agenttesla | e8d22feb82ab660c59ade0376cac6cfa39e089d4386c503282ec06e5e15e7659

General

Target

Bank Details.js
Size

374KB
MD5

7c5e8174cdba01f663d435d1ea9d3c41
SHA1

5b362009da4f9786b257651864c62f814d1825ed
SHA256

e8d22feb82ab660c59ade0376cac6cfa39e089d4386c503282ec06e5e15e7659
SHA512

56a291c7f08bf2c95695a48567a07feb6f8d8cca9266fc6d9d259dd2e1440bf26a987ffb3b84770402dca80e07d0899334f99daad03e724774b401cc76350835
SSDEEP

6144:Nw/VyURyDDckawASdoFoYbwXiC4gJMYSDnc3erU5B7LGfMzT:iy4xA4gJNSvgmfMP

Score

10^/10

agenttesla vjw0rm collection keylogger spyware stealer trojan worm

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5752794370:AAGHbBIUSUvwQW5dpdi3bNZyPbHwpEPD5r0/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	1496	wscript.exe
10	1496	wscript.exe
11	1496	wscript.exe
13	1496	wscript.exe
14	1496	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1068	RRRTTT.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGAgOfKqAd.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGAgOfKqAd.js	wscript.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RRRTTT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RRRTTT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RRRTTT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1068	RRRTTT.exe
1068	RRRTTT.exe
1068	RRRTTT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	RRRTTT.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1496	980	wscript.exe	28
PID 980 wrote to memory of 1496	980	wscript.exe	28
PID 980 wrote to memory of 1496	980	wscript.exe	28
PID 980 wrote to memory of 1068	980	wscript.exe	29
PID 980 wrote to memory of 1068	980	wscript.exe	29
PID 980 wrote to memory of 1068	980	wscript.exe	29
PID 980 wrote to memory of 1068	980	wscript.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RRRTTT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RRRTTT.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bank Details.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lGAgOfKqAd.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1496
- C:\Users\Admin\AppData\Roaming\RRRTTT.exe
  "C:\Users\Admin\AppData\Roaming\RRRTTT.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1068

Network

DNS

api.ipify.org

RRRTTT.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN CNAME

api.ipify.org.herokudns.com

api.ipify.org.herokudns.com

IN A

52.20.78.240

api.ipify.org.herokudns.com

IN A

3.220.57.224

api.ipify.org.herokudns.com

IN A

54.91.59.199

api.ipify.org.herokudns.com

IN A

3.232.242.170
DNS

javaautorun.duia.ro

wscript.exe

Remote address:

8.8.8.8:53

Request

javaautorun.duia.ro

IN A

Response

javaautorun.duia.ro

IN A

41.217.10.142

52.20.78.240:443

api.ipify.org

tls

RRRTTT.exe

385 B
219 B
5
5
41.217.10.142:5465

javaautorun.duia.ro

wscript.exe

152 B
3
41.217.10.142:5465

javaautorun.duia.ro

wscript.exe

152 B
3
41.217.10.142:5465

javaautorun.duia.ro

wscript.exe

152 B
3
41.217.10.142:5465

javaautorun.duia.ro

wscript.exe

152 B
3
41.217.10.142:5465

javaautorun.duia.ro

wscript.exe

152 B
3

8.8.8.8:53

api.ipify.org

dns

RRRTTT.exe

59 B
164 B
1
1

DNS Request

api.ipify.org

DNS Response

52.20.78.240

3.220.57.224

54.91.59.199

3.232.242.170
8.8.8.8:53

javaautorun.duia.ro

dns

wscript.exe

65 B
81 B
1
1

DNS Request

javaautorun.duia.ro

DNS Response

41.217.10.142

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RRRTTT.exe

Filesize
196KB

MD5
cef584fa8a5b62e4ecb231b3a4ae17f6

SHA1
b913140c163cf97c6d50746ec6eef293bb4a2044

SHA256
c3062dae9f9438eef148f1e7518b7f10d7bbe294d6d60dd0c3c16058c8be5d41

SHA512
7d6f09d9bcf8abd1567a2477366226a888aaef6ce46df3a44761236c748a5960491f167f8f7c1d2f9feb8143956e9ca134d603431adcd80ea26811404deb6fc5

Download Submit
C:\Users\Admin\AppData\Roaming\RRRTTT.exe

Filesize
196KB

MD5
cef584fa8a5b62e4ecb231b3a4ae17f6

SHA1
b913140c163cf97c6d50746ec6eef293bb4a2044

SHA256
c3062dae9f9438eef148f1e7518b7f10d7bbe294d6d60dd0c3c16058c8be5d41

SHA512
7d6f09d9bcf8abd1567a2477366226a888aaef6ce46df3a44761236c748a5960491f167f8f7c1d2f9feb8143956e9ca134d603431adcd80ea26811404deb6fc5

Download Submit
C:\Users\Admin\AppData\Roaming\lGAgOfKqAd.js

Filesize
10KB

MD5
fa9d0f9f212317c220572faa7712088a

SHA1
d9e7d578de835f00ecf97b08b35f4f658cfa6438

SHA256
c42b2f4dbe43245dc08093394ff74dfb85ae95e2165f8cac39af88ae08eabfea

SHA512
8c133db7ef32a34ed2a0716022fdbdba4e334113d75376b851b908b3bc99dda8aced16533c79451ae5edfe964295a3ad03c853490de1af31a1968b04deaed7b8

Download Submit
memory/980-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1068-61-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1068-62-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing