agenttesla | 2cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6

General

Target

Product Pics.js
Size

691KB
MD5

4e242d24414292cd483040d98077d9c0
SHA1

eb905837358a70d81ef596465fad195c4057a015
SHA256

2cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6
SHA512

4578ba5e7139da61a38907a8908374ce49668d8199b756e694db300e20459084a60adee335bc30ac15a0f4b1038e01ccc49e83991a593eb564fc8d541aba8826

Score

10^/10

agenttesla vjw0rm collection keylogger persistence spyware stealer suricata trojan worm

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.leaf.arvixe.com
Port:
587
Username:
[email protected]
Password:
000000

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.leaf.arvixe.com
Port:
587
Username:
[email protected]
Password:
000000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata

Blocklisted process makes network request 31 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
6	1236	wscript.exe
9	1728	wscript.exe
11	1336	wscript.exe
15	1236	wscript.exe
16	1336	wscript.exe
18	1236	wscript.exe
20	1336	wscript.exe
25	1236	wscript.exe
26	1336	wscript.exe
29	1236	wscript.exe
30	1336	wscript.exe
32	1236	wscript.exe
34	1336	wscript.exe
39	1236	wscript.exe
40	1336	wscript.exe
42	1236	wscript.exe
44	1336	wscript.exe
47	1236	wscript.exe
50	1336	wscript.exe
52	1236	wscript.exe
53	1336	wscript.exe
55	1236	wscript.exe
57	1336	wscript.exe
60	1236	wscript.exe
61	1336	wscript.exe
65	1236	wscript.exe
66	1336	wscript.exe
70	1236	wscript.exe
72	1336	wscript.exe
73	1236	wscript.exe
75	1336	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

ORIPAYLOADER.exe

pid process

1760 ORIPAYLOADER.exe

pid	process
1760	ORIPAYLOADER.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Product Pics.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Product Pics.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js	wscript.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ORIPAYLOADER.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORIPAYLOADER.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORIPAYLOADER.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORIPAYLOADER.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CWVAxIEiro.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CWVAxIEiro.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ORIPAYLOADER.exe

pid process

1760 ORIPAYLOADER.exe
1760 ORIPAYLOADER.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ORIPAYLOADER.exe

description pid process

Token: SeDebugPrivilege 1760 ORIPAYLOADER.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ORIPAYLOADER.exe

pid process

1760 ORIPAYLOADER.exe

flow	ioc
8	ip-api.com

pid	process
1760	ORIPAYLOADER.exe
1760	ORIPAYLOADER.exe

description	pid	process
Token: SeDebugPrivilege	1760	ORIPAYLOADER.exe

pid	process
1760	ORIPAYLOADER.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1564 wrote to memory of 1236	1564	wscript.exe	wscript.exe
PID 1564 wrote to memory of 1236	1564	wscript.exe	wscript.exe
PID 1564 wrote to memory of 1236	1564	wscript.exe	wscript.exe
PID 1564 wrote to memory of 1728	1564	wscript.exe	wscript.exe
PID 1564 wrote to memory of 1728	1564	wscript.exe	wscript.exe
PID 1564 wrote to memory of 1728	1564	wscript.exe	wscript.exe
PID 1728 wrote to memory of 1336	1728	wscript.exe	wscript.exe
PID 1728 wrote to memory of 1336	1728	wscript.exe	wscript.exe
PID 1728 wrote to memory of 1336	1728	wscript.exe	wscript.exe
PID 1728 wrote to memory of 1760	1728	wscript.exe	ORIPAYLOADER.exe
PID 1728 wrote to memory of 1760	1728	wscript.exe	ORIPAYLOADER.exe
PID 1728 wrote to memory of 1760	1728	wscript.exe	ORIPAYLOADER.exe
PID 1728 wrote to memory of 1760	1728	wscript.exe	ORIPAYLOADER.exe

outlook_office_path 1 IoCs

Processes:

ORIPAYLOADER.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORIPAYLOADER.exe

outlook_win_path 1 IoCs

Processes:

ORIPAYLOADER.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORIPAYLOADER.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Product Pics.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CWVAxIEiro.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1236

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Product Pics.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CWVAxIEiro.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1336

C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exe
"C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CWVAxIEiro.js
Filesize
29KB

MD5
9e4865661dfeef56b34e67927e101678

SHA1
1df4763cc100f665394d12c8a6a3884ed2b8f20c

SHA256
205a826a0a736729d14fac1d6d4c388eeb5a62192bbfb01e84cb9ad91f180881

SHA512
bad583bd2d67bb7e93115fde98a20a3607d25e93019aae7564210e1d05c18ce68f0b66543eda184a5d7166a9d22af860aff71629ef5dccab9986ccbc17abb879

Download Submit
C:\Users\Admin\AppData\Roaming\CWVAxIEiro.js
Filesize
29KB

MD5
9e4865661dfeef56b34e67927e101678

SHA1
1df4763cc100f665394d12c8a6a3884ed2b8f20c

SHA256
205a826a0a736729d14fac1d6d4c388eeb5a62192bbfb01e84cb9ad91f180881

SHA512
bad583bd2d67bb7e93115fde98a20a3607d25e93019aae7564210e1d05c18ce68f0b66543eda184a5d7166a9d22af860aff71629ef5dccab9986ccbc17abb879

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js
Filesize
29KB

MD5
9e4865661dfeef56b34e67927e101678

SHA1
1df4763cc100f665394d12c8a6a3884ed2b8f20c

SHA256
205a826a0a736729d14fac1d6d4c388eeb5a62192bbfb01e84cb9ad91f180881

SHA512
bad583bd2d67bb7e93115fde98a20a3607d25e93019aae7564210e1d05c18ce68f0b66543eda184a5d7166a9d22af860aff71629ef5dccab9986ccbc17abb879

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Product Pics.js
Filesize
691KB

MD5
4e242d24414292cd483040d98077d9c0

SHA1
eb905837358a70d81ef596465fad195c4057a015

SHA256
2cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6

SHA512
4578ba5e7139da61a38907a8908374ce49668d8199b756e694db300e20459084a60adee335bc30ac15a0f4b1038e01ccc49e83991a593eb564fc8d541aba8826

Download Submit
C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exe
Filesize
209KB

MD5
c6d715ba404ae78085eb7caba3ad8118

SHA1
720e3ef336871278f87f6eb596147edc4f1e3c4b

SHA256
0f33ab5276f7ea785bb119795431a7be45e2ada3428ea1718d799cb654c2bdb2

SHA512
61612720aa252713ecdc86e665eaee223f747e602626bf140dceb34ae7e7c18d75cf123de881b36b56c190014513a40375bc8e5267d1c120cc6e8eb8039364e7

Download Submit
C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exe
Filesize
209KB

MD5
c6d715ba404ae78085eb7caba3ad8118

SHA1
720e3ef336871278f87f6eb596147edc4f1e3c4b

SHA256
0f33ab5276f7ea785bb119795431a7be45e2ada3428ea1718d799cb654c2bdb2

SHA512
61612720aa252713ecdc86e665eaee223f747e602626bf140dceb34ae7e7c18d75cf123de881b36b56c190014513a40375bc8e5267d1c120cc6e8eb8039364e7

Download Submit
C:\Users\Admin\AppData\Roaming\Product Pics.js
Filesize
691KB

MD5
4e242d24414292cd483040d98077d9c0

SHA1
eb905837358a70d81ef596465fad195c4057a015

SHA256
2cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6

SHA512
4578ba5e7139da61a38907a8908374ce49668d8199b756e694db300e20459084a60adee335bc30ac15a0f4b1038e01ccc49e83991a593eb564fc8d541aba8826

Download Submit
memory/1236-55-0x0000000000000000-mapping.dmp

Download
memory/1336-61-0x0000000000000000-mapping.dmp

Download
memory/1564-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1728-58-0x0000000000000000-mapping.dmp

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download
memory/1760-69-0x0000000000CE0000-0x0000000000D1A000-memory.dmp

Filesize
232KB

Download
memory/1760-70-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads