Overview

overview

10

Static

static

Scan docs.js

windows7_x64

10

Scan docs.js

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-06-2022 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan docs.js

  • Size

    695KB

  • MD5

    891dc2bbf1be950a27098486168919b5

  • SHA1

    1528b59f9783c8f9e58b5f0f8f6090cbfcf864a0

  • SHA256

    da1e26831c4ee7c90829f22362c3127b05816318a151bee3a9b7a8cb9ddce39f

  • SHA512

    93e602f9925d6ae35c2edeb4b9edd88bd6c7e3d7d885a536f117a3eaadf866f5fce9ee5b528624c4db9450dd3f49cf97171ff05cbe37a15aec5603349dfb0ff6

Score
10/10
agentteslavjw0rmcollectionkeyloggerpersistencespywarestealersuricatatrojanworm

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.freighttrainfleet.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    9b52731M*

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.freighttrainfleet.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    9b52731M*

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • suricata: ET MALWARE AgentTesla Exfil Via SMTP

    suricata: ET MALWARE AgentTesla Exfil Via SMTP

    suricata
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scan docs.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GQGruPODld.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:848
    • C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe
      "C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1236

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe
    Filesize

    209KB

    MD5

    511f723efd20136c1bf50e4c28d7894b

    SHA1

    b01840d6fba0e8842f4dcc5077d577a2082f65ca

    SHA256

    639be5d755e8d6783e0e959d782901e0513f1c6663515bd7246e4f5c7f7786db

    SHA512

    5518a071575eee72680e50d9331d13acb200da8154bd8739f111ee33a9192358fef6b51e6645a6df3ee6d94ef1af5ef7767b29474aa2b9153f78d2c421ac4546

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe
    Filesize

    209KB

    MD5

    511f723efd20136c1bf50e4c28d7894b

    SHA1

    b01840d6fba0e8842f4dcc5077d577a2082f65ca

    SHA256

    639be5d755e8d6783e0e959d782901e0513f1c6663515bd7246e4f5c7f7786db

    SHA512

    5518a071575eee72680e50d9331d13acb200da8154bd8739f111ee33a9192358fef6b51e6645a6df3ee6d94ef1af5ef7767b29474aa2b9153f78d2c421ac4546

    Download Submit
  • C:\Users\Admin\AppData\Roaming\GQGruPODld.js
    Filesize

    117KB

    MD5

    27327ec3f126ff5a0fbe91a4d697e0ea

    SHA1

    189db856bfb734d30f12335682dd5fc775949b8f

    SHA256

    aab53233a4cbe4f4cd4b24caa118862115ccb3a4faec1b31fff9b87f7380fab1

    SHA512

    e7e37cabecfc3e14929d8371579b5c121bbbd01c17d43c9902f52facd06bf38087d69f651722ed6eafde46db3123fd5032f16e5156bcb4f87c33df04186fbf1e

    Download Submit
  • memory/848-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1236-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1236-61-0x0000000001140000-0x000000000117A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1236-62-0x0000000076461000-0x0000000076463000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1652-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
    Filesize

    8KB

    Download