Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 10:20

General

  • Target

    513d393c4188ecea5e050a259a28f385d6e155772841cfd62698c1b3cf5aeadf.js

  • Size

    3.2MB

  • MD5

    071839cb9cb3d4e8abe9a7dcf3372ab3

  • SHA1

    1994584a026fd610d160c3e47575d4a2eef50d2a

  • SHA256

    513d393c4188ecea5e050a259a28f385d6e155772841cfd62698c1b3cf5aeadf

  • SHA512

    705485ca9ca9188a19cb37ed103e34107bf0edf7a1c76dd31ae75ea997fa95f0f3b397ccd1d652e311b37493d6c8a35115f2201f226eea2d30e265cd0c52ab5a

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request 21 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 20 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\513d393c4188ecea5e050a259a28f385d6e155772841cfd62698c1b3cf5aeadf.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\01000001.exe
      "C:\Users\Admin\AppData\Local\Temp\01000001.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1628

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            | Technique                          | ID    | Matching signatures
  ------------------|------------------------------------|-------|--------------------
  Persistence       | Registry Run Keys / Startup Folder | T1060 | 1
  Defense Evasion   | Modify Registry                    | T1112 | 1
  Credential Access | Credentials in Files               | T1081 | 3
  Discovery         | System Information Discovery       | T1082 | 1
  Collection        | Data from Local System             | T1005 | 3

Downloads

  • C:\Users\Admin\AppData\Local\Temp\01000001.exe
    MD5

    e86c33fd459476072f863ebe6fba2383

    SHA1

    ccd7c1abc38e3f4da01d7a618578038133bd35e6

    SHA256

    11f09f57a082875c33391b6a44fb87bf079de520e6e44b4f7130fc2589addaeb

    SHA512

    2f0a5dc71aebca2b5dc3431d39b4b788658d9d52fbd1bc839aee51d976a08d44def3f9d6c72eded95d573a1338bd68b7645e6d4b49c41e3cf54019dc81f1909f

  • memory/368-6-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp
    Filesize

    2.5MB

  • memory/1628-2-0x0000000000000000-mapping.dmp
  • memory/1628-5-0x00000000742C0000-0x00000000749AE000-memory.dmp
    Filesize

    6.9MB

  • memory/1628-7-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

  • memory/1628-8-0x0000000004C10000-0x0000000004C11000-memory.dmp
    Filesize

    4KB

  • memory/1628-9-0x0000000004C11000-0x0000000004C12000-memory.dmp
    Filesize

    4KB