agenttesla | ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

General

Target

Scan005.js
Size

2.2MB
MD5

2d062c28da9b8e55c554ad3d99e26050
SHA1

e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e
SHA256

ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931
SHA512

b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3
SSDEEP

6144:DVAv1mgQSIkYpI83y6acJmwj/9VwM4ccOrxMJ1MdrqJvNU3Wb/D4cn7XtK2T/kDg:oo71G

Score

10^/10

agenttesla wshrat collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.egyptscientific.com
Port:
587
Username:
[email protected]
Password:
ibrahim@1234
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
2	2004	wscript.exe
3	2004	wscript.exe
5	1428	wscript.exe
10	1428	wscript.exe
11	1428	wscript.exe
16	1428	wscript.exe
17	1428	wscript.exe
18	1428	wscript.exe
20	1428	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	Gmhot.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\PkvdRn = "C:\\Users\\Admin\\AppData\\Roaming\\PkvdRn\\PkvdRn.exe"	Gmhot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
9	ip-api.com
12	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 8/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	18	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 8/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 8/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	16	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 8/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	Gmhot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1664	Gmhot.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1428	2004	wscript.exe	29
PID 2004 wrote to memory of 1428	2004	wscript.exe	29
PID 2004 wrote to memory of 1428	2004	wscript.exe	29
PID 1428 wrote to memory of 1664	1428	wscript.exe	30
PID 1428 wrote to memory of 1664	1428	wscript.exe	30
PID 1428 wrote to memory of 1664	1428	wscript.exe	30
PID 1428 wrote to memory of 1664	1428	wscript.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Gmhot.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\Scan005.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\Gmhot.exe
    "C:\Users\Admin\Gmhot.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\AppData\Roaming\PkvdRn\PkvdRn.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Gmhot.exe

Filesize
165KB

MD5
9174c08e0ea67a940b29c2464e6c762e

SHA1
65e3a13c5c8004fcdfe0603a03d6ef127fe68881

SHA256
9108ee00bdf6e89257bed6e57902ec4ea496c1b90ff659e41927a30ef4a98d49

SHA512
0611ed661fc0b5e559d5998a053ee78da935e7d6af875ec69f00b5b8d26f0521712051ec110ba534cc5a9969c369f05082bc98dfeabb0c481dbd0464991643e2

Download Submit
C:\Users\Admin\Scan005.js

Filesize
2.2MB

MD5
2d062c28da9b8e55c554ad3d99e26050

SHA1
e80b8cb06e3665f13ef7d428e15b1fa4bdf9bc4e

SHA256
ab7979631ae5e162281582ad3333e8943f0b908ef48d84c4de69e7616fef6931

SHA512
b9319bfeca863d2c0d7fdadb20220b7040fa3880335ce0c73ee1f756fe3c16ce028f4b2df0e02a0de0f7a960512b82effeffab4b686900a4631460fb5cf7c5f3

Download Submit
C:\Users\Admin\wshsdk.zip

Filesize
12.4MB

MD5
d9a63dfd8b73629421bb44bcde09f312

SHA1
7855575c12eaee0e734f3901ca1da2931e9b587a

SHA256
9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb

SHA512
df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

Download Submit
C:\Users\Admin\wshsdk\Lib\SITE-P~1\adodbapi\test\is64bit.py

Filesize
1KB

MD5
ca2cc8e73bbca371935bbc92ed18d567

SHA1
1adb458919e842cd78c72b1ff00e5e93cb6ef75e

SHA256
bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1

SHA512
b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

Download Submit
memory/1428-5679-0x000007FEF7240000-0x000007FEF7248000-memory.dmp

Filesize
32KB

Download
memory/1664-67-0x00000000002B0000-0x00000000002E0000-memory.dmp

Filesize
192KB

Download
memory/1664-68-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/1664-89-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads