Overview

overview

10

Static

static

sample lis...842.js

windows7_x64

10

sample lis...842.js

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-06-2022 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample listings skptpdf0842.js

  • Size

    456KB

  • MD5

    c7e2d34c8e775bc3f982b02fee75dfe3

  • SHA1

    2244832b9f0f23c108237e62083874736c19cae4

  • SHA256

    43f03e4c89f5b041b57fd4c2e8a79295f59a700f18cbaffca5853e7c514c9809

  • SHA512

    b87293cac0ace72c522859455e1d495ab8c295b9c2743615530e6e3d1997a52bc4b70ce2662d6f4b96ec19112eeab25e0e770f61d715cdde61604943f4a4cb63

Score
10/10
agentteslavjw0rmcollectionkeyloggerpersistencespywarestealersuricatatrojanworm

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtpout.secureserver.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    talific123$

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • suricata: ET MALWARE AgentTesla Exfil Via SMTP

    suricata: ET MALWARE AgentTesla Exfil Via SMTP

    suricata
  • Blocklisted process makes network request 15 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\sample listings skptpdf0842.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xKiVqeKLaG.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2608
    • C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe
      "C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe
    Filesize

    210KB

    MD5

    477692680d4b8f9654974a3a5f0e2e99

    SHA1

    276c7d77d8e94574b43e8f36031c0381b0a839e8

    SHA256

    6e264be8b403141a521201dc0155ce5bca75e91d4da54f162aee955f8f5f0102

    SHA512

    6cf57f48f15a4ebf5b61e004680f88088db598de64601ee7f6e2e22db2043226a572c3fc26504e63cd1777c13a115602c005b408908e9d48258f03b588e05642

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe
    Filesize

    210KB

    MD5

    477692680d4b8f9654974a3a5f0e2e99

    SHA1

    276c7d77d8e94574b43e8f36031c0381b0a839e8

    SHA256

    6e264be8b403141a521201dc0155ce5bca75e91d4da54f162aee955f8f5f0102

    SHA512

    6cf57f48f15a4ebf5b61e004680f88088db598de64601ee7f6e2e22db2043226a572c3fc26504e63cd1777c13a115602c005b408908e9d48258f03b588e05642

    Download Submit
  • C:\Users\Admin\AppData\Roaming\xKiVqeKLaG.js
    Filesize

    28KB

    MD5

    4ea41872b7b6651444b138e32c83e985

    SHA1

    d4b2cb42fa5c7fab5783ff00bdd97438f8ec16d2

    SHA256

    b8e28ceb4998924d08c07c23787b4cd1fae87e6afc0737a2f87ee675322e64f4

    SHA512

    3d039f38ebc4d72ef1e26870ff8887b491334281e817016986c6e48e1edd5293ea9ea49d8bce21948c616ad17b3b8fe3eda4bda4f18aaebd77eccbf7d8171f48

    Download Submit
  • memory/2608-130-0x0000000000000000-mapping.dmp
    Download
  • memory/3236-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3236-135-0x0000000000290000-0x00000000002CA000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3236-136-0x0000000005310000-0x00000000058B4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3236-137-0x0000000004D60000-0x0000000004DFC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3236-138-0x0000000005270000-0x00000000052D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3236-139-0x0000000005FF0000-0x0000000006040000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3236-140-0x0000000006220000-0x00000000062B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3236-141-0x00000000061D0000-0x00000000061DA000-memory.dmp
    Filesize

    40KB

    Download