Overview

overview

10

Static

static

1

Payment_Copy.docx.vbs

windows7-x64

8

Payment_Copy.docx.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2023 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_Copy.docx.vbs

  • Size

    8KB

  • MD5

    dc81bc3a9413ca5f8b6a0ad6bef2f271

  • SHA1

    d815331071d10edaf3e17aca21138de366a33c2a

  • SHA256

    c6ffe2653e2a4c3b4aaabae7700ab09a83591e2a2df884ad7beede92dda4080b

  • SHA512

    734567a4fbac86783699f8de0056f289e43cd8ef7114bb6443f05a2603abfda16fdcdc12b4d6c18cd4de7d993aae5ae20d9917337e9b2202b9315b170ae6b507

  • SSDEEP

    192:florgiorNohgUcigdOhgyC+lseKlwUGUiHijHifHiDLHiDAut:dQ+ygAgSgXBhHGaDOMA

Score
10/10
agentteslawshratkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.martur.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    (57reRWWw5dj

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.martur.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    (57reRWWw5dj

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 2 IoCs
  • Blocklisted process makes network request 28 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Script User-Agent 24 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment_Copy.docx.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QZEEQJ.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Output.js"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Users\Admin\AppData\Local\Temp\vOb.exe
          "C:\Users\Admin\AppData\Local\Temp\vOb.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:440
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
            "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\Admin\AppData\Local\Temp\vOb.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2644
          • C:\Users\Admin\AppData\Local\Temp\vOb.exe
            "C:\Users\Admin\AppData\Local\Temp\vOb.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vOb.exe.log
    Filesize

    706B

    MD5

    2ef5ef69dadb8865b3d5b58c956077b8

    SHA1

    af2d869bac00685c745652bbd8b3fe82829a8998

    SHA256

    363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

    SHA512

    66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Output.js
    Filesize

    484KB

    MD5

    183b67bb3bced4ef59e57cfbfff3d08e

    SHA1

    f79fe87e3c5f331895db528dd7beef8b5477187a

    SHA256

    33170390bddb29dc3b25b4301982f88451c1cdff4415f98050a470c7f6d31f32

    SHA512

    21f2c5d01f493dc1d5f7c84c387b5cea5270f635ab154946a208977e8c9cc95b837d82230b74b307d0e20cabfabbf8a578b9b9be9260790d886426e358e0dabc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QZEEQJ.js
    Filesize

    764KB

    MD5

    8d38022aafef200f061a873cad79fe61

    SHA1

    536fb4fe64ce9695322eaca56ad895457acdfde8

    SHA256

    15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961

    SHA512

    e65acf7151e032df49a4f2bcd29dbcac0a3b1c2eb63f240bf556d603869ca5a73a61ba23aba924efb8fb764f212cceb9705c3ff8cdb635651ba9e10d2bb94060

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_230xe3ai.0un.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vOb.exe
    Filesize

    346KB

    MD5

    84c9943b3b720f2090e42202d733ff5b

    SHA1

    da75a570bdceaa6eeb9beb3cf1a2a2a334265349

    SHA256

    1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

    SHA512

    aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vOb.exe
    Filesize

    346KB

    MD5

    84c9943b3b720f2090e42202d733ff5b

    SHA1

    da75a570bdceaa6eeb9beb3cf1a2a2a334265349

    SHA256

    1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

    SHA512

    aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vOb.exe
    Filesize

    346KB

    MD5

    84c9943b3b720f2090e42202d733ff5b

    SHA1

    da75a570bdceaa6eeb9beb3cf1a2a2a334265349

    SHA256

    1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

    SHA512

    aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vOb.exe
    Filesize

    346KB

    MD5

    84c9943b3b720f2090e42202d733ff5b

    SHA1

    da75a570bdceaa6eeb9beb3cf1a2a2a334265349

    SHA256

    1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

    SHA512

    aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QZEEQJ.js
    Filesize

    764KB

    MD5

    8d38022aafef200f061a873cad79fe61

    SHA1

    536fb4fe64ce9695322eaca56ad895457acdfde8

    SHA256

    15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961

    SHA512

    e65acf7151e032df49a4f2bcd29dbcac0a3b1c2eb63f240bf556d603869ca5a73a61ba23aba924efb8fb764f212cceb9705c3ff8cdb635651ba9e10d2bb94060

    Download Submit

  • memory/440-35-0x0000000005290000-0x000000000532C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/440-30-0x0000000000620000-0x000000000067C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/440-34-0x0000000005060000-0x0000000005070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/440-32-0x0000000005620000-0x0000000005BC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/440-31-0x0000000002A80000-0x0000000002AD4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/440-33-0x0000000005150000-0x00000000051E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/440-29-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-55-0x00000000050D0000-0x00000000050DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/440-54-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-62-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1564-99-0x0000000006260000-0x000000000626A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1564-64-0x0000000000620000-0x0000000000662000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1564-63-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1564-65-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1564-87-0x0000000005950000-0x00000000059A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1564-97-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1564-98-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-36-0x0000000004BF0000-0x0000000004C26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2644-84-0x0000000007580000-0x000000000758A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2644-61-0x0000000006280000-0x00000000062CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2644-53-0x0000000005BD0000-0x0000000005F24000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2644-43-0x0000000005B60000-0x0000000005BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2644-42-0x0000000005AF0000-0x0000000005B56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2644-41-0x00000000050E0000-0x0000000005102000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2644-67-0x000000007F950000-0x000000007F960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-68-0x0000000007150000-0x0000000007182000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2644-69-0x0000000070520000-0x000000007056C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2644-80-0x0000000006760000-0x000000000677E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2644-72-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-81-0x00000000071A0000-0x0000000007243000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2644-82-0x0000000007B50000-0x00000000081CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2644-83-0x0000000007500000-0x000000000751A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2644-59-0x00000000061D0000-0x00000000061EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2644-85-0x0000000007780000-0x0000000007816000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2644-86-0x0000000007700000-0x0000000007711000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2644-40-0x00000000052D0000-0x00000000058F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2644-88-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2644-89-0x0000000007730000-0x000000000773E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2644-90-0x0000000007740000-0x0000000007754000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2644-91-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-92-0x0000000007840000-0x000000000785A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2644-93-0x0000000007820000-0x0000000007828000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2644-96-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2644-39-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-38-0x0000000004C90000-0x0000000004CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-37-0x00000000747A0000-0x0000000074F50000-memory.dmp

    Filesize

    7.7MB

    Download