Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
12-07-2023 13:32
General
-
Target
ORDER-230712_pdf.vbs
-
Size
8KB
-
MD5
8ad5ed0d841eccc69af3ae683181c8ba
-
SHA1
0431b124ba8702033a7c8afdc55405ce1189ca73
-
SHA256
2ebdc59e3bcf5477d0decb1a2a5079cafbf49295c2344f735ea42e44ad99f5b2
-
SHA512
a4640470d44bc47709b83cea2c25b1dddafdf57820269142d4dbc91586c87a314d913eea54daa6d4756b710bd8d0f52d928467b8276b2d072c859d08cc38051d
-
SSDEEP
96:V0Cfj4peBTHGxZem9WtqQGx9wtehFhesNhU4/i4eo4lhAv4HFje:14aSNW419FLPfBwr9lje
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
pifgweijlylkellk - Email To:
[email protected]
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT payload 2 IoCs
-
Blocklisted process makes network request 28 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230712_pdf.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WCVVRH.vbs"2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Tempwinlogon.exe"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
323B
MD50c17abb0ed055fecf0c48bb6e46eb4eb
SHA1a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3
-
Filesize
558KB
MD5caec1686fe2f17ceb59db064b80a9b9c
SHA1de3fc1f6f4b94e327eb729a4290975e269f86fbe
SHA2560f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac
SHA512375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6
-
Filesize
331KB
MD5d593230ad945cc8c2db3237ff31624d4
SHA1a89e668a3026c2158b40489ddc8f211092472e1b
SHA256fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846
-
Filesize
165KB
MD5d78e00882aa872bb8daaa715d7014413
SHA1cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA25658fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6
-
Filesize
165KB
MD5d78e00882aa872bb8daaa715d7014413
SHA1cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA25658fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6
-
Filesize
165KB
MD5d78e00882aa872bb8daaa715d7014413
SHA1cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA25658fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6
-
Filesize
558KB
MD5caec1686fe2f17ceb59db064b80a9b9c
SHA1de3fc1f6f4b94e327eb729a4290975e269f86fbe
SHA2560f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac
SHA512375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
192KB