agenttesla | 71b3ff5d24faad6bb5347e40ab19266a7811527a0ef7fa76a5d8d24ba9beca8d

General

Target

ORDER-2308084AF.pdf.vbs
Size

8KB
MD5

76f898a3ef280f1124872b256f473061
SHA1

9d606f81785f790a8cb9b9ac178bb6da0316fb70
SHA256

71b3ff5d24faad6bb5347e40ab19266a7811527a0ef7fa76a5d8d24ba9beca8d
SHA512

949c60975eb7050a9e1b7a7b8bc21d1289641fbf1e73e021ec7b2f77068f704f7a042a64d5e7834b4fbdf908e3118eb97f1cc66c8d74d064c797c988e47d716b
SSDEEP

48:QMt0Vt6AGSPOVGSEkGSAciDDrScaWXlDDnZPlsVmzndVBVNuf5Vwmy:pysAGiOGKG3rDDrLXlDDnlSsnXrN4ny

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
pifgweijlylkellk
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 20 IoCs

flow	pid	Process
5	2252	WScript.exe
8	1788	WScript.exe
10	1788	WScript.exe
11	1788	WScript.exe
12	1788	WScript.exe
14	1788	WScript.exe
15	1788	WScript.exe
16	1788	WScript.exe
18	1788	WScript.exe
19	1788	WScript.exe
20	1788	WScript.exe
22	1788	WScript.exe
23	1788	WScript.exe
24	1788	WScript.exe
26	1788	WScript.exe
27	1788	WScript.exe
28	1788	WScript.exe
30	1788	WScript.exe
31	1788	WScript.exe
32	1788	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
612	Tempwinlogon.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe"	Tempwinlogon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
612	Tempwinlogon.exe
612	Tempwinlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	612	Tempwinlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
612	Tempwinlogon.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1788	2252	WScript.exe	29
PID 2252 wrote to memory of 1788	2252	WScript.exe	29
PID 2252 wrote to memory of 1788	2252	WScript.exe	29
PID 1788 wrote to memory of 1080	1788	WScript.exe	32
PID 1788 wrote to memory of 1080	1788	WScript.exe	32
PID 1788 wrote to memory of 1080	1788	WScript.exe	32
PID 1080 wrote to memory of 612	1080	WScript.exe	34
PID 1080 wrote to memory of 612	1080	WScript.exe	34
PID 1080 wrote to memory of 612	1080	WScript.exe	34
PID 1080 wrote to memory of 612	1080	WScript.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Local\Tempwinlogon.exe
      "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\json[1].json

Filesize
323B

MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs

Filesize
3.6MB

MD5
84bb1d74c4a7557002d7367e92f40ad6

SHA1
ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17

SHA256
426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a

SHA512
88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

Download Submit
C:\Users\Admin\AppData\Local\Temp\origin.vbs

Filesize
331KB

MD5
d593230ad945cc8c2db3237ff31624d4

SHA1
a89e668a3026c2158b40489ddc8f211092472e1b

SHA256
fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88

SHA512
938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
165KB

MD5
d78e00882aa872bb8daaa715d7014413

SHA1
cb242a2e1d65263d733b45d0cda17ce50cb4e376

SHA256
58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

SHA512
613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs

Filesize
3.6MB

MD5
84bb1d74c4a7557002d7367e92f40ad6

SHA1
ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17

SHA256
426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a

SHA512
88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

Download Submit
memory/612-72-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

Filesize
192KB

Download
memory/612-73-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/612-74-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/612-79-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/612-80-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads