Overview

overview

10

Static

static

9b0b93c3f2...90f.js

windows7-x64

10

9b0b93c3f2...90f.js

windows10-2004-x64

10

Analysis

  • max time kernel
    203s
  • max time network
    209s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b0b93c3f2b8fee5d774436447b4990f.js

  • Size

    37KB

  • MD5

    aa015cde14808315df0e50fc98fa8ca1

  • SHA1

    499fd482cd7bad8d905564983f07e7ae822ea189

  • SHA256

    75c5452fe55b5b42e88f7e22cf3d54665f639f721b55dbafa78b43c644f1b598

  • SHA512

    08af4131b97d2177723bbc23981286f6f22e780db6d6f0e8894048fc971eb3cee3109b1daebe31107c2119d48ba0423625e6fbce180e6b9bc1fecdc56bba6278

  • SSDEEP

    768:NDVC12hDVX/opI7vr3t+borH2OAH1XJLYlCH56v+1KnLmVk:dVCUhRWI7vjtsorWOAH1XJsCH56vwmLz

Score
10/10
agentteslavjw0rmwshratcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5196374398:AAFia6uLKkD-Wc5-qWTKCU_kRGlxKrfZgpE/

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Extracted

Family

vjw0rm

C2

http://45.139.105.174:7575

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 44 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 11 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 27 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\9b0b93c3f2b8fee5d774436447b4990f.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uLXRQKOPod.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:468
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\9b0b93c3f2b8fee5d774436447b4990f.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uLXRQKOPod.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1624
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\LZURDX~1.JS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ABjiMOejwE.js"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          PID:1796
        • C:\Users\Admin\AppData\Local\Temp\originn.exe
          "C:\Users\Admin\AppData\Local\Temp\originn.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:1616
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\wamafa.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1708
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\LZURDX~1.JS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ABjiMOejwE.js"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\originn.exe
    Filesize

    218KB

    MD5

    a82205bc5045698abee18cb9fd9bd3ab

    SHA1

    bfca05a5922518e408b5672c03d606e9f418c5a5

    SHA256

    46daff98e524432863b025426a9271f5e9a7f2df0e0b7e9246bb407e3521f5a2

    SHA512

    789a6c908ec671af3cbd2f4474e30f0df4e2523f3db0bc7f6119a17879fe2e8614d475e6d093c9094f2d88c985559c58cf8cbe836f53141153cc0fe5d5807e7b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\originn.exe
    Filesize

    218KB

    MD5

    a82205bc5045698abee18cb9fd9bd3ab

    SHA1

    bfca05a5922518e408b5672c03d606e9f418c5a5

    SHA256

    46daff98e524432863b025426a9271f5e9a7f2df0e0b7e9246bb407e3521f5a2

    SHA512

    789a6c908ec671af3cbd2f4474e30f0df4e2523f3db0bc7f6119a17879fe2e8614d475e6d093c9094f2d88c985559c58cf8cbe836f53141153cc0fe5d5807e7b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\9b0b93c3f2b8fee5d774436447b4990f.js
    Filesize

    37KB

    MD5

    aa015cde14808315df0e50fc98fa8ca1

    SHA1

    499fd482cd7bad8d905564983f07e7ae822ea189

    SHA256

    75c5452fe55b5b42e88f7e22cf3d54665f639f721b55dbafa78b43c644f1b598

    SHA512

    08af4131b97d2177723bbc23981286f6f22e780db6d6f0e8894048fc971eb3cee3109b1daebe31107c2119d48ba0423625e6fbce180e6b9bc1fecdc56bba6278

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ABjiMOejwE.js
    Filesize

    5KB

    MD5

    942528fb942a1c7618904d06c736b0df

    SHA1

    3aac0579530eb3ca335ee947ec593e2e1eb18e24

    SHA256

    df961e75c9905fffc226bcabf4fbca090660680710610f4696d102d352078992

    SHA512

    6388302596f3c5fdd1ab85e07a34907328c21440541b870f351b3f1f381a23d6276a4950ae309810bf532e398dc3c450dc6212301cdd7e2efc0b944c41ba28d1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ABjiMOejwE.js
    Filesize

    5KB

    MD5

    942528fb942a1c7618904d06c736b0df

    SHA1

    3aac0579530eb3ca335ee947ec593e2e1eb18e24

    SHA256

    df961e75c9905fffc226bcabf4fbca090660680710610f4696d102d352078992

    SHA512

    6388302596f3c5fdd1ab85e07a34907328c21440541b870f351b3f1f381a23d6276a4950ae309810bf532e398dc3c450dc6212301cdd7e2efc0b944c41ba28d1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\LZURDX~1.JS
    Filesize

    399KB

    MD5

    0ba58a6dab7819f1885c4a6379dc8c8c

    SHA1

    277dc39d693403efdf8e4374cfbd15480e6da3da

    SHA256

    8ea7e9a5eb1baf49cc22c45b82bdec95186ad7c37d58eb71d5bccaba737e00ca

    SHA512

    e9ad76884c0d284ff5791061ef3bb959389587bf0dcdff63945dbc869f862a9ff969b6a3fe3b8223fb164bb548bb82347e8d73bed919c81a0fc3c5b3288f53d2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\LZURDX~1.JS
    Filesize

    399KB

    MD5

    0ba58a6dab7819f1885c4a6379dc8c8c

    SHA1

    277dc39d693403efdf8e4374cfbd15480e6da3da

    SHA256

    8ea7e9a5eb1baf49cc22c45b82bdec95186ad7c37d58eb71d5bccaba737e00ca

    SHA512

    e9ad76884c0d284ff5791061ef3bb959389587bf0dcdff63945dbc869f862a9ff969b6a3fe3b8223fb164bb548bb82347e8d73bed919c81a0fc3c5b3288f53d2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9b0b93c3f2b8fee5d774436447b4990f.js
    Filesize

    37KB

    MD5

    aa015cde14808315df0e50fc98fa8ca1

    SHA1

    499fd482cd7bad8d905564983f07e7ae822ea189

    SHA256

    75c5452fe55b5b42e88f7e22cf3d54665f639f721b55dbafa78b43c644f1b598

    SHA512

    08af4131b97d2177723bbc23981286f6f22e780db6d6f0e8894048fc971eb3cee3109b1daebe31107c2119d48ba0423625e6fbce180e6b9bc1fecdc56bba6278

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABjiMOejwE.js
    Filesize

    5KB

    MD5

    942528fb942a1c7618904d06c736b0df

    SHA1

    3aac0579530eb3ca335ee947ec593e2e1eb18e24

    SHA256

    df961e75c9905fffc226bcabf4fbca090660680710610f4696d102d352078992

    SHA512

    6388302596f3c5fdd1ab85e07a34907328c21440541b870f351b3f1f381a23d6276a4950ae309810bf532e398dc3c450dc6212301cdd7e2efc0b944c41ba28d1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uLXRQKOPod.js
    Filesize

    5KB

    MD5

    4698d3d1682a4213ae3149ee009ca463

    SHA1

    c20830759b6f631fc774ee9f73df12de7e8269b2

    SHA256

    51143eeaa698bb5361d1b6759df8fd884f874d2058ee8da0b71e37231fe99b84

    SHA512

    32b0fc0e5687fa02e5f6e910fa469b62b360d063ff35511e512079d37ef64e4e7cbf7f28a53003c8b6be7ab4629424a62e1fb7d1e6b91e29d606499be07e9336

    Download Submit
  • C:\Users\Admin\AppData\Roaming\uLXRQKOPod.js
    Filesize

    5KB

    MD5

    4698d3d1682a4213ae3149ee009ca463

    SHA1

    c20830759b6f631fc774ee9f73df12de7e8269b2

    SHA256

    51143eeaa698bb5361d1b6759df8fd884f874d2058ee8da0b71e37231fe99b84

    SHA512

    32b0fc0e5687fa02e5f6e910fa469b62b360d063ff35511e512079d37ef64e4e7cbf7f28a53003c8b6be7ab4629424a62e1fb7d1e6b91e29d606499be07e9336

    Download Submit
  • C:\Users\Admin\AppData\Roaming\uLXRQKOPod.js
    Filesize

    5KB

    MD5

    4698d3d1682a4213ae3149ee009ca463

    SHA1

    c20830759b6f631fc774ee9f73df12de7e8269b2

    SHA256

    51143eeaa698bb5361d1b6759df8fd884f874d2058ee8da0b71e37231fe99b84

    SHA512

    32b0fc0e5687fa02e5f6e910fa469b62b360d063ff35511e512079d37ef64e4e7cbf7f28a53003c8b6be7ab4629424a62e1fb7d1e6b91e29d606499be07e9336

    Download Submit
  • C:\Users\Admin\AppData\Roaming\wamafa.js
    Filesize

    5KB

    MD5

    5edd1cc5d54ee31317b857ebe6e7b4d3

    SHA1

    1e1fee969e9092f7a9769c20de8ae4943c227161

    SHA256

    1f2ccddc4d9634a8faf78f3c0df6e926cd8f145e21738f35f07b67abfc4c8eb8

    SHA512

    216ed3e514ef0562a5cb41eb3a3ca270b265bb5fb06fc3f08c105c90293364c9ba8801fe314e83cec7a0757b2fbf0d06dd84ec16879502b3005d32177a6cac9d

    Download Submit
  • memory/468-55-0x0000000000000000-mapping.dmp
    Download
  • memory/552-83-0x0000000000000000-mapping.dmp
    Download
  • memory/576-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1112-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1616-75-0x0000000000320000-0x000000000035C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1616-76-0x0000000076531000-0x0000000076533000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1708-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1736-54-0x000007FEFC071000-0x000007FEFC073000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-66-0x0000000000000000-mapping.dmp
    Download