Malware Analysis Report

2024-10-19 09:24

Sample ID: 230801-m3efxsge3z
Target:    Swift_Payment_of_ Inv_467443456_JPG.vbs
SHA256:    5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
Tags:      agenttesla wshrat keylogger persistence spyware stealer trojan
Score:     10/10

Analysis Overview

Score: 10/10
SHA256: 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
Threat Level: Known bad

The file Swift_Payment_of_ Inv_467443456_JPG.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla wshrat keylogger persistence spyware stealer trojan

WSHRAT

AgentTesla

Blocklisted process makes network request

Drops startup file

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-08-01 10:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-01 10:59
Reported:  2023-08-01 11:01
Platform:  win7-20230712-en
Max time kernel:  149s
Max time network: 153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Note the path: the executable is written directly under AppData\Local with the file name Tempwinlogon.exe, apparently the %TEMP% path joined to "winlogon.exe" without a separator, so it is not inside the Temp folder. Use the exact path when hunting for it.

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs\"" | C:\Windows\System32\WScript.exe | N/A

Two of the three values relaunch the original script itself through wscript.exe with the //B (batch mode) switch, which suppresses script error dialogs, so the persisted launch is silent. The HKLM value could only be written because the sandbox user (Admin) is an administrator; on a standard-user host expect the HKCU value alone. The third value, written by the dropped executable rather than by the script, points at a second copy of that executable under a "Windows Update" folder in %TEMP%.

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Three processes, one chain: the submitted script runs under WScript.exe, drops and launches a second script (origin.vbs) under a new WScript.exe, and that second script starts the dropped executable. This run's signatures do not show the parent-child order; the behavioral2 run below records it by PID.
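The persistence and execution chain recorded in this run (Run values that relaunch the script with wscript.exe //B, the Startup-folder drop, WScript.exe starting an executable out of AppData\Local, the external-IP lookup and the C2 connection) translates directly into host detection logic. The block below is an added example, not part of the sandbox report or any vendor's code: it applies that logic to constructed Sysmon-style event records. The event shapes and field names are assumptions made for this example; the indicator values (Run-key command line, dropped-file SHA256, C2 host and port) are taken from the report.

```python
"""Added example (not part of the sandbox report): detection rules for the
WSHRAT persistence and execution chain, run over constructed Sysmon-style
events.  Event shapes and field names are assumptions; indicator values
come from the report."""
import re

# Indicators taken from the report.
C2_HOST = "chongmei33.publicvm.com"
C2_ADDR = ("103.47.144.107", 7045)
DROPPED_SHA256 = "58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9"

# Any Run key, HKLM or HKCU, however the hive prefix is spelled.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# A Run value that relaunches a script through wscript in batch mode (//B),
# which suppresses script error dialogs: the pattern this sample uses.
WSCRIPT_BATCH_RE = re.compile(r'^\s*"?(?:[^"]*\\)?wscript(?:\.exe)?"?\s+//B(?:\s|$)', re.I)
# A Windows Script Host file dropped into the per-user Startup folder.
STARTUP_SCRIPT_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf)$", re.I)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def detect(events):
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            if WSCRIPT_BATCH_RE.match(ev["value"]):
                findings.append(("wsh_run_key_batch_mode", ev["key"]))
            elif TEMP_PATH_RE.search(ev["value"]):
                # Autostart entry pointing into a user-writable temp directory.
                findings.append(("run_key_temp_path", ev["key"]))
        elif kind == "file_create" and STARTUP_SCRIPT_RE.search(ev["path"]):
            findings.append(("startup_folder_script", ev["path"]))
        elif kind == "process_create":
            parent = ev["parent_image"].lower()
            child = ev["image"].lower()
            if parent.endswith("\\wscript.exe") and child.endswith(".exe") and "\\appdata\\local\\" in child:
                findings.append(("wscript_spawns_appdata_exe", ev["image"]))
            if ev.get("sha256", "").lower() == DROPPED_SHA256:
                findings.append(("known_bad_hash", ev["image"]))
        elif kind == "network_connect":
            if ev.get("dest_host") == C2_HOST or (ev["dest_ip"], ev["dest_port"]) == C2_ADDR:
                findings.append(("wshrat_c2", "%s:%d" % (ev["dest_ip"], ev["dest_port"])))
            elif ev.get("dest_host") == "ip-api.com":
                findings.append(("external_ip_lookup", ev["dest_host"]))
    return findings


# Constructed sample telemetry mirroring the behavioral1 run, plus one benign
# Run value (a vendor autostart under Program Files) as a control.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"'},
    {"kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "value": r"C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe"},
    {"kind": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs"},
    {"kind": "process_create",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe",
     "sha256": DROPPED_SHA256},
    {"kind": "network_connect", "dest_ip": "208.95.112.1", "dest_port": 80, "dest_host": "ip-api.com"},
    {"kind": "network_connect", "dest_ip": "103.47.144.107", "dest_port": 7045, "dest_host": "chongmei33.publicvm.com"},
    {"kind": "registry_set",  # benign control record
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {evidence}")
```

The batch-mode rule is the most portable of the set: it keys on the //B switch in an autostart command rather than on this sample's file name, so it catches the same persistence trick under any name, while the hash rule only ever matches this one dropped binary.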

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp | 1
SG | 103.47.144.107:7045 | chongmei33.publicvm.com | tcp | 26

Identical rows are collapsed; the Connections column is the number of times the row occurred. The external-IP lookup (ip-api.com over plain HTTP) comes first, then 26 separate TCP connections to chongmei33.publicvm.com (a dynamic-DNS name) on the non-standard port 7045, a pattern consistent with a polling C2 beacon.

Files

C:\Users\Admin\AppData\Local\Temp\origin.vbs

MD5 d593230ad945cc8c2db3237ff31624d4
SHA1 a89e668a3026c2158b40489ddc8f211092472e1b
SHA256 fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

memory/2856-67-0x0000000000090000-0x00000000000C0000-memory.dmp

memory/2856-68-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/2856-69-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe (same SHA256 as Tempwinlogon.exe: the executable copies itself here, and this is the path its HKCU Run value "Windows Update" points at)

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

memory/2856-74-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/2856-75-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs

MD5 fce189a69c63f1c8e1e12eb476374180
SHA1 fb42127307eed7e43ba0c370452d2fa3a5337947
SHA256 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
SHA512 b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\json[1].json (WinINet cache entry, most likely the ip-api.com JSON response; the same hash appears in the behavioral2 run)

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-01 10:59
Reported:  2023-08-01 11:01
Platform:  win10v2004-20230703-en
Max time kernel:  146s
Max time network: 153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Swift_Payment_of_ Inv_467443456_JPG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Swift_Payment_of_ Inv_467443456_JPG.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2488 wrote to memory of 2608 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2608 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 1156 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 2608 wrote to memory of 1156 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 2608 wrote to memory of 1156 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Each write goes from a parent to the child it has just created (2488 → 2608 → 1156), so these entries are consistent with plain process creation and document the process chain; they are not, on their own, evidence of code injection into an unrelated process.

Processes

C:\Windows\System32\WScript.exe (PID 2488)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift_Payment_of_ Inv_467443456_JPG.vbs"

  └ C:\Windows\System32\WScript.exe (PID 2608)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

      └ C:\Users\Admin\AppData\Local\Tempwinlogon.exe (PID 1156)
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

PIDs and parent-child links are taken from the WriteProcessMemory trace above; PID 1156 is also the process the memory dumps in the Files section were taken from.

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp | 1
SG | 103.47.144.107:7045 | chongmei33.publicvm.com | tcp | 25
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 107.144.47.103.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp | 1

Identical rows are collapsed; the Connections column is the number of times the row occurred, and the 25 connections to 103.47.144.107:7045 were interleaved with the reverse-DNS lookups in the original order. Of the in-addr.arpa lookups, two correspond to the sample's own peers: 1.112.95.208 is the reverse name of 208.95.112.1 (ip-api.com) and 107.144.47.103 is the reverse name of 103.47.144.107 (the C2). The other fifteen resolve cloud and CDN addresses that the Windows 10 image contacts on its own and are most likely background noise rather than sample activity.
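Separating sample traffic from image background in a table like the one above is mechanical once the rows are parsed: reverse-DNS names reverse the octets of the address looked up, so they can be matched back against the destinations the sample actually connected to. The block below is an added example, not part of the sandbox report: a parser for the report's "Country Destination Domain Proto" rows and a summary that does that matching and flags connections on non-web ports. The row layout is the report's own; SAMPLE_ROWS is a constructed excerpt of this run's table, and the helper names are this example's, not the report's.

```python
"""Added example (not part of the sandbox report): parse the flattened
Network rows of this report format and summarize them, separating reverse-DNS
(in-addr.arpa) lookups from forward DNS queries and real connections.
SAMPLE_ROWS is a constructed excerpt of the behavioral2 table."""
from collections import Counter

SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.107:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 107.144.47.103.in-addr.arpa udp
SG 103.47.144.107:7045 chongmei33.publicvm.com tcp
SG 103.47.144.107:7045 chongmei33.publicvm.com tcp
"""


def parse_rows(text):
    """Parse report rows into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_name_to_ip(name):
    """'1.112.95.208.in-addr.arpa' -> '208.95.112.1' (PTR labels are reversed)."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def summarize(rows):
    """Group rows into reverse-DNS lookups (keyed by the looked-up IP),
    forward DNS queries (keyed by name) and connections (name, ip, port, proto)."""
    summary = {"reverse_dns": Counter(), "dns": Counter(), "connections": Counter()}
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            summary["reverse_dns"][ptr_name_to_ip(r["domain"])] += 1
        elif r["port"] == 53 and r["proto"] == "udp":
            summary["dns"][r["domain"]] += 1
        else:
            summary["connections"][(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return summary


def nonstandard_port_connections(summary, allowed=(80, 443)):
    """Connections on anything other than plain web ports; the C2 channel stands out."""
    return sorted(k for k in summary["connections"] if k[2] not in allowed)


def reverse_lookups_of_own_peers(summary):
    """Reverse lookups whose address the sample also connected to, i.e. lookups
    attributable to the sample; the remainder are background lookups by the OS image."""
    peers = {k[1] for k in summary["connections"]}
    return sorted(ip for ip in summary["reverse_dns"] if ip in peers)


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for key, count in s["connections"].items():
        print(count, key)
    print("non-web ports:", nonstandard_port_connections(s))
    print("reverse lookups of own peers:", reverse_lookups_of_own_peers(s))
```

Run over the full table above, the same code reports 25 connections to 103.47.144.107:7045 and exactly two sample-attributable reverse lookups (208.95.112.1 and 103.47.144.107); everything else in the in-addr.arpa column is image background.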

Files

C:\Users\Admin\AppData\Local\Temp\origin.vbs

MD5 d593230ad945cc8c2db3237ff31624d4
SHA1 a89e668a3026c2158b40489ddc8f211092472e1b
SHA256 fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

memory/1156-151-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1156-152-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

memory/1156-153-0x0000000005E70000-0x0000000006414000-memory.dmp

memory/1156-154-0x00000000057F0000-0x0000000005800000-memory.dmp

memory/1156-155-0x0000000005800000-0x0000000005866000-memory.dmp

memory/1156-158-0x00000000066B0000-0x0000000006700000-memory.dmp

memory/1156-159-0x00000000068D0000-0x0000000006A92000-memory.dmp

memory/1156-160-0x00000000067A0000-0x0000000006832000-memory.dmp

memory/1156-163-0x0000000006870000-0x000000000687A000-memory.dmp

memory/1156-164-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1156-167-0x00000000057F0000-0x0000000005800000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift_Payment_of_ Inv_467443456_JPG.vbs

MD5 fce189a69c63f1c8e1e12eb476374180
SHA1 fb42127307eed7e43ba0c370452d2fa3a5337947
SHA256 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
SHA512 b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5XLATO3O\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3