agenttesla | 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

General

Target

5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs
Size

3.0MB
MD5

fce189a69c63f1c8e1e12eb476374180
SHA1

fb42127307eed7e43ba0c370452d2fa3a5337947
SHA256

5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
SHA512

b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d
SSDEEP

6144:/jJCOMKt5IOrXOSZ01eawn7vWMeJtFsMFuh7QPmULgQofUBSh11h5x8noLHNeaZG:LtJPb+/

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
pifgweijlylkellk
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 27 IoCs

flow	pid	Process
21	4136	WScript.exe
23	4136	WScript.exe
28	4136	WScript.exe
33	4136	WScript.exe
34	4136	WScript.exe
35	4136	WScript.exe
46	4136	WScript.exe
47	4136	WScript.exe
48	4136	WScript.exe
49	4136	WScript.exe
50	4136	WScript.exe
53	4136	WScript.exe
59	4136	WScript.exe
61	4136	WScript.exe
62	4136	WScript.exe
63	4136	WScript.exe
65	4136	WScript.exe
66	4136	WScript.exe
79	4136	WScript.exe
81	4136	WScript.exe
82	4136	WScript.exe
85	4136	WScript.exe
87	4136	WScript.exe
88	4136	WScript.exe
89	4136	WScript.exe
90	4136	WScript.exe
91	4136	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3120	Tempwinlogon.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe"	Tempwinlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3120	Tempwinlogon.exe
3120	Tempwinlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	Tempwinlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3120	Tempwinlogon.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 1980	4136	WScript.exe	88
PID 4136 wrote to memory of 1980	4136	WScript.exe	88
PID 1980 wrote to memory of 3120	1980	WScript.exe	91
PID 1980 wrote to memory of 3120	1980	WScript.exe	91
PID 1980 wrote to memory of 3120	1980	WScript.exe	91

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQKPKJPE\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\origin.vbs

Filesize
331KB

MD5
d593230ad945cc8c2db3237ff31624d4

SHA1
a89e668a3026c2158b40489ddc8f211092472e1b

SHA256
fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88

SHA512
938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs

Filesize
3.0MB

MD5
fce189a69c63f1c8e1e12eb476374180

SHA1
fb42127307eed7e43ba0c370452d2fa3a5337947

SHA256
5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

SHA512
b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

Download Submit
memory/3120-155-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/3120-154-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3120-153-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3120-160-0x0000000005E80000-0x0000000005ED0000-memory.dmp

Filesize
320KB

Download
memory/3120-161-0x00000000060A0000-0x0000000006262000-memory.dmp

Filesize
1.8MB

Download
memory/3120-162-0x0000000005F70000-0x0000000006002000-memory.dmp

Filesize
584KB

Download
memory/3120-163-0x0000000006040000-0x000000000604A000-memory.dmp

Filesize
40KB

Download
memory/3120-166-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3120-167-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3120-152-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/3120-151-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads