Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-08-2023 13:24

General

  • Target

    ORDER-2308084AF.pdf.vbs

  • Size

    8KB

  • MD5

    76f898a3ef280f1124872b256f473061

  • SHA1

    9d606f81785f790a8cb9b9ac178bb6da0316fb70

  • SHA256

    71b3ff5d24faad6bb5347e40ab19266a7811527a0ef7fa76a5d8d24ba9beca8d

  • SHA512

    949c60975eb7050a9e1b7a7b8bc21d1289641fbf1e73e021ec7b2f77068f704f7a042a64d5e7834b4fbdf908e3118eb97f1cc66c8d74d064c797c988e47d716b

  • SSDEEP

    48:QMt0Vt6AGSPOVGSEkGSAciDDrScaWXlDDnZPlsVmzndVBVNuf5Vwmy:pysAGiOGKG3rDDrLXlDDnlSsnXrN4ny

Malware Config

  • Extracted

    Family
    agenttesla

    Credentials

  • Extracted

    Family
    wshrat

    C2
    http://chongmei33.publicvm.com:7045

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail clients and FTP clients, which is consistent with the data-file reads listed below.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • Blocklisted process makes network request 22 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
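The two network behaviours the report attributes to this sample are contact with the extracted WSHRAT C2 (http://chongmei33.publicvm.com:7045) and a lookup of the infected host's external IP through a legitimate web service. The following is an added example, not part of the sandbox report: a small detector run over constructed proxy log lines. The log format, the list of IP-lookup hosts and the dynamic-DNS suffix list are assumptions (the report does not name the lookup service it observed); only the C2 host and port come from the report.

```python
"""Flag the network behaviour this report attributes to the sample: contact
with the extracted WSHRAT C2 and an external-IP lookup through a legitimate
web service. Added example; the log format and the IP-lookup / dynamic-DNS
watch-lists are assumptions, not data from the report."""
from urllib.parse import urlsplit

# (host, port) pairs taken from the report's extracted config.
C2_FROM_REPORT = {("chongmei33.publicvm.com", 7045)}
# Assumed watch-lists; the report does not say which lookup service it saw.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "checkip.dyndns.org"}
DYNAMIC_DNS_SUFFIXES = (".publicvm.com", ".duckdns.org", ".no-ip.org")

# Constructed proxy log, one request per line: "<ts> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2023-08-10T13:25:01Z 10.0.0.5 GET http://api.ipify.org/?format=json 200
2023-08-10T13:25:03Z 10.0.0.5 POST http://chongmei33.publicvm.com:7045/ 200
2023-08-10T13:25:09Z 10.0.0.7 GET https://www.microsoft.com/ 200
2023-08-10T13:26:30Z 10.0.0.9 GET http://ipinfo.io/json 200
"""


def host_port(url):
    """Return (hostname, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return (parts.hostname or "").lower(), parts.port or default


def classify(url):
    """Return the list of behaviour tags that apply to one request URL."""
    host, port = host_port(url)
    scheme = urlsplit(url).scheme
    tags = []
    if (host, port) in C2_FROM_REPORT:
        tags.append("known_c2")
    if scheme == "http" and port != 80:
        tags.append("nonstandard_http_port")  # 7045 is not a normal web port
    if host in IP_LOOKUP_HOSTS:
        tags.append("external_ip_lookup")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        tags.append("dynamic_dns")
    return tags


def scan(log_text):
    """Parse the log and return (client, url, tags) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines instead of crashing
        _ts, client, _method, url, _status = fields
        tags = classify(url)
        if tags:
            hits.append((client, url, tags))
    return hits


def correlate(hits):
    """Clients that both looked up their external IP and reached a known C2,
    the combination this report describes for one infected host."""
    seen = {}
    for client, _url, tags in hits:
        seen.setdefault(client, set()).update(tags)
    return {c for c, t in seen.items() if {"external_ip_lookup", "known_c2"} <= t}


if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_LOG):
        print(client, url, ",".join(tags))
    print("IP lookup followed by C2 contact:", correlate(scan(SAMPLE_LOG)))
```

The single-request tags are noisy on their own (many legitimate tools call an IP-lookup API, and dynamic DNS has benign users); the correlation step is what turns them into an alert worth triaging, which is why it is a separate function.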

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
          "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3856

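The process tree above is the whole infection chain: WScript.exe runs a double-extension lure (.pdf.vbs), re-launches itself twice on scripts dropped into %TEMP%, and finally executes a dropped binary from the user profile under a Windows system binary's name. The path of that binary, Tempwinlogon.exe directly under AppData\Local, shows the dropper joined the %TEMP% path to "winlogon.exe" without a separator. Below is an added example, not part of the sandbox report, of detection logic that turns those four observations into rules and runs them over constructed process-creation events. The event schema (pid, ppid, image, cmdline) is an assumption, and the events are reconstructed from the Processes section plus one benign control, not exported from the sandbox.

```python
"""Detection logic for the process chain in the report above: WScript.exe
re-launching itself on dropped .vbs files, then running an executable from the
user profile under a Windows system binary's name. Added example; the event
schema (pid, ppid, image, cmdline) and the sample events are constructed to
mirror the Processes section, not exported from the sandbox."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Names malware borrows from Windows. The report's payload is "Tempwinlogon.exe":
# %TEMP% joined to "winlogon.exe" without a separator, so it sits in AppData\Local.
SYSTEM_NAMES = ("winlogon.exe", "csrss.exe", "lsass.exe", "svchost.exe", "smss.exe")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# A lure extension immediately followed by a script-host extension, e.g. ".pdf.vbs".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(vbs|vbe|jse?|wsf|hta)$", re.I)

# Constructed from the report's process tree, plus explorer.exe as the assumed
# parent of the first WScript.exe and a legitimate winlogon.exe as a control.
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3808, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"'},
    {"pid": 2984, "ppid": 3808, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs"'},
    {"pid": 3980, "ppid": 2984, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"'},
    {"pid": 3856, "ppid": 3980, "image": r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"'},
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\System32\winlogon.exe", "cmdline": "winlogon.exe"},
]


def script_path(cmdline):
    """Return the script argument of a wscript/cscript command line, or None.
    The first quoted token is the host image; the script is the next one."""
    quoted = re.findall(r'"([^"]*)"', cmdline)
    return quoted[1] if len(quoted) > 1 else None


def analyze(events):
    """Run the four rules over process-creation events; return (rule, pid) pairs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"]
        name = ntpath.basename(image).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""
        if name in SCRIPT_HOSTS:
            script = script_path(e["cmdline"])
            if script and DOUBLE_EXT.search(ntpath.basename(script)):
                findings.append(("double_extension_script", e["pid"]))
            # Script host spawned by a script host on a script in a user-writable
            # directory: the ORDER-*.vbs -> ZLESZE.vbs -> origin.vbs hand-off.
            if script and parent_name in SCRIPT_HOSTS and USER_WRITABLE.match(script):
                findings.append(("script_host_spawns_script_host", e["pid"]))
        else:
            if parent_name in SCRIPT_HOSTS and USER_WRITABLE.match(image):
                findings.append(("script_host_launched_dropped_exe", e["pid"]))
            in_system_dir = ntpath.dirname(image).lower() in SYSTEM_DIRS
            # endswith() also catches prefixed names such as "Tempwinlogon.exe".
            if name.endswith(SYSTEM_NAMES) and not in_system_dir:
                findings.append(("system_binary_name_outside_system32", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{pid}\t{rule}")
```

The masquerade rule deliberately matches on a suffix rather than an exact name so that the separator-less Tempwinlogon.exe is caught; the legitimate C:\Windows\System32\winlogon.exe control produces no finding because its directory is on the system list.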
Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\json[1].json

    Filesize

    323B

    MD5

    0c17abb0ed055fecf0c48bb6e46eb4eb

    SHA1

    a692730c8ec7353c31b94a888f359edb54aaa4c8

    SHA256

    f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

    SHA512

    645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

  • C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs

    Filesize

    3.6MB

    MD5

    84bb1d74c4a7557002d7367e92f40ad6

    SHA1

    ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17

    SHA256

    426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a

    SHA512

    88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

  • C:\Users\Admin\AppData\Local\Temp\origin.vbs

    Filesize

    331KB

    MD5

    d593230ad945cc8c2db3237ff31624d4

    SHA1

    a89e668a3026c2158b40489ddc8f211092472e1b

    SHA256

    fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88

    SHA512

    938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe

    Filesize

    165KB

    MD5

    d78e00882aa872bb8daaa715d7014413

    SHA1

    cb242a2e1d65263d733b45d0cda17ce50cb4e376

    SHA256

    58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9

    SHA512

    613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs

    Filesize

    3.6MB

    MD5

    84bb1d74c4a7557002d7367e92f40ad6

    SHA1

    ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17

    SHA256

    426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a

    SHA512

    88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

  • memory/3856-158-0x00000000053C0000-0x0000000005964000-memory.dmp

    Filesize

    5.6MB

  • memory/3856-157-0x0000000000360000-0x0000000000390000-memory.dmp

    Filesize

    192KB

  • memory/3856-159-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

    Filesize

    64KB

  • memory/3856-160-0x0000000004D50000-0x0000000004DB6000-memory.dmp

    Filesize

    408KB

  • memory/3856-165-0x0000000005C70000-0x0000000005CC0000-memory.dmp

    Filesize

    320KB

  • memory/3856-166-0x0000000005E90000-0x0000000006052000-memory.dmp

    Filesize

    1.8MB

  • memory/3856-167-0x0000000005D60000-0x0000000005DF2000-memory.dmp

    Filesize

    584KB

  • memory/3856-168-0x0000000005E10000-0x0000000005E1A000-memory.dmp

    Filesize

    40KB

  • memory/3856-169-0x0000000074AC0000-0x0000000075270000-memory.dmp

    Filesize

    7.7MB

  • memory/3856-172-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

    Filesize

    64KB

  • memory/3856-156-0x0000000074AC0000-0x0000000075270000-memory.dmp

    Filesize

    7.7MB