Overview

overview

10

Static

static

Documents ...sal.js

windows7_x64

10

Documents ...sal.js

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-06-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents for your perusal.js

  • Size

    1.0MB

  • MD5

    377613bfa2aa0b0143caeadf2fcad9fb

  • SHA1

    c6ca17a49b21e31c43e7b0ab99e8fc40abe6f6dd

  • SHA256

    8e489340e5a0c5c56cfda0312f390e8479693264ce0efd9a8f82ac2acc5435b8

  • SHA512

    cd5483d6c8c6690872664294cfb6da2a49655a9a2cbcef4d5ba52e6ac0669f8cbb0dfea0c64d79603cd1488b4ecb17d95e57a7e63bde27747f397b53450a1dff

Score
10/10
agentteslavjw0rmcollectionkeyloggerpersistencespywarestealersuricatatrojanworm

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    zincox
  • Password:
    computer@1010

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://files.000webhost.com/
  • Port:
    21
  • Username:
    zincox
  • Password:
    computer@1010

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • suricata: ET MALWARE AgentTesla Exfil via FTP

    suricata: ET MALWARE AgentTesla Exfil via FTP

    suricata
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3148
    • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
      "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GSQqDpox.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GSQqDpox" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC50.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2564
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
    Filesize

    560KB

    MD5

    4989aa262692c6fb07e54bcf44562006

    SHA1

    bf8e5f166b79970aad7c02cca15bdcd6f85f7b91

    SHA256

    f0e00d31613cbf13877cafef94e42fe96e68ab53637f7e4094466d59e6332a3f

    SHA512

    1daa2bd724ee9cd0d19fbab17220fcc806e3618291fd5bf1a28c95d1ae60156c63305c5c8d40a8177aa77dcc09b45921ff356f1e78058a97b5d68cdb8527477b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
    Filesize

    560KB

    MD5

    4989aa262692c6fb07e54bcf44562006

    SHA1

    bf8e5f166b79970aad7c02cca15bdcd6f85f7b91

    SHA256

    f0e00d31613cbf13877cafef94e42fe96e68ab53637f7e4094466d59e6332a3f

    SHA512

    1daa2bd724ee9cd0d19fbab17220fcc806e3618291fd5bf1a28c95d1ae60156c63305c5c8d40a8177aa77dcc09b45921ff356f1e78058a97b5d68cdb8527477b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpBC50.tmp
    Filesize

    1KB

    MD5

    4b080ba37cbdd94d309dea28c93d27de

    SHA1

    f6aac0409fd2f0fe3213b186164733406b7d8e1d

    SHA256

    c515b1139c2234a223149dc411d96d6c915b0a243134074bde9462ba9bcf3b79

    SHA512

    1b8770c46ef64ee1ba73c7707537230df12f132474b11080dc469d06fa70d0b4b519cd89712703e15cd9817c5b8f03702a8d5ae87b433820cb9251241b04e219

    Download Submit
  • C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js
    Filesize

    17KB

    MD5

    c0d73991959cc38cfc5195de55e5af8c

    SHA1

    4c79913f301dad503145cc20805da17d1cd310dd

    SHA256

    5743caf8ba2a38a2afc04e50bfbc58d088b8eff958ff8178d9c29bc158105292

    SHA512

    aca10c9808cf704446666c1326bd7789c32f61fb9d4f8b0fb743b720bc0f99f8a4c743246bc27acc73785aa7c3e907673ba2f3da9d5643089e3764ab5d2c8da4

    Download Submit
  • memory/1372-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1372-161-0x00000000076E0000-0x00000000076E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1372-159-0x00000000075F0000-0x00000000075FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1372-157-0x0000000007640000-0x00000000076D6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1372-156-0x0000000007430000-0x000000000743A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1372-155-0x00000000073C0000-0x00000000073DA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1372-151-0x0000000006670000-0x00000000066A2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1372-154-0x0000000007A00000-0x000000000807A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1372-142-0x0000000002780000-0x00000000027B6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1372-160-0x0000000007700000-0x000000000771A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1372-144-0x0000000005440000-0x0000000005A68000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1372-153-0x0000000006650000-0x000000000666E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1372-152-0x00000000709A0000-0x00000000709EC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1372-147-0x0000000005000000-0x0000000005022000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1372-148-0x00000000053A0000-0x0000000005406000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1372-149-0x0000000005AE0000-0x0000000005B46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1372-150-0x00000000060C0000-0x00000000060DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2332-138-0x0000000005320000-0x000000000532A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2332-139-0x0000000007850000-0x00000000078EC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2332-137-0x0000000005390000-0x0000000005422000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2332-136-0x00000000058A0000-0x0000000005E44000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2332-135-0x00000000008E0000-0x0000000000972000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2332-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2564-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2900-146-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/2900-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2900-158-0x0000000006CD0000-0x0000000006D20000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3148-130-0x0000000000000000-mapping.dmp
    Download