agenttesla | ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

General

Target

Scan005.js
Size

2.2MB
MD5

2d062c28da9b8e55c554ad3d99e26050
SHA1

e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e
SHA256

ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931
SHA512

b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3
SSDEEP

6144:DVAv1mgQSIkYpI83y6acJmwj/9VwM4ccOrxMJ1MdrqJvNU3Wb/D4cn7XtK2T/kDg:oo71G

Score

10^/10

agenttesla wshrat collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.egyptscientific.com
Port:
587
Username:
[email protected]
Password:
ibrahim@1234
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 27 IoCs

flow	pid	Process
2	1588	wscript.exe
3	684	wscript.exe
8	684	wscript.exe
9	684	wscript.exe
14	684	wscript.exe
15	684	wscript.exe
17	684	wscript.exe
19	684	wscript.exe
20	684	wscript.exe
22	684	wscript.exe
23	684	wscript.exe
24	684	wscript.exe
26	684	wscript.exe
27	684	wscript.exe
28	684	wscript.exe
30	684	wscript.exe
31	684	wscript.exe
32	684	wscript.exe
34	684	wscript.exe
35	684	wscript.exe
36	684	wscript.exe
38	684	wscript.exe
39	684	wscript.exe
40	684	wscript.exe
42	684	wscript.exe
43	684	wscript.exe
44	684	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
688	Gmhot.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\PkvdRn = "C:\\Users\\Admin\\AppData\\Roaming\\PkvdRn\\PkvdRn.exe"	Gmhot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
10	api.ipify.org
11	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	28	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	38	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	17	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	22	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	32	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	34	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	36	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	40	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	44	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	9	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	14	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	23	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	27	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	31	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	35	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	39	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	43	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	26	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	30	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	42	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	20	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	Gmhot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
688	Gmhot.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 684	1588	wscript.exe	27
PID 1588 wrote to memory of 684	1588	wscript.exe	27
PID 1588 wrote to memory of 684	1588	wscript.exe	27
PID 684 wrote to memory of 688	684	wscript.exe	28
PID 684 wrote to memory of 688	684	wscript.exe	28
PID 684 wrote to memory of 688	684	wscript.exe	28
PID 684 wrote to memory of 688	684	wscript.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\Scan005.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\Gmhot.exe
    "C:\Users\Admin\Gmhot.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\AppData\Roaming\PkvdRn\PkvdRn.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
memory/688-67-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/688-68-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/688-89-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads