agenttesla | b7c5d83bcb09217db3593681c1aab762b936b6bdcdef4c89b155ed5456d2224f

General

Target

Order-POF561.js
Size

4.4MB
MD5

600ff23c99cac605541142deb6d59d08
SHA1

609b030ed3ab2d856533efb140505ef77ab45e27
SHA256

b7c5d83bcb09217db3593681c1aab762b936b6bdcdef4c89b155ed5456d2224f
SHA512

f5143ca822ee39815cd7fd4e940451e3cf7a19ab6afc8052a2ce8b66525074c50033ae244de9950c4b30162d524972037ff0ea5f941663b8ab4377d73a6fd286
SSDEEP

24576:SnSV1KQRkYy4g47ycfEVP75BupG6wcBRpY3xxc9pURy26cJ39ftFvxwv9NeiObv4:GC

Score

10^/10

agenttesla vjw0rm collection keylogger spyware stealer trojan worm

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.rzr0ngtai.com
Port:
587
Username:
ofm@rzr0ngtai.com
Password:
TRhkGVZ4
Email To:
ofm@rzr0ngtai.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
10	4772	wscript.exe
11	4772	wscript.exe
22	4772	wscript.exe
31	4772	wscript.exe
33	4772	wscript.exe
37	4772	wscript.exe
42	4772	wscript.exe
43	4772	wscript.exe
45	4772	wscript.exe
46	4772	wscript.exe
48	4772	wscript.exe
49	4772	wscript.exe
51	4772	wscript.exe
52	4772	wscript.exe
54	4772	wscript.exe
55	4772	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NaWPCMeUbz.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NaWPCMeUbz.js	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

bbnn.exe

pid process

4324 bbnn.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4324	bbnn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

bbnn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bbnn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bbnn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bbnn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bbnn.exe

description pid process

Token: SeDebugPrivilege 4324 bbnn.exe

description	pid	process
Token: SeDebugPrivilege	4324	bbnn.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 540 wrote to memory of 4772	540	wscript.exe	wscript.exe
PID 540 wrote to memory of 4772	540	wscript.exe	wscript.exe
PID 540 wrote to memory of 4324	540	wscript.exe	bbnn.exe
PID 540 wrote to memory of 4324	540	wscript.exe	bbnn.exe
PID 540 wrote to memory of 4324	540	wscript.exe	bbnn.exe

outlook_office_path 1 IoCs

Processes:

bbnn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bbnn.exe

outlook_win_path 1 IoCs

Processes:

bbnn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bbnn.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-POF561.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4772

C:\Users\Admin\AppData\Roaming\bbnn.exe
"C:\Users\Admin\AppData\Roaming\bbnn.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js
Filesize
346KB

MD5
893fc35e6777d07700009659b4df14ea

SHA1
f06f4cb7e5e00e9513049e9491794cf7708d4660

SHA256
62a741f015d45db0e868d0a0aaf58d5d2ed016dd29815baafd2978fc91b2355d

SHA512
749394e8730850c7773950cb12183a72ffe825803be321849024e4b47879a4e619516889742f78d186fef3e5252a1cc648183525a0039826de29884268104eb2

Download Submit
C:\Users\Admin\AppData\Roaming\bbnn.exe
Filesize
164KB

MD5
c326600507ad2a761a7cff547b3a2272

SHA1
fb4fe27a790f1961cbcdbeb7d527df3f5168177a

SHA256
9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f

SHA512
89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e

Download Submit
C:\Users\Admin\AppData\Roaming\bbnn.exe
Filesize
164KB

MD5
c326600507ad2a761a7cff547b3a2272

SHA1
fb4fe27a790f1961cbcdbeb7d527df3f5168177a

SHA256
9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f

SHA512
89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e

Download Submit
C:\Users\Admin\AppData\Roaming\bbnn.exe
Filesize
164KB

MD5
c326600507ad2a761a7cff547b3a2272

SHA1
fb4fe27a790f1961cbcdbeb7d527df3f5168177a

SHA256
9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f

SHA512
89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e

Download Submit
memory/4324-147-0x0000000000AD0000-0x0000000000B00000-memory.dmp

Filesize
192KB

Download
memory/4324-148-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4324-149-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4324-150-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4324-151-0x0000000006620000-0x00000000066B2000-memory.dmp

Filesize
584KB

Download
memory/4324-152-0x00000000067B0000-0x00000000067BA000-memory.dmp

Filesize
40KB

Download
memory/4324-153-0x0000000006820000-0x0000000006870000-memory.dmp

Filesize
320KB

Download
memory/4324-154-0x0000000006A40000-0x0000000006C02000-memory.dmp

Filesize
1.8MB

Download
memory/4324-155-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads