Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
01-08-2023 15:53
General
-
Target
ORDER-230733AF.pdf.vbs
-
Size
3.3MB
-
MD5
535074e18bb8158e02c210a49b608d27
-
SHA1
773c9512cb8e3629d90abbb2c61bab322032511d
-
SHA256
17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
-
SHA512
43e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966
-
SSDEEP
6144:5TLuIztXQahBE8pyDIg+8LBEa47U+T1dk9nJbAIcKU/JaShKUHQLJrRt4/ea4lvg:5/fBLE/t4/ea4lo
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
gmipgqhnffzhjcfv
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
gmipgqhnffzhjcfv - Email To:
[email protected]
Extracted
wshrat
http://lee44.kozow.com:4078
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 27 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230733AF.pdf.vbs"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ORDER-230733AF.pdf.vbs"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\keylogger.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Tempwinlogon.exe"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
323B
MD50c17abb0ed055fecf0c48bb6e46eb4eb
SHA1a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3
-
Filesize
168KB
MD5d1f85ec72f11699fed66783d175760e5
SHA108b642efb0b1f483f955156c2dc890e90e867cf5
SHA2563e9ee225b6d213f8e5e6ab0b6d14f85daf0fc5d3e47942277997fff940b5acb7
SHA5128209e250bff8e06123b5446ea9a0321fbf18a93897937b01bca8930036f07f67c703f26828152752b50a9b87a1cd6eea6d50dbd19e3f34d17ffd750157f36f97
-
Filesize
168KB
MD5d1f85ec72f11699fed66783d175760e5
SHA108b642efb0b1f483f955156c2dc890e90e867cf5
SHA2563e9ee225b6d213f8e5e6ab0b6d14f85daf0fc5d3e47942277997fff940b5acb7
SHA5128209e250bff8e06123b5446ea9a0321fbf18a93897937b01bca8930036f07f67c703f26828152752b50a9b87a1cd6eea6d50dbd19e3f34d17ffd750157f36f97
-
Filesize
168KB
MD5d1f85ec72f11699fed66783d175760e5
SHA108b642efb0b1f483f955156c2dc890e90e867cf5
SHA2563e9ee225b6d213f8e5e6ab0b6d14f85daf0fc5d3e47942277997fff940b5acb7
SHA5128209e250bff8e06123b5446ea9a0321fbf18a93897937b01bca8930036f07f67c703f26828152752b50a9b87a1cd6eea6d50dbd19e3f34d17ffd750157f36f97
-
Filesize
3.3MB
MD5535074e18bb8158e02c210a49b608d27
SHA1773c9512cb8e3629d90abbb2c61bab322032511d
SHA25617d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA51243e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966
-
Filesize
3.3MB
MD5535074e18bb8158e02c210a49b608d27
SHA1773c9512cb8e3629d90abbb2c61bab322032511d
SHA25617d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA51243e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966
-
Filesize
3.3MB
MD5535074e18bb8158e02c210a49b608d27
SHA1773c9512cb8e3629d90abbb2c61bab322032511d
SHA25617d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA51243e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966
-
Filesize
336KB
MD5eb6cbe2f11642772cf11896551a03673
SHA1a3d196c4ec0eb4f563e38e0d9d9b4f9dbd738adf
SHA2563bd943ecdb221e050c19ceda7dcf479fb70554e81630426dca7d7962770eadaa
SHA512d488f65ad29300141da45d655af80546217083f616746843de2477b053720afc212a8994c1705e7a27dc26d49bd4962a2761a46a8f667753aaea47da27bf46de
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
192KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
7.7MB