CMDPSDropper

CMD-to-PowerShell dropper. The .cmd script uses junk-string obfuscation built around the string "Rgqvr", contacts the vrstem.io C2 over HTTPS, launches PowerShell in a minimized window, and carries a large base64-encoded, encrypted PowerShell payload embedded in the script. The Invoke-Expression call is assembled at run time through string replacement, a common way of keeping the cmdlet name out of the script text.
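As an added example (not code from the original page or from the report it links), the following Python helper performs the static steps an analyst would take on a dropper of this kind: strip the junk-variable references, statically resolve the .Replace() chain that assembles Invoke-Expression, flag the minimized/hidden PowerShell launch, and peel the base64 layer off the embedded blob. The real layout of lods.cmd is not reproduced; the sample script is constructed, and the assumptions (that "Rgqvr" is the name of an unset environment variable referenced as %Rgqvr%, that the launch uses start /min and -WindowStyle Hidden, and that Invoke-Expression is built with a .Replace() call) are labelled in the code.

```python
import base64
import re

# ASSUMPTION: the junk string is the name of an unset environment variable,
# referenced as %Rgqvr% inside commands. cmd expands an unset variable to
# nothing, so the references vanish at execution time but break up keywords
# for static scanners. The real lods.cmd layout is not known to this example.
JUNK_VAR = "Rgqvr"

# Constructed sample, NOT the real lods.cmd. The embedded "payload" is a
# harmless marker string so that the decode step has something to show.
STAGE2 = b"Write-Host 'constructed stage-two marker'"
PAYLOAD_B64 = base64.b64encode(STAGE2).decode()
SAMPLE_CMD = (
    "@echo off\r\n"
    'set "Rgqvr="\r\n'
    'sta%Rgqvr%rt /min "" p%Rgqvr%ow%Rgqvr%er%Rgqvr%shell '
    "-w%Rgqvr%indowstyle hidden -nop -c "
    "\"$i='InvokeXExpression'.Replace('X','-'); "
    "$b='" + PAYLOAD_B64 + "'; "
    "& $i ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))\"\r\n"
)

# 'literal'.Replace('a','b').Replace('c','d') ... chains on a quoted string.
REPLACE_CHAIN = re.compile(r"'([^']*)'((?:\.Replace\('[^']*',\s*'[^']*'\))+)", re.I)
REPLACE_CALL = re.compile(r"\.Replace\('([^']*)',\s*'([^']*)'\)", re.I)
# Long runs of base64 alphabet; 32 is an arbitrary floor to skip ordinary words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def strip_junk(text, junk_var=JUNK_VAR):
    """Remove every %junk_var% reference and return (clean_text, count)."""
    return re.subn(re.escape(f"%{junk_var}%"), "", text, flags=re.I)


def resolve_replace_chains(text):
    """Statically evaluate 'literal'.Replace(...) chains, i.e. recover the
    string the dropper builds instead of writing Invoke-Expression out."""
    out = []
    for m in REPLACE_CHAIN.finditer(text):
        value = m.group(1)
        for old, new in REPLACE_CALL.findall(m.group(2)):
            value = value.replace(old, new)  # .NET String.Replace is case-sensitive
        out.append(value)
    return out


def extract_base64(text):
    """Return (token, decoded_bytes) for every long base64 run that decodes
    cleanly. This only peels the base64 layer; if the blob is additionally
    encrypted, the key material has to be recovered from the script itself."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:
            found.append((tok, base64.b64decode(tok, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return found


def analyze(cmd_text, junk_var=JUNK_VAR):
    """Run all static checks and return a summary dict."""
    clean, removed = strip_junk(cmd_text, junk_var)
    low = clean.lower()
    resolved = resolve_replace_chains(clean)
    iex = (
        any("invoke-expression" in s.lower() for s in resolved)
        or re.search(r"invoke-expression|\biex\b", low) is not None
    )
    return {
        "clean": clean,
        "junk_refs_removed": removed,
        "start_min": re.search(r"\bstart\s+/min\b", low) is not None,
        "windowstyle_hidden": re.search(r"-w(?:indowstyle)?\s+hidden", low) is not None,
        "replace_resolved": resolved,
        "invoke_expression": iex,
        "payloads": [data for _, data in extract_base64(clean)],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CMD)
    for key, val in report.items():
        if key != "clean":
            print(f"{key}: {val}")
    print("--- deobfuscated ---")
    print(report["clean"])
```

When applying this to a real sample, set JUNK_VAR to whatever variable name the script actually references and compare the decoded blob with the original: a decoded result that is still high-entropy means the base64 layer wrapped a further cipher, which is consistent with the "encrypted" payload described on this page, and the decryption routine (and its key) must then be located in the PowerShell stage.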

Threat Profile
Type: Loader
Programming Language: CMD/PowerShell
C2 Protocol: HTTPS
First Seen: 2024
Targets: Global
Purpose / Capabilities
  • Dropper/Downloader

C2 Servers (1)

Address     Port  Protocol  Status
vrstem.io   443   HTTPS     INACTIVE

⚠ C2 addresses are shared solely for threat intelligence and defensive purposes. Unauthorized access to these addresses constitutes a criminal offense.

Research Reports (1)

Severity: High

CMDPSDropper lods.cmd -- vrstem.io C2 download server, Rgqvr junk-string CMD obfuscation technique, WindowsPowerShell minimized hidden launch, large base64-encrypted PS payload embedded | High

CMDPSDropper lods.cmd, ZIP, 201 KB. vrstem.io C2. Rgqvr junk-string CMD obfuscation. WindowsPowerShell launched minimized and hidden. Large base64-encrypted PS payload embedded.