Overview

overview

10

Static

static

SbPbhXXaAe...ery.js

windows7_x64

10

SbPbhXXaAe...ery.js

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SbPbhXXaAe_ori40teleevery.js

  • Size

    386KB

  • MD5

    917298a0ef1125c31dfc7762135d9978

  • SHA1

    b6902cd75e83cae4ff2a3ce12f0314d364d5f481

  • SHA256

    173bf8f0a06a99b6ff4fd216a0be00b834aa4337828b91124da5d533e674fccf

  • SHA512

    b1ad86cd50f605ecd3bd7e9d99835dd97f64f16efa97b416e08c1c61d311874807951b7e8a887d76a1de197643a68b863fab5644010756abf384941786d3b9e1

Score
10/10
agentteslavjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\SbPbhXXaAe_ori40teleevery.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\siiOXfeLhL.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1112
    • C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe
      "C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:3068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe
    Filesize

    210KB

    MD5

    e0f80223a94ccf3f36aa16c48514f692

    SHA1

    73d3bffd145250ce91657c9d4f3f53ca97c716c0

    SHA256

    a56acb1d690ee4deccb5f33c846f767705d5b0a84b6ee0a77aea30c81aa9da67

    SHA512

    d5ab5e0cc0399ccc0be06eb8813e4a481d81cd4c222fc7f4553c6f3d1c4b0433a18244626600ab903842da4d6db40e2430c5dcc96ed381b7d4b7f28fd29d6ad5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe
    Filesize

    210KB

    MD5

    e0f80223a94ccf3f36aa16c48514f692

    SHA1

    73d3bffd145250ce91657c9d4f3f53ca97c716c0

    SHA256

    a56acb1d690ee4deccb5f33c846f767705d5b0a84b6ee0a77aea30c81aa9da67

    SHA512

    d5ab5e0cc0399ccc0be06eb8813e4a481d81cd4c222fc7f4553c6f3d1c4b0433a18244626600ab903842da4d6db40e2430c5dcc96ed381b7d4b7f28fd29d6ad5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\siiOXfeLhL.js
    Filesize

    5KB

    MD5

    4231696592e958293b751bd32c1a6beb

    SHA1

    648d61687cdc1c4b5cadda1df2fe643c31eb6f8b

    SHA256

    3e95f65cac8ca73735d5af5ebe667926639810e99c9478d9c50c24426c51084b

    SHA512

    1612f1654ed5c8a96470f96589f44a920dbee69468fa0bcd3135ed53beb3e3bfd92d845ab8c3f21253bc82eeca28af6f621e9833cdf2960dd8009b6bb2cdcafa

    Download Submit
  • memory/1112-130-0x0000000000000000-mapping.dmp
    Download
  • memory/3068-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3068-135-0x00000000004C0000-0x00000000004FA000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3068-136-0x00000000054B0000-0x0000000005A54000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3068-137-0x0000000004F00000-0x0000000004F9C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3068-138-0x0000000005BA0000-0x0000000005C06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3068-139-0x0000000006220000-0x0000000006270000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3068-140-0x0000000006980000-0x0000000006A12000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3068-141-0x0000000006900000-0x000000000690A000-memory.dmp
    Filesize

    40KB

    Download