Summary by MalvaGPT
Characteristics
MD5: b07f16a3b524017d20d360823c09b956
SHA1: f680fbbf487f61c9bd231e48f83a9e1c092ceb6a
SHA256: 4e5b2ae91379b8069c04c6639bb0bca5ddea0dde567bea8cb9bc9822b9cdda0d
SHA384: 9010953b26f91d9e96abf654e4f4c5e68474a177af6352ccfa9dfe573cf11165cace814c79df1bd9f8214933960847a9
SHA512: 35478fef67de169e32d7daffa3ae12a92b44d0953bf4607382816756bdd7d15ba42fb55afcc9b08d2bc01de1132a3a07f37ac7a82ccdcb9861ad1b6842d771d5
SSDeep: 24576:iw+tSVHEX47Z8E/X0xZ0Id+7IsJSa/aqGK1CIOJC1+0sPiB4HM:n+ekXkQvPd+3JS1+1CQpbB4s
TLSH: BF3523C1314084D7FFF395791867CF9BD4A49D5086B4A34B03E13B8AA4F28D7BB2A625

PEiD: Microsoft Visual C++ v6.0 DLL
File Structure
[NSIS Installer] @ #0000D808
Malicious
file1_info.json
32jP3efCND0U.part-jadoo
HANRUPqDbLSV.part-jadoo
VB7Xlik3Suo2.part-jadoo
xWPo0kFlBgZO.part-jadoo
[SETUP_DECOMPILED.NSI]
Overlay_07fdfc8a.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.ndata
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
ID:0002
ID:1033
ID:0003
ID:1033
ID:1033-preview.png
ID:0004
ID:1033
RT_DIALOG
ID:0069
ID:1033
ID:006A
ID:1033
ID:006F
ID:1033
RT_GROUP_CURSOR4
ID:0067
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Information
Info: PE Detect: PeReader OK (file layout)
Info: Overlay extracted: Overlay_07fdfc8a.bin (1044745 bytes)

Artefacts
Deobfuscated PowerShell: [Unmanaged(ErrorExpressionAst)] " psCmd = psCmd & "-NoLogo -noprofile -NonInteractive -Command " psCmd = psCmd & "" & try { $ErrorActionPreference = "SilentlyContinue" psCmd = psCmd & psScript psCmd = psCmd & psCmd = psCmd & psScript psCmd = psCmd & } catch { } "" WshShell.Run psCmd, 0, False Set FSO = Nothing Set WshShell = Nothing WScript.Quit"
Deobfuscated PowerShell: " var_9 = " powershell -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command " var_9 = " "powershell" -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit
Deobfuscated PowerShell: [Unmanaged(ErrorExpressionAst)] "Bypass" -WindowStyle [Unmanaged(ErrorExpressionAst)] "Hidden" -NoLogo -noprofile -NonInteractive -Command " var_9 = " "powershell" -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit
Deobfuscated PowerShell: "" try { $ErrorActionPreference = "SilentlyContinue" & var_8 var_9 = var_9 & & var_8 var_9 = var_9 & } catch { } "" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit"
PE Layout: MemoryMapped (process dump suspected)
Deobfuscated PowerShell: " var_9 = " powershell -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit
Deobfuscated PowerShell: [Unmanaged(ErrorExpressionAst)] "Bypass" -WindowStyle [Unmanaged(ErrorExpressionAst)] "Hidden" -NoLogo -noprofile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit
Deobfuscated PowerShell: "" [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit
Deobfuscated PowerShell: & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '

b07f16a3b524017d20d360823c09b956 (1.1 MB)