agenttesla | a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5

General

Target

ORDER-290424-007994PT.vbs
Size

162KB
MD5

4c75fc967ca796d4f8da4128b7bebf70
SHA1

8211cb066cda8aa6cfd62d39b6ccd45254d68916
SHA256

a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5
SHA512

5d440d6b5ced3b364c2a1cd7380cdc89d2d5d8220bcb504ab1f2f1b66e0a0c42dfac02a22f3ba041b4a6faf58d5810817759943b49566b0e362d200dd9cb55c1
SSDEEP

3072:tvHpcPqzeEihOHbeM8fTSrnSRFHJnB/nRT/PRoFPAeRoFeO3RMpY:t6PqzeEiheeM8fTSrnSRFHxBvRjRoFPa

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
vknk bnwz oyuc ljbp

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
vknk bnwz oyuc ljbp
Email To:
[email protected]

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012120-35.dat	family_wshrat

Blocklisted process makes network request 26 IoCs

flow	pid	Process
4	2640	WScript.exe
7	2932	WScript.exe
10	2640	WScript.exe
12	2932	WScript.exe
16	2932	WScript.exe
17	2932	WScript.exe
19	2932	WScript.exe
20	2932	WScript.exe
23	2932	WScript.exe
25	2932	WScript.exe
26	2932	WScript.exe
27	2932	WScript.exe
29	2932	WScript.exe
30	2932	WScript.exe
31	2932	WScript.exe
33	2932	WScript.exe
34	2932	WScript.exe
35	2932	WScript.exe
37	2932	WScript.exe
38	2932	WScript.exe
39	2932	WScript.exe
41	2932	WScript.exe
42	2932	WScript.exe
43	2932	WScript.exe
45	2932	WScript.exe
46	2932	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-290424-007994PT.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-290424-007994PT.vbs	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
108	NHI.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ORDER-290424-007994PT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER-290424-007994PT.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-290424-007994PT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER-290424-007994PT.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
108	NHI.exe
108	NHI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	NHI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
108	NHI.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2640	2932	WScript.exe	28
PID 2932 wrote to memory of 2640	2932	WScript.exe	28
PID 2932 wrote to memory of 2640	2932	WScript.exe	28
PID 2640 wrote to memory of 2520	2640	WScript.exe	30
PID 2640 wrote to memory of 2520	2640	WScript.exe	30
PID 2640 wrote to memory of 2520	2640	WScript.exe	30
PID 2520 wrote to memory of 108	2520	WScript.exe	31
PID 2520 wrote to memory of 108	2520	WScript.exe	31
PID 2520 wrote to memory of 108	2520	WScript.exe	31
PID 2520 wrote to memory of 108	2520	WScript.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-290424-007994PT.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\logger.js"
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NSCSTP.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\NHI.exe
      "C:\Users\Admin\AppData\Local\Temp\NHI.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\json[1].json

Filesize
297B

MD5
bd0c2d8e6b0fe0de4a3869c02ee43a85

SHA1
21d8cca90ea489f88c2953156e6c3dec6945388b

SHA256
3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533

SHA512
496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHI.exe

Filesize
243KB

MD5
8a09a0830887b7231a5fcd2d57fada72

SHA1
4304b5693499efc4350ecfb140463e60b397aa18

SHA256
c032edcd9fd7c1c43a758ceebfd768c4dc7f13edcdde587730184c70e985268e

SHA512
4f1968d474d080254106025af7c2cffade90ebfe07003e4b68856874b40924e3cf2576006183ab66b7dfe5cccca24b05606682b2f7473bf928baa03b50cee2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSCSTP.js

Filesize
346KB

MD5
e9f60911072fc771984463757b0d67f5

SHA1
d7f8f3e99d56c209f6487512e94fcfaf56b7cd96

SHA256
d71ccc573546fc8628bc1a08921912fdd89a70024e0ceb08878ff484266045fb

SHA512
fa581323e51b3e349c05caba537bde4ca75cfc57b89e8b35d0ebc8cb12fcbf97c4ddf9107be5d46e12350866bd4c783c17a2998d024d5c0a7945ce07a2d4fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\logger.js

Filesize
8KB

MD5
ae6f781865c0c33163bbd1bb291c9fff

SHA1
d1c14e216591588c1b5f0d7f62264c0cd7e235a4

SHA256
4b77eac5f82019f3d6bb66fa513a78a65fb0186580e582389f5fcfd337298352

SHA512
42a802f0a425b618a8d80924057d666a5a45683b597d26bd3664c6b3535132e0b51461f49a49275fe952ac1f7051086a0b67627e6c0425a0396f11f6dc4c5810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-290424-007994PT.vbs

Filesize
162KB

MD5
4c75fc967ca796d4f8da4128b7bebf70

SHA1
8211cb066cda8aa6cfd62d39b6ccd45254d68916

SHA256
a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5

SHA512
5d440d6b5ced3b364c2a1cd7380cdc89d2d5d8220bcb504ab1f2f1b66e0a0c42dfac02a22f3ba041b4a6faf58d5810817759943b49566b0e362d200dd9cb55c1

Download Submit
memory/108-30-0x00000000012D0000-0x0000000001314000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads