Overview

overview

10

Static

static

1

Order-POF561.js

windows7-x64

10

Order-POF561.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2023 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order-POF561.js

  • Size

    4.4MB

  • MD5

    600ff23c99cac605541142deb6d59d08

  • SHA1

    609b030ed3ab2d856533efb140505ef77ab45e27

  • SHA256

    b7c5d83bcb09217db3593681c1aab762b936b6bdcdef4c89b155ed5456d2224f

  • SHA512

    f5143ca822ee39815cd7fd4e940451e3cf7a19ab6afc8052a2ce8b66525074c50033ae244de9950c4b30162d524972037ff0ea5f941663b8ab4377d73a6fd286

  • SSDEEP

    24576:SnSV1KQRkYy4g47ycfEVP75BupG6wcBRpY3xxc9pURy26cJ39ftFvxwv9NeiObv4:GC

Score
10/10
agentteslavjw0rmcollectionkeyloggerspywarestealertrojanworm

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.rzr0ngtai.com
  • Port:
    587
  • Username:
    ofm@rzr0ngtai.com
  • Password:
    TRhkGVZ4
  • Email To:
    ofm@rzr0ngtai.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-POF561.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2016
    • C:\Users\Admin\AppData\Roaming\bbnn.exe
      "C:\Users\Admin\AppData\Roaming\bbnn.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js
    Filesize

    346KB

    MD5

    893fc35e6777d07700009659b4df14ea

    SHA1

    f06f4cb7e5e00e9513049e9491794cf7708d4660

    SHA256

    62a741f015d45db0e868d0a0aaf58d5d2ed016dd29815baafd2978fc91b2355d

    SHA512

    749394e8730850c7773950cb12183a72ffe825803be321849024e4b47879a4e619516889742f78d186fef3e5252a1cc648183525a0039826de29884268104eb2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\bbnn.exe
    Filesize

    164KB

    MD5

    c326600507ad2a761a7cff547b3a2272

    SHA1

    fb4fe27a790f1961cbcdbeb7d527df3f5168177a

    SHA256

    9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f

    SHA512

    89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\bbnn.exe
    Filesize

    164KB

    MD5

    c326600507ad2a761a7cff547b3a2272

    SHA1

    fb4fe27a790f1961cbcdbeb7d527df3f5168177a

    SHA256

    9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f

    SHA512

    89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e

    Download Submit
  • memory/652-63-0x00000000001F0000-0x0000000000220000-memory.dmp
    Filesize

    192KB

    Download
  • memory/652-64-0x0000000004D10000-0x0000000004D50000-memory.dmp
    Filesize

    256KB

    Download
  • memory/652-65-0x0000000004D10000-0x0000000004D50000-memory.dmp
    Filesize

    256KB

    Download