Malware Analysis Report

2024-10-19 09:24

Sample ID 230810-qnslsada67
Target ORDER-2308084AF.pdf.vbs
SHA256 71b3ff5d24faad6bb5347e40ab19266a7811527a0ef7fa76a5d8d24ba9beca8d
Tags
agenttesla wshrat keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71b3ff5d24faad6bb5347e40ab19266a7811527a0ef7fa76a5d8d24ba9beca8d

Threat Level: Known bad

The file ORDER-2308084AF.pdf.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla wshrat keylogger persistence spyware stealer trojan

AgentTesla

WSHRAT

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 13:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 13:24

Reported

2023-08-10 13:27

Platform

win7-20230712-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
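The three Run-key values above, the Startup-folder drop listed under "Drops startup file" and the lure filename ORDER-2308084AF.pdf.vbs share a small set of patterns that an analyst can check mechanically rather than by eye. The Python below is an added example written for this page; it is not part of the sandbox report and not code from the malware. It parses indicator lines in the exact layout the report prints (including the escaped backslashes and quotes inside registry values) and applies those checks. The rule names, the lists of script hosts, decoy extensions, "user-writable" path markers and borrowed component names are this example's own assumptions; the report itself only lists the raw indicators.

```python
"""Triage checks for the persistence indicators in the report above.

Added example, not part of the sandbox report or of the malware. The helpers
take Run-key lines, Startup-folder drop paths and the lure filename exactly as
the report prints them and flag what an analyst pivots on: a script host run
with //B (batch mode, no error dialogs) from a user-writable directory, a binary
named after a Windows component but living outside C:\\Windows, and a
double-extension lure such as .pdf.vbs. All keyword lists are assumptions.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd") + SCRIPT_EXTS
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Names borrowed from Windows components ("Windows Update", "Tempwinlogon.exe"
# above); the genuine binaries live under C:\Windows.
COMPONENT_NAMES = ("windows update", "winlogon", "svchost", "csrss", "explorer")

# Report layout: Set value (str) <key>\<name> = "<value>" <process> <target>
RUN_LINE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\]+?) = '
    r'"(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$')


def parse_run_line(line: str):
    """Return (key, name, command) for a Run-key line, or None for other lines."""
    m = RUN_LINE.match(line.strip())
    if not m or "\\currentversion\\run" not in m["key"].lower():
        return None
    # The report escapes backslashes and embedded quotes inside the value.
    command = m["value"].replace('\\"', '"').replace("\\\\", "\\")
    return m["key"], m["name"], command


def split_command(cmd: str):
    """Split program from arguments the way CreateProcess resolves an unquoted
    path with spaces: the program is the shortest space-delimited prefix ending
    in an executable extension, so "...\\Windows Update.exe" stays whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(EXEC_EXTS):
            return candidate, " ".join(parts[i:]).strip()
    return parts[0], " ".join(parts[1:]).strip()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def masquerades(name: str, program: str) -> bool:
    """Component-like value name or filename for a binary outside C:\\Windows."""
    stem = program.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    borrowed = any(c in stem or c == name.lower() for c in COMPONENT_NAMES)
    return borrowed and "\\windows\\" not in program.lower()


def check_autorun(name: str, cmd: str) -> list:
    """Rules fired by one autorun entry (Run value name and its command)."""
    program, args = split_command(cmd)
    hits = []
    if program.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        hits.append("script-host-autorun")
        if "//b" in args.lower().split() or "/b" in args.lower().split():
            hits.append("silent-script-host")
        tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', args)]
        if any(t.lower().endswith(SCRIPT_EXTS) and in_user_writable(t) for t in tokens):
            hits.append("script-in-user-writable-path")
    elif in_user_writable(program):
        hits.append("exe-in-user-writable-path")
    if masquerades(name, program):
        hits.append("masquerades-as-windows-component")
    return hits


def check_dropped_file(path: str) -> list:
    """Rules for a file-write indicator (see "Drops startup file" above)."""
    low = path.lower()
    hits = []
    if "\\start menu\\programs\\startup\\" in low and low.endswith(EXEC_EXTS + (".lnk",)):
        hits.append("startup-folder-drop")
    if in_user_writable(low) and masquerades("", path):
        hits.append("masquerades-as-windows-component")
    return hits


def check_lure_name(filename: str) -> list:
    """Flag <name>.<document ext>.<executable ext>, e.g. ORDER-....pdf.vbs."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and "." + parts[2] in EXEC_EXTS and "." + parts[1] in DECOY_EXTS:
        return ["double-extension-lure"]
    return []


if __name__ == "__main__":
    # Indicator lines copied from the behavioral1 section above.
    report_lines = [
        r'Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\"" C:\Windows\System32\WScript.exe N/A',
        r'Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A',
    ]
    for line in report_lines:
        _key, name, cmd = parse_run_line(line)
        print(f"Run\\{name}: {check_autorun(name, cmd)}")
    print(check_dropped_file(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs"))
    print(check_lure_name("ORDER-2308084AF.pdf.vbs"))
```

Note the CreateProcess-style split in split_command: the "Windows Update" value is an unquoted path containing spaces, so a naive split on whitespace would report the program as "C:\Users\Admin\AppData\Local\Temp\Windows" and miss both the masquerade and the %TEMP% location. The same helpers can be pointed at live hosts by feeding them the output of a Run-key enumeration instead of report lines.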

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedirve.info udp
US 162.254.39.140:80 onedirve.info tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp (18 identical connections)

Files

C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs

MD5 84bb1d74c4a7557002d7367e92f40ad6
SHA1 ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17
SHA256 426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a
SHA512 88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs

MD5 84bb1d74c4a7557002d7367e92f40ad6
SHA1 ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17
SHA256 426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a
SHA512 88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

C:\Users\Admin\AppData\Local\Temp\origin.vbs

MD5 d593230ad945cc8c2db3237ff31624d4
SHA1 a89e668a3026c2158b40489ddc8f211092472e1b
SHA256 fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

memory/612-72-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

memory/612-73-0x00000000742B0000-0x000000007499E000-memory.dmp

memory/612-74-0x0000000004D20000-0x0000000004D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

memory/612-79-0x00000000742B0000-0x000000007499E000-memory.dmp

memory/612-80-0x0000000004D20000-0x0000000004D60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\json[1].json

MD5 149c2823b7eadbfb0a82388a2ab9494f
SHA1 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c
SHA256 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869
SHA512 f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 13:24

Reported

2023-08-10 13:27

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLESZE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLESZE.vbs\"" C:\Windows\System32\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-2308084AF.pdf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedirve.info udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 162.254.39.140:80 onedirve.info tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 140.39.254.162.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 15.144.47.103.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp (17 identical connections)
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp (2 identical connections)
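Both Network tables (behavioral1 and behavioral2) list the same three destinations: a one-off HTTP fetch from onedirve.info, the ip-api.com request the report flags under "Looks up external IP address via web service", and a long run of TCP connections to 103.47.144.15:7045 under the dynamic-DNS name chongmei33.publicvm.com, padded in the second run with the sandbox's own reverse-DNS lookups. The Python below is an added example written for this page, not part of the report: it parses rows in the "Country Destination Domain Proto" layout printed above, discards *.in-addr.arpa noise, merges repeated connections per host and port, and labels each endpoint. The dynamic-DNS suffixes, IP-lookup hosts, brand list and the two-edit lookalike threshold are this example's assumptions; the report does not itself characterize the domains, and the embedded sample rows are copied from the behavioral2 table with the beacon rows cut to four.

```python
"""Aggregate the Network rows above into a compact IOC summary.

Added example, not part of the sandbox report. Rows are read in the report's
"Country Destination Domain Proto" layout; the sandbox's own reverse lookups
(*.in-addr.arpa) are dropped, repeated beacons to one host:port are merged, and
each endpoint is labelled. The DDNS suffixes, IP-lookup hosts, brand list and
edit-distance threshold below are assumptions, not facts from the report.
"""
from collections import Counter

DDNS_SUFFIXES = ("publicvm.com", "duckdns.org", "ddns.net", "no-ip.org", "hopto.org")
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
BRANDS = ("onedrive", "microsoft", "google", "dropbox", "paypal", "apple")
WEB_PORTS = {80, 443}

# Rows copied from the behavioral2 Network table above (beacon rows cut to four).
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 onedirve.info udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 162.254.39.140:80 onedirve.info tcp
US 8.8.8.8:53 140.39.254.162.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 15.144.47.103.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
"""


def parse_rows(text: str) -> list:
    """Parse 'CC ip:port domain proto' rows; skip the header and reverse lookups."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        if domain.lower().endswith(".in-addr.arpa"):
            continue  # sandbox reverse-resolving IPs it saw, not malware traffic
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, classic row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str):
    """Brand the domain's first label imitates (within two edits), else None."""
    label = domain.lower().split(".")[0]  # "onedirve" for onedirve.info
    for brand in BRANDS:
        if label != brand and edit_distance(label, brand) <= 2:
            return brand
    return None


def summarize(rows: list) -> dict:
    """Resolvers used, plus one entry per (domain, ip, port) with a beacon count."""
    conns = Counter()
    resolvers = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolvers.add(r["ip"])  # DNS query; the resolved address is in the TCP rows
            continue
        conns[(r["domain"], r["ip"], r["port"])] += 1
    endpoints = []
    for (domain, ip, port), count in conns.items():
        labels = []
        if domain.endswith(DDNS_SUFFIXES):
            labels.append("dynamic-dns")
        if port not in WEB_PORTS:
            labels.append(f"non-standard-port:{port}")
        if domain in IP_LOOKUP_HOSTS:
            labels.append("external-ip-lookup")
        brand = lookalike_brand(domain)
        if brand:
            labels.append(f"lookalike:{brand}")
        endpoints.append({"domain": domain, "ip": ip, "port": port,
                          "connections": count, "labels": labels})
    endpoints.sort(key=lambda e: -e["connections"])  # stable: ties keep report order
    return {"resolvers": sorted(resolvers), "endpoints": endpoints}


if __name__ == "__main__":
    for ep in summarize(parse_rows(SAMPLE))["endpoints"]:
        print(f'{ep["domain"]:26} {ep["ip"]}:{ep["port"]:<5} x{ep["connections"]:<3} {", ".join(ep["labels"])}')
```

Run against the full tables above, the beacon count for 103.47.144.15:7045 becomes 18 (behavioral1) and 20 (behavioral2); the other two endpoints stay at one connection each, which is the shape an analyst expects from a stager fetch and an external-IP check followed by a persistent C2 session.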

Files

C:\Users\Admin\AppData\Local\Temp\ZLESZE.vbs

MD5 84bb1d74c4a7557002d7367e92f40ad6
SHA1 ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17
SHA256 426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a
SHA512 88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLESZE.vbs

MD5 84bb1d74c4a7557002d7367e92f40ad6
SHA1 ea97be0ec5c3eedffd1d3e04f14a2578e90d4d17
SHA256 426df0578b775cbbf981acc12de59161bc2f19786138a784dc6b8e0b460c1c1a
SHA512 88937e1d9c5507288a6f86c0fc0c4f57ea6c18111c21b68b61bbf39b82a69d4c3a23e7efdda02a60918b7ecb8a958f7e1a31932c882fe841edd77711e1e12096

C:\Users\Admin\AppData\Local\Temp\origin.vbs

MD5 d593230ad945cc8c2db3237ff31624d4
SHA1 a89e668a3026c2158b40489ddc8f211092472e1b
SHA256 fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d78e00882aa872bb8daaa715d7014413
SHA1 cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6

memory/3856-156-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/3856-157-0x0000000000360000-0x0000000000390000-memory.dmp

memory/3856-158-0x00000000053C0000-0x0000000005964000-memory.dmp

memory/3856-159-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/3856-160-0x0000000004D50000-0x0000000004DB6000-memory.dmp

memory/3856-165-0x0000000005C70000-0x0000000005CC0000-memory.dmp

memory/3856-166-0x0000000005E90000-0x0000000006052000-memory.dmp

memory/3856-167-0x0000000005D60000-0x0000000005DF2000-memory.dmp

memory/3856-168-0x0000000005E10000-0x0000000005E1A000-memory.dmp

memory/3856-169-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/3856-172-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3