agenttesla | 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

General

Target

Swift_Payment_of_ Inv_467443456_JPG.vbs
Size

3.0MB
MD5

fce189a69c63f1c8e1e12eb476374180
SHA1

fb42127307eed7e43ba0c370452d2fa3a5337947
SHA256

5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
SHA512

b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d
SSDEEP

6144:/jJCOMKt5IOrXOSZ01eawn7vWMeJtFsMFuh7QPmULgQofUBSh11h5x8noLHNeaZG:LtJPb+/

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
pifgweijlylkellk
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 27 IoCs

flow	pid	Process
4	2784	WScript.exe
7	2784	WScript.exe
8	2784	WScript.exe
9	2784	WScript.exe
11	2784	WScript.exe
12	2784	WScript.exe
13	2784	WScript.exe
15	2784	WScript.exe
16	2784	WScript.exe
17	2784	WScript.exe
19	2784	WScript.exe
20	2784	WScript.exe
21	2784	WScript.exe
23	2784	WScript.exe
24	2784	WScript.exe
25	2784	WScript.exe
27	2784	WScript.exe
28	2784	WScript.exe
29	2784	WScript.exe
31	2784	WScript.exe
32	2784	WScript.exe
33	2784	WScript.exe
35	2784	WScript.exe
36	2784	WScript.exe
37	2784	WScript.exe
39	2784	WScript.exe
40	2784	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	Tempwinlogon.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe"	Tempwinlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	Tempwinlogon.exe
2856	Tempwinlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	Tempwinlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	Tempwinlogon.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2836	2784	WScript.exe	28
PID 2784 wrote to memory of 2836	2784	WScript.exe	28
PID 2784 wrote to memory of 2836	2784	WScript.exe	28
PID 2836 wrote to memory of 2856	2836	WScript.exe	30
PID 2836 wrote to memory of 2856	2836	WScript.exe	30
PID 2836 wrote to memory of 2856	2836	WScript.exe	30
PID 2836 wrote to memory of 2856	2836	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\origin.vbs

Filesize
331KB

MD5
d593230ad945cc8c2db3237ff31624d4

SHA1
a89e668a3026c2158b40489ddc8f211092472e1b

SHA256
fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88

SHA512
938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs

Filesize
3.0MB

MD5
fce189a69c63f1c8e1e12eb476374180

SHA1
fb42127307eed7e43ba0c370452d2fa3a5337947

SHA256
5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

SHA512
b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

Download Submit
memory/2856-67-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/2856-68-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-69-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2856-74-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-75-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads