Managed XDR

vtdl_1761725248_gc45v0xx — malware analysis report

File info

Filename: vtdl_1761725248_gc45v0xx
File type: SMTP mail, ASCII text
File size: 128.4 KB
First seen: 2025-10-29 08:11
Last seen: 2025-10-29 08:11

Environment

w10/x86 en

Hashes

SHA1: daee39389d43c7a92a706d4dce5105738cecfbec
SHA256: f00be29a8e00d6fa6f904a4b40ddf4bb71f2618cda8529d1e8f8719c8ff3e1cc
MD5: 41a5e295be8e24967d85ffae961155b6

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059 powershell_cmd_longcommandline: Suspiciously long commandline

T1059.005 bad_vbs: Suspicious VBScript file

T1059.001 suspicious_process: Spawns a suspicious process

T1059.003 suspicious_process: Spawns a suspicious process

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

T1059.003 executes_dropped_cmd: Executes dropped batch files

T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie

T1027.004 compiles_code: Compiles C# code

T1497 debugs_self: Creates a process and debugs it

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1027 many_env_vars: An extensive number of environment variables has been created (possible sign of obfuscation)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Discovery

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie

T1497 debugs_self: Creates a process and debugs it

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

creates_exe: Creates executable files in the file system

ip_domains: Identifies an IP address using external resources

process_crashed: One of the processes has failed

unexpected_exception: Unexpected exception

network_powershell: Powershell process network connection detected

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

suricata_alert: Malicious traffic detected

Managed XDR