agenttesla | 8c7efed8c12db6a810810197cbad0da9e66457a01bf04edebe871f6406425803

Analysis

max time kernel
282s
max time network
292s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
23/11/2023, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_4517053111.zip
Size

5.8MB
MD5

fc54dae351501f1bae4b44a538fc785d
SHA1

60c766aa647a01adc67337acb932246b2aad567b
SHA256

8c7efed8c12db6a810810197cbad0da9e66457a01bf04edebe871f6406425803
SHA512

c22eb6cef1638449043c38b31b38f23b89aa516a54e5468fcbb4a90c8495aa77a967b615cc9df1bef10dfc80c31f9f85b035aa54f2a1c0c3ca3218bb6d462871
SSDEEP

98304:DiJRkYMienogByD2GlkhNV2VvQuK9at5g6CinwBnXSmVNBAKOHE5wq0L8O:ARkYMHpk2GlkNVgQAfdCiwRiOP9nU7

Score

10^/10

agenttesla vjw0rm keylogger spyware stealer trojan worm

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6811423600:AAG2aeIaNsb7KhtKp1Js71i-PwGY1zN7uIg/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 64 IoCs

flow	pid	Process
6	3948	wscript.exe
7	1616	wscript.exe
11	3948	wscript.exe
12	1616	wscript.exe
13	3948	wscript.exe
14	1616	wscript.exe
15	3948	wscript.exe
16	1616	wscript.exe
17	3948	wscript.exe
20	1616	wscript.exe
22	3948	wscript.exe
23	3948	wscript.exe
24	1616	wscript.exe
25	3948	wscript.exe
26	1616	wscript.exe
27	3948	wscript.exe
28	1616	wscript.exe
29	3948	wscript.exe
30	1616	wscript.exe
31	2112	wscript.exe
32	3948	wscript.exe
33	1616	wscript.exe
34	2112	wscript.exe
35	3948	wscript.exe
36	1616	wscript.exe
39	2112	wscript.exe
42	3948	wscript.exe
44	1616	wscript.exe
45	2112	wscript.exe
46	3948	wscript.exe
47	1616	wscript.exe
48	2112	wscript.exe
49	3948	wscript.exe
50	1616	wscript.exe
51	2112	wscript.exe
52	3948	wscript.exe
53	1616	wscript.exe
54	2112	wscript.exe
55	3948	wscript.exe
56	1616	wscript.exe
57	2112	wscript.exe
58	3948	wscript.exe
59	1616	wscript.exe
60	2112	wscript.exe
61	3948	wscript.exe
62	1616	wscript.exe
63	2112	wscript.exe
64	3948	wscript.exe
65	1616	wscript.exe
66	2112	wscript.exe
67	3948	wscript.exe
68	1616	wscript.exe
69	2112	wscript.exe
70	3948	wscript.exe
71	1616	wscript.exe
72	2112	wscript.exe
73	3948	wscript.exe
74	1616	wscript.exe
75	2112	wscript.exe
76	3948	wscript.exe
77	1616	wscript.exe
78	2112	wscript.exe
79	3948	wscript.exe
80	1616	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrEptoEwgL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrEptoEwgL.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrEptoEwgL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrEptoEwgL.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2232	aaad.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	aaad.exe
2232	aaad.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	aaad.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3948	4152	WScript.exe	77
PID 4152 wrote to memory of 3948	4152	WScript.exe	77
PID 4152 wrote to memory of 2232	4152	WScript.exe	78
PID 4152 wrote to memory of 2232	4152	WScript.exe	78
PID 4152 wrote to memory of 2232	4152	WScript.exe	78
PID 4404 wrote to memory of 1616	4404	WScript.exe	80
PID 4404 wrote to memory of 1616	4404	WScript.exe	80
PID 4600 wrote to memory of 2112	4600	WScript.exe	82
PID 4600 wrote to memory of 2112	4600	WScript.exe	82

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\IMG_4517053111.zip
1⤵
PID:4752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\IMG_4517053111.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\aaad.exe
  "C:\Users\Admin\AppData\Local\Temp\aaad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\IMG_4517053111.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\IMG_4517053111.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaad.exe

