Managed XDR

vtdl_1781772741_hw5g0zpj — malware analysis report

File info

Filename
vtdl_1781772741_hw5g0zpj
File type
news or mail, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
File size
1.8 MB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
92a40aa2c2c1b5fd10cc96bd06185982f79d9063
SHA256
2e22bc6ac184691ba75c26598e66a098714542cd839377bda687c4459b8516de
MD5
8eae90de07fc2940a29212a6463c7afc

Signatures

Initial Access

T1192 html_urls: HTML document downloads a file

Execution

T1059.007 bad_js: Suspicious Javascript file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of one or more attached files could not be verified
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
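The three T1497 sandbox-evasion signatures listed under Defense Evasion and again under Discovery describe the observed behaviour, not the check that fired. The following is an added example, not code from the report or from the Managed XDR engine: it replays those three heuristics over a constructed API-call trace. The trace layout, the Win32 API names chosen to stand for each signature (EnumPrintersW, GetComputerNameW, SetTimer) and the 60-second timer threshold are assumptions of the example.

```python
"""Added example (not part of the sandbox report): replay the three T1497
signatures above against a constructed API-call trace.  Trace format, API
names and the timer threshold are assumptions for illustration."""
import re
from collections import defaultdict

# Constructed API-call trace, one call per line: "<pid> <api>(<args>) -> <ret>".
SAMPLE_TRACE = """\
1234 GetComputerNameW(lpBuffer=0x1c0, nSize=16) -> 1
1234 EnumPrintersW(Flags=0x6, Level=2) -> 1
1234 EnumPrintersW(Flags=0x2, Level=2) -> 1
1234 SetTimer(hWnd=0x0, nIDEvent=1, uElapse=300000) -> 1
1234 WinHttpOpen(pszAgentW="Mozilla/5.0") -> 0x5a0
"""

CALL_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>\S+)$"
)

# Sleep-style evasion: a timer window at least this long (ms) is treated as
# waiting out the sandbox's analysis window.  The threshold is an assumption.
TIMER_THRESHOLD_MS = 60_000


def parse_trace(text):
    """Parse the constructed trace format into a list of call dicts."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append(m.groupdict())
    return calls


def timer_ms(args):
    """Extract the uElapse argument of a SetTimer call (0 if absent)."""
    m = re.search(r"uElapse=(\d+)", args)
    return int(m.group(1)) if m else 0


def evasion_hits(calls):
    """Map each signature name to the calls that would trigger it."""
    hits = defaultdict(list)
    for c in calls:
        api = c["api"]
        if api in ("EnumPrintersA", "EnumPrintersW"):
            hits["evasion_printers"].append(c)
        elif api in ("GetComputerNameA", "GetComputerNameW", "GetComputerNameExW"):
            hits["antivm_queries_computername"].append(c)
        elif api == "SetTimer" and timer_ms(c["args"]) >= TIMER_THRESHOLD_MS:
            hits["antisandbox_script_timer"].append(c)
    return dict(hits)


def triage(text):
    """Return {signature_name: hit_count} for a trace."""
    return {name: len(v) for name, v in evasion_hits(parse_trace(text)).items()}


def probable_sandbox_evasion(text):
    """Reading the computer name alone is common in benign software, so
    require a printer enumeration or a long timer before calling it evasion."""
    hits = evasion_hits(parse_trace(text))
    return "evasion_printers" in hits or "antisandbox_script_timer" in hits
```

Run triage(SAMPLE_TRACE) to see the per-signature counts; probable_sandbox_evasion applies the corroboration rule so that a lone GetComputerNameW call (the weakest of the three indicators) does not by itself mark a sample as evasive.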

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1102.003 references_github: Contains links to GitHub cloud services (potentially used for malicious payload delivery)

Other

static_pe_anomaly: The PE file structure contains anomalies
network_bind: Starts servers listening (listen address not recorded in the report)
process_crashed: One of the processes has failed
dotnet_suspicious_resources_names: Dotnet program has suspicious resources names
has_pdb: This executable file has a PDB path
dotnet_suspicious_module_name: Dotnet program has suspicious module name
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
message_box: Displays a message
error_drawtext: An error occurred while executing the file
dotnet_obfuscated: Dotnet program is potentially obfuscated
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
pe_overlay: PE file contains overlay
dotnet_suspicious_entrypoint: Dotnet program has suspicious entrypoint
dotnet_downloader_possible_network_problem: Dotnet program possibly has network problem
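The Signatures block above lists the same signature under several tactics (T1134 under Privilege Escalation and Defense Evasion, T1497 under Defense Evasion and Discovery) and carries one retired ATT&CK ID (T1192 Spearphishing Link, replaced by T1566.002 in ATT&CK v7). The following is an added example, not code from the report or from Managed XDR: it parses a report in this page's layout into a per-technique tactic mapping, normalises the retired ID, and checks a local file against the Hashes block. SAMPLE_REPORT is a constructed excerpt of this report and the helper names are the example's own.

```python
"""Added example (not part of the Managed XDR report): turn the Signatures
block of a report in the layout shown on this page into an ATT&CK mapping
and verify a local sample against the report's hashes.  SAMPLE_REPORT is a
constructed excerpt; the helper names are this example's own."""
import hashlib
import re

SAMPLE_REPORT = """\
Signatures

Initial Access

T1192 html_urls: HTML document downloads a file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

Other

network_bind: Starts servers listening at None
has_pdb: This executable file has a PDB path
"""

# ATT&CK IDs retired since the signature set was written:
# T1192 (Spearphishing Link) became T1566.002 in ATT&CK v7.
RETIRED_IDS = {"T1192": "T1566.002"}

# "<optional technique id> <signature_name>: <description>"
SIG_RE = re.compile(
    r"^(?:(?P<tid>T\d{4}(?:\.\d{3})?)\s+)?(?P<name>[a-z0-9_]+):\s*(?P<desc>.+)$"
)


def parse_signatures(text):
    """Return {signature_name: {"technique", "tactics", "description"}}.

    A signature listed under several tactics is one behaviour, so entries
    are keyed by name and the tactics accumulate.  Rows in "Other" have no
    technique ID and are kept with technique None.
    """
    sigs = {}
    tactic = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Signatures":
            in_block = True
            continue
        if not in_block:
            continue
        m = SIG_RE.match(line)
        if m is None:  # a tactic heading such as "Defense Evasion"
            tactic = line
            continue
        tid = RETIRED_IDS.get(m["tid"], m["tid"])
        entry = sigs.setdefault(
            m["name"], {"technique": tid, "tactics": set(), "description": m["desc"]}
        )
        entry["tactics"].add(tactic)
    return sigs


def technique_tactics(sigs):
    """Collapse to {technique_id: sorted tactic list}; untagged rows are dropped."""
    out = {}
    for s in sigs.values():
        if s["technique"]:
            out.setdefault(s["technique"], set()).update(s["tactics"])
    return {tid: sorted(t) for tid, t in out.items()}


def verify_hashes(data, expected):
    """Compare a local file's digests with the report's Hashes block."""
    algos = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
    return {
        name: algos[name](data).hexdigest() == value.lower()
        for name, value in expected.items()
    }
```

To use it on the real report, pass the page text to parse_signatures and the sample bytes together with the three values from the Hashes block to verify_hashes; a False for any algorithm means the file on disk is not the one this report describes and the verdict must not be reused for it.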