Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-08-2023 10:59

General

  • Target

    Swift_Payment_of_ Inv_467443456_JPG.vbs

  • Size

    3.0MB

  • MD5

    fce189a69c63f1c8e1e12eb476374180

  • SHA1

    fb42127307eed7e43ba0c370452d2fa3a5337947

  • SHA256

    5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

  • SHA512

    b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

  • SSDEEP

    6144:/jJCOMKt5IOrXOSZ01eawn7vWMeJtFsMFuh7QPmULgQofUBSh11h5x8noLHNeaZG:LtJPb+/

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS forms.

  • Blocklisted process makes network request 26 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1156
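The signatures and the process tree above describe a chain that can be turned into host-side detection: WScript.exe running a double-extension script out of a user-writable directory, the script host dropping a copy into the Startup folder and setting a Run key, a second script host launching an executable from AppData\Local, and a connection to the WSHRAT C2. The script below is an added example, not part of the sandbox report or of any tool it names. It codifies the report's IOCs (the three SHA256 hashes and the C2 hostname) and those behaviours as rules over Sysmon-style telemetry. The telemetry lines, the pipe-separated `Key=Value` layout, the rule names and the Run value name `example` are constructed for illustration and are not output from this run.

```python
import hashlib
import re

# IOCs copied from the report above (SHA256 -> what the report says it is).
KNOWN_SHA256 = {
    "5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b":
        "Swift_Payment_of_ Inv_467443456_JPG.vbs (submitted sample, WSHRAT)",
    "fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88":
        "origin.vbs (second-stage script)",
    "58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9":
        "winlogon.exe dropped under AppData\\Local (AgentTesla)",
}
C2_HOSTS = {"chongmei33.publicvm.com"}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)$", re.IGNORECASE)
# "_JPG.vbs": a script dressed up as an image or document.
DOUBLE_EXT = re.compile(r"[_.](jpe?g|png|pdf|docx?|xlsx?)\.(vbs|vbe|js|jse|wsf)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData\\Local|AppData\\Roaming|Downloads|Temp)\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed telemetry (Sysmon-style field names, one event per line, pipe-separated).
# It mirrors the process tree in the report but is not sandbox output.
SAMPLE_EVENTS = """\
EventID=1|ProcessId=2488|Image=C:\\Windows\\System32\\WScript.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs"
EventID=11|ProcessId=2488|Image=C:\\Windows\\System32\\WScript.exe|TargetFilename=C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Swift_Payment_of_ Inv_467443456_JPG.vbs
EventID=13|ProcessId=2488|Image=C:\\Windows\\System32\\WScript.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\example
EventID=1|ProcessId=2608|Image=C:\\Windows\\System32\\WScript.exe|ParentImage=C:\\Windows\\System32\\WScript.exe|CommandLine="C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\origin.vbs"
EventID=1|ProcessId=1156|Image=C:\\Users\\Admin\\AppData\\Local\\Tempwinlogon.exe|ParentImage=C:\\Windows\\System32\\WScript.exe|CommandLine="C:\\Users\\Admin\\AppData\\Local\\Tempwinlogon.exe"
EventID=3|ProcessId=2488|Image=C:\\Windows\\System32\\WScript.exe|DestinationHostname=chongmei33.publicvm.com|DestinationPort=7045
EventID=1|ProcessId=4100|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe
"""


def parse_event(line):
    """Parse one pipe-separated 'Key=Value' telemetry line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    eid = event.get("EventID")
    if eid == "1":  # process creation
        cmdline = event.get("CommandLine", "").rstrip('"')
        if basename(image) in SCRIPT_HOSTS:
            # Script host running a script out of a user-writable directory.
            if USER_WRITABLE.search(cmdline) and SCRIPT_EXT.search(cmdline):
                hits.append("script_host_user_dir")
            if DOUBLE_EXT.search(cmdline):
                hits.append("double_extension_script")
        if basename(parent) in SCRIPT_HOSTS:
            if basename(image) in SCRIPT_HOSTS:
                hits.append("script_host_spawns_script_host")
            elif image.lower().endswith(".exe") and USER_WRITABLE.search(image):
                hits.append("script_host_runs_dropped_exe")  # e.g. Tempwinlogon.exe
    elif eid == "11":  # file create
        if STARTUP_DIR.search(event.get("TargetFilename", "")) and basename(image) in SCRIPT_HOSTS:
            hits.append("script_host_drops_startup_file")
    elif eid == "13":  # registry value set
        if "\\CurrentVersion\\Run\\" in event.get("TargetObject", "") and basename(image) in SCRIPT_HOSTS:
            hits.append("script_host_sets_run_key")
    elif eid == "3":  # network connection
        if event.get("DestinationHostname", "").lower() in C2_HOSTS:
            hits.append("known_c2_host")
    return hits


def scan(log_text):
    """Run every event through the rules; return {ProcessId: set of rule names}."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            hits = evaluate(ev)
            if hits:
                findings.setdefault(ev.get("ProcessId", "?"), set()).update(hits)
    return findings


def hash_file(path):
    """Streamed SHA256 of a file on disk, for matching against KNOWN_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_hash(hexdigest):
    """Map a SHA256 to the report's description, or None if it is not an IOC."""
    return KNOWN_SHA256.get(hexdigest.lower())


if __name__ == "__main__":
    for pid, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
```

Note that the dropped executable path is matched on its `\AppData\Local` prefix, so the rule fires whether the file lands at `Tempwinlogon.exe` (as the report shows) or under a proper `Temp\` subdirectory. The single-event rules are deliberately loose; in production you would correlate them per process tree, as the report does, so that the Startup drop, the Run key and the C2 connection from PID 2488 score together rather than as isolated alerts.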

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5XLATO3O\json[1].json

    Filesize

    323B

    MD5

    0c17abb0ed055fecf0c48bb6e46eb4eb

    SHA1

    a692730c8ec7353c31b94a888f359edb54aaa4c8

    SHA256

    f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

    SHA512

    645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

  • C:\Users\Admin\AppData\Local\Temp\origin.vbs

    Filesize

    331KB

    MD5

    d593230ad945cc8c2db3237ff31624d4

    SHA1

    a89e668a3026c2158b40489ddc8f211092472e1b

    SHA256

    fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88

    SHA512

    938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe

    Filesize

    165KB

    MD5

    d78e00882aa872bb8daaa715d7014413

    SHA1

    cb242a2e1d65263d733b45d0cda17ce50cb4e376

    SHA256

    58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

    SHA512

    613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs

    Filesize

    3.0MB

    MD5

    fce189a69c63f1c8e1e12eb476374180

    SHA1

    fb42127307eed7e43ba0c370452d2fa3a5337947

    SHA256

    5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

    SHA512

    b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

  • memory/1156-155-0x0000000005800000-0x0000000005866000-memory.dmp

    Filesize

    408KB

  • memory/1156-154-0x00000000057F0000-0x0000000005800000-memory.dmp

    Filesize

    64KB

  • memory/1156-153-0x0000000005E70000-0x0000000006414000-memory.dmp

    Filesize

    5.6MB

  • memory/1156-158-0x00000000066B0000-0x0000000006700000-memory.dmp

    Filesize

    320KB

  • memory/1156-159-0x00000000068D0000-0x0000000006A92000-memory.dmp

    Filesize

    1.8MB

  • memory/1156-160-0x00000000067A0000-0x0000000006832000-memory.dmp

    Filesize

    584KB

  • memory/1156-163-0x0000000006870000-0x000000000687A000-memory.dmp

    Filesize

    40KB

  • memory/1156-164-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

  • memory/1156-167-0x00000000057F0000-0x0000000005800000-memory.dmp

    Filesize

    64KB

  • memory/1156-152-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

    Filesize

    192KB

  • memory/1156-151-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB