agenttesla | ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

General

Target

Scan005.js
Size

2.2MB
MD5

2d062c28da9b8e55c554ad3d99e26050
SHA1

e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e
SHA256

ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931
SHA512

b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3
SSDEEP

6144:DVAv1mgQSIkYpI83y6acJmwj/9VwM4ccOrxMJ1MdrqJvNU3Wb/D4cn7XtK2T/kDg:oo71G

Score

10^/10

agenttesla wshrat collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.egyptscientific.com
Port:
587
Username:
[email protected]
Password:
ibrahim@1234
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
9	2076	wscript.exe
19	1308	wscript.exe
22	1308	wscript.exe
23	1308	wscript.exe
29	1308	wscript.exe
37	1308	wscript.exe
38	1308	wscript.exe
41	1308	wscript.exe
44	1308	wscript.exe
45	1308	wscript.exe
49	1308	wscript.exe
54	1308	wscript.exe
55	1308	wscript.exe
56	1308	wscript.exe
57	1308	wscript.exe
59	1308	wscript.exe
60	1308	wscript.exe
62	1308	wscript.exe
64	1308	wscript.exe
65	1308	wscript.exe
66	1308	wscript.exe
67	1308	wscript.exe
69	1308	wscript.exe
70	1308	wscript.exe
71	1308	wscript.exe
73	1308	wscript.exe
74	1308	wscript.exe
75	1308	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	Gmhot.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PkvdRn = "C:\\Users\\Admin\\AppData\\Roaming\\PkvdRn\\PkvdRn.exe"	Gmhot.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com
26	api.ipify.org
27	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	55	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	66	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	37	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	54	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	38	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	64	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	71	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	60	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	70	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	49	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	59	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	67	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	23	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	56	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	57	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	69	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	41	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	74	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	73	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	45	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	75	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	65	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	29	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	44	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	Gmhot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	Gmhot.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1308	2076	wscript.exe	83
PID 2076 wrote to memory of 1308	2076	wscript.exe	83
PID 1308 wrote to memory of 2936	1308	wscript.exe	84
PID 1308 wrote to memory of 2936	1308	wscript.exe	84
PID 1308 wrote to memory of 2936	1308	wscript.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\Scan005.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\Gmhot.exe
    "C:\Users\Admin\Gmhot.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
memory/2936-170-0x0000000000A90000-0x0000000000AC0000-memory.dmp

Filesize
192KB

Download
memory/2936-171-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/2936-172-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2936-173-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/2936-175-0x0000000006FF0000-0x0000000007082000-memory.dmp

Filesize
584KB

Download
memory/2936-176-0x00000000071D0000-0x00000000071DA000-memory.dmp

Filesize
40KB

Download
memory/2936-177-0x0000000007250000-0x00000000072A0000-memory.dmp

Filesize
320KB

Download
memory/2936-179-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads