the -replace operator. 
For example, a string like L####o####a####d is transformed into Load.&nbsp;<\/p>\n\n\n\n<p><strong>Restore the method name<\/strong>:&nbsp;<br>The variable $Fu restores the method name [Reflection.Assembly]::Load, which is used to load a .NET assembly into memory.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"237\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-1024x237.jpg\" alt=\"\" class=\"wp-image-10084\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-1024x237.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-300x70.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-768x178.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-1536x356.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-370x86.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-270x63.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1-740x171.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-1.jpg 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Payload execution in memory<\/strong>: The script dynamically loads the NewPE2.PE type from the .NET assembly and calls its Execute method. The Execute method injects malicious code into a legitimate process, such as aspnet_compiler.exe. 
In this case, the target process is RegSvcs.exe.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"435\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-1024x435.jpg\" alt=\"\" class=\"wp-image-10085\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-1024x435.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-300x128.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-768x326.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-370x157.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-270x115.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7-740x315.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image7.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The initial variable $RoXstring_lla contains the injector for the .NET assembly NewPE2, which is responsible for loading the main payload into the process. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"970\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8.jpg\" alt=\"\" class=\"wp-image-10086\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8.jpg 972w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-300x300.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-150x150.jpg 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-768x766.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-70x70.jpg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-370x369.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-270x269.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image8-740x738.jpg 740w\" sizes=\"(max-width: 972px) 100vw, 972px\" \/><\/figure>\n\n\n\n<p>Within this assembly, the script locates the type NewPE2.PE and executes the Execute method. 
The latter is provided with parameters: the path and the malicious .NET assembly itself.&nbsp;<\/p>\n\n\n\n<p>Use the following query to search for more samples and threat data in <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-203\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"203\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                          
              <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=psloryama_analysis&amp;utm_term=271124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.vbs%255C%2522%2520and%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.bat%255C%2522%2520and%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.ps1%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=psloryama_analysis&amp;utm_term=271124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.vbs%255C%2522%2520and%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.bat%255C%2522%2520and%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.ps1%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot;C:\\\\Users\\\\Public\\\\*.vbs&quot; and commandLine:&quot;C:\\\\Users\\\\Public\\\\*.bat&quot; and commandLine:&quot;C:\\\\Users\\\\Public\\\\*.ps1&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;C:\\\\Users\\\\Public\\\\*.vbs&quot; and commandLine:&quot;C:\\\\Users\\\\Public\\\\*.bat&quot; and commandLine:&quot;C:\\\\Users\\\\Public\\\\*.ps1&quot;<\/a>                    <\/td>\n                                        
<\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-203'>\ntable#wpdtSimpleTable-203{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-203 td, table.wpdtSimpleTable203 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>PSLoramyra is a sophisticated fileless loader. It leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, evading traditional detection methods. Its infection chain begins with an initial PowerShell script that generates essential files and establishes persistence through Windows Task Scheduler. The malware&#8217;s stealthy execution and minimal system footprint make it a serious threat.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=psloramyra&amp;utm_term=271124&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=psloramyra&amp;utm_term=021224&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get 14-day free trial of ANY.RUN&#8217;s Interactive Sandbox \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Hashes&nbsp;<\/h3>\n\n\n\n<p>ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9&nbsp;<\/p>\n\n\n\n<p>9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e&nbsp;<\/p>\n\n\n\n<p>d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc&nbsp;<\/p>\n\n\n\n<p>Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb&nbsp;<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Files&nbsp;<\/h3>\n\n\n\n<p>C:\\Users\\Public\\roox.vbs&nbsp;<\/p>\n\n\n\n<p>C:\\Users\\Public\\roox.bat&nbsp;<\/p>\n\n\n\n<p>C:\\Users\\Public\\roox.ps1&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Domain&nbsp;<\/h3>\n\n\n\n<p>Ronymahmoud[.]casacam[.]net&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IP&nbsp;<\/h3>\n\n\n\n<p>3[.]145[.]156[.]44&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, ANY.RUN&#8216;s analyst team will explore a malicious loader known as PSLoramyra. This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access.&nbsp;&nbsp; Classified as a fileless loader, PSLoramyra bypasses traditional detection methods by loading its primary payload entirely [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":10095,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-10067","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>PSLoramyra: Technical Analysis of Fileless Malware Loader - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"See technical analysis PSLoramyra, an advanced malware that leverages PowerShell, VBS, and BAT scripts to execute directly in memory.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/\" \/>\n<meta 
name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"PSLoramyra: Technical Analysis of Fileless Malware Loader\",\"datePublished\":\"2024-11-27T11:09:20+00:00\",\"dateModified\":\"2025-07-17T11:00:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/\"},\"wordCount\":1477,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/\",\"name\":\"PSLoramyra: Technical Analysis of Fileless Malware Loader - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-11-27T11:09:20+00:00\",\"dateModified\":\"2025-07-17T11:00:59+00:00\",\"description\":\"See technical analysis PSLoramyra, an advanced malware that leverages PowerShell, VBS, and BAT scripts to execute directly in 
memory.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"PSLoramyra: Technical Analysis of Fileless Malware Loader\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PSLoramyra: Technical Analysis of Fileless Malware Loader - ANY.RUN&#039;s Cybersecurity Blog","description":"See technical analysis PSLoramyra, an advanced malware that leverages PowerShell, VBS, and BAT scripts to execute directly in memory.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"PSLoramyra: Technical Analysis of Fileless Malware Loader","datePublished":"2024-11-27T11:09:20+00:00","dateModified":"2025-07-17T11:00:59+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/"},"wordCount":1477,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/","name":"PSLoramyra: Technical Analysis of Fileless Malware Loader - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-11-27T11:09:20+00:00","dateModified":"2025-07-17T11:00:59+00:00","description":"See technical analysis PSLoramyra, an advanced malware that leverages PowerShell, VBS, and BAT scripts to execute directly in 
memory.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/psloramyra-malware-technical-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"PSLoramyra: Technical Analysis of Fileless Malware Loader"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10067"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=10067"}],"version-history":[{"count":22,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10067\/revisions"}],"predecessor-version":[{"id":10514,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10067\/revisions\/10514"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/10
095"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=10067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=10067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=10067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}