Filesize
234KB

MD5
6c6cee666da17c0043661cf2a0c56d6a

SHA1
9ca21a88e917d235b4fd923bc0bc8208af8c30ec

SHA256
25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc

SHA512
8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaad.exe

Filesize
234KB

MD5
6c6cee666da17c0043661cf2a0c56d6a

SHA1
9ca21a88e917d235b4fd923bc0bc8208af8c30ec

SHA256
25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc

SHA512
8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrEptoEwgL.js

Filesize
346KB

MD5
25c958cb7cc6fb32bdd9b3231ca96810

SHA1
014d9ed9586573cba40219996284a260d692f646

SHA256
5aa996194869704ddfb481c705bb5e80f0ab9a71568da650e4f9c3e270bf3d37

SHA512
966a48d38c3d035421fb7a74bc47779dc02b1e379007ed8cce53b10e718feaadddc636fbab94b8acc8ca97b7ac62b2cb717ee27ebd47c003b9c4e258ea307115

Download Submit
C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js

Filesize
346KB

MD5
25c958cb7cc6fb32bdd9b3231ca96810

SHA1
014d9ed9586573cba40219996284a260d692f646

SHA256
5aa996194869704ddfb481c705bb5e80f0ab9a71568da650e4f9c3e270bf3d37

SHA512
966a48d38c3d035421fb7a74bc47779dc02b1e379007ed8cce53b10e718feaadddc636fbab94b8acc8ca97b7ac62b2cb717ee27ebd47c003b9c4e258ea307115

Download Submit
C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js

Filesize
346KB

MD5
25c958cb7cc6fb32bdd9b3231ca96810

SHA1
014d9ed9586573cba40219996284a260d692f646

SHA256
5aa996194869704ddfb481c705bb5e80f0ab9a71568da650e4f9c3e270bf3d37

SHA512
966a48d38c3d035421fb7a74bc47779dc02b1e379007ed8cce53b10e718feaadddc636fbab94b8acc8ca97b7ac62b2cb717ee27ebd47c003b9c4e258ea307115

Download Submit
C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js

Filesize
346KB

MD5
25c958cb7cc6fb32bdd9b3231ca96810

SHA1
014d9ed9586573cba40219996284a260d692f646

SHA256
5aa996194869704ddfb481c705bb5e80f0ab9a71568da650e4f9c3e270bf3d37

SHA512
966a48d38c3d035421fb7a74bc47779dc02b1e379007ed8cce53b10e718feaadddc636fbab94b8acc8ca97b7ac62b2cb717ee27ebd47c003b9c4e258ea307115

Download Submit
C:\Users\Admin\AppData\Roaming\OrEptoEwgL.js

Filesize
346KB

MD5
25c958cb7cc6fb32bdd9b3231ca96810

SHA1
014d9ed9586573cba40219996284a260d692f646

SHA256
5aa996194869704ddfb481c705bb5e80f0ab9a71568da650e4f9c3e270bf3d37

SHA512
966a48d38c3d035421fb7a74bc47779dc02b1e379007ed8cce53b10e718feaadddc636fbab94b8acc8ca97b7ac62b2cb717ee27ebd47c003b9c4e258ea307115

Download Submit
memory/2232-13-0x0000000006630000-0x0000000006680000-memory.dmp

Filesize
320KB

Download
memory/2232-14-0x0000000006720000-0x00000000067BC000-memory.dmp

Filesize
624KB

Download
memory/2232-12-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/2232-11-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2232-19-0x0000000006FD0000-0x0000000007062000-memory.dmp

Filesize
584KB

Download
memory/2232-20-0x0000000006FB0000-0x0000000006FBA000-memory.dmp

Filesize
40KB

Download
memory/2232-21-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-22-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2232-10-0x0000000005CC0000-0x00000000061BE000-memory.dmp

Filesize
5.0MB

Download
memory/2232-9-0x0000000000F40000-0x0000000000F80000-memory.dmp

Filesize
256KB

Download
memory/2232-8-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download