agenttesla | e8d22feb82ab660c59ade0376cac6cfa39e089d4386c503282ec06e5e15e7659

Analysis

max time kernel
237s
max time network
258s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank Details.js
Size

374KB
MD5

7c5e8174cdba01f663d435d1ea9d3c41
SHA1

5b362009da4f9786b257651864c62f814d1825ed
SHA256

e8d22feb82ab660c59ade0376cac6cfa39e089d4386c503282ec06e5e15e7659
SHA512

56a291c7f08bf2c95695a48567a07feb6f8d8cca9266fc6d9d259dd2e1440bf26a987ffb3b84770402dca80e07d0899334f99daad03e724774b401cc76350835
SSDEEP

6144:Nw/VyURyDDckawASdoFoYbwXiC4gJMYSDnc3erU5B7LGfMzT:iy4xA4gJNSvgmfMP

Score

10^/10

agenttesla vjw0rm keylogger spyware stealer trojan worm

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5752794370:AAGHbBIUSUvwQW5dpdi3bNZyPbHwpEPD5r0/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
59	4364	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	RRRTTT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGAgOfKqAd.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGAgOfKqAd.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3192	RRRTTT.exe
3192	RRRTTT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	RRRTTT.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4364	220	wscript.exe	88
PID 220 wrote to memory of 4364	220	wscript.exe	88
PID 220 wrote to memory of 3192	220	wscript.exe	89
PID 220 wrote to memory of 3192	220	wscript.exe	89
PID 220 wrote to memory of 3192	220	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bank Details.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lGAgOfKqAd.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4364
- C:\Users\Admin\AppData\Roaming\RRRTTT.exe
  "C:\Users\Admin\AppData\Roaming\RRRTTT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RRRTTT.exe

Filesize
196KB

MD5
cef584fa8a5b62e4ecb231b3a4ae17f6

SHA1
b913140c163cf97c6d50746ec6eef293bb4a2044

SHA256
c3062dae9f9438eef148f1e7518b7f10d7bbe294d6d60dd0c3c16058c8be5d41

SHA512
7d6f09d9bcf8abd1567a2477366226a888aaef6ce46df3a44761236c748a5960491f167f8f7c1d2f9feb8143956e9ca134d603431adcd80ea26811404deb6fc5

Download Submit
C:\Users\Admin\AppData\Roaming\RRRTTT.exe

Filesize
196KB

MD5
cef584fa8a5b62e4ecb231b3a4ae17f6

SHA1
b913140c163cf97c6d50746ec6eef293bb4a2044

SHA256
c3062dae9f9438eef148f1e7518b7f10d7bbe294d6d60dd0c3c16058c8be5d41

SHA512
7d6f09d9bcf8abd1567a2477366226a888aaef6ce46df3a44761236c748a5960491f167f8f7c1d2f9feb8143956e9ca134d603431adcd80ea26811404deb6fc5

Download Submit
C:\Users\Admin\AppData\Roaming\lGAgOfKqAd.js

Filesize
10KB

MD5
fa9d0f9f212317c220572faa7712088a

SHA1
d9e7d578de835f00ecf97b08b35f4f658cfa6438

SHA256
c42b2f4dbe43245dc08093394ff74dfb85ae95e2165f8cac39af88ae08eabfea

SHA512
8c133db7ef32a34ed2a0716022fdbdba4e334113d75376b851b908b3bc99dda8aced16533c79451ae5edfe964295a3ad03c853490de1af31a1968b04deaed7b8

Download Submit
memory/3192-137-0x0000000000A00000-0x0000000000A38000-memory.dmp

Filesize
224KB

Download
memory/3192-138-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/3192-139-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download