agenttesla | a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs
Size

162KB
MD5

4c75fc967ca796d4f8da4128b7bebf70
SHA1

8211cb066cda8aa6cfd62d39b6ccd45254d68916
SHA256

a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5
SHA512

5d440d6b5ced3b364c2a1cd7380cdc89d2d5d8220bcb504ab1f2f1b66e0a0c42dfac02a22f3ba041b4a6faf58d5810817759943b49566b0e362d200dd9cb55c1
SSDEEP

3072:tvHpcPqzeEihOHbeM8fTSrnSRFHJnB/nRT/PRoFPAeRoFeO