Malware Analysis Report

2024-10-19 09:24

Sample ID 230804-r5y1kacf71
Target 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs
SHA256 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
Tags
agenttesla wshrat keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b

Threat Level: Known bad

The file 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla wshrat keylogger persistence spyware stealer trojan

WSHRAT

AgentTesla

Blocklisted process makes network request

Reads user/profile data of local email clients

Drops startup file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2023-08-04 14:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-04 14:47

Reported

2023-08-04 14:49

Platform

win7-20230712-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.14:7045 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\origin.vbs

MD5 d593230ad945cc8c2db3237ff31624d4
SHA1 a89e668a3026c2158b40489ddc8f211092472e1b
SHA256 fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs

MD5 fce189a69c63f1c8e1e12eb476374180
SHA1 fb42127307eed7e43ba0c370452d2fa3a5337947
SHA256 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
SHA512 b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9M1KBX1\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-04 14:47

Reported

2023-08-04 14:49

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs C:\Windows\System32\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs\"" C:\Windows\System32\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 1980 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 1980 wrote to memory of 3120 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.14:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 14.144.47.103.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 18.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\origin.vbs

MD5 d593230ad945cc8c2db3237ff31624d4
SHA1 a89e668a3026c2158b40489ddc8f211092472e1b
SHA256 fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6bvbs_JC.vbs

MD5 fce189a69c63f1c8e1e12eb476374180
SHA1 fb42127307eed7e43ba0c370452d2fa3a5337947
SHA256 5843497eed3781c5569f53cd5709e93891fdb74cd12cdaff9487dd1d353dbe6b
SHA512 b4658fc2447beb95b10748012e9c52eb82872a4fa1892c315493edabb14c9a3c452e699733479c68a31d2b93307b7ae44ba87bd7ce9bff5a2165a7925e2e028d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQKPKJPE\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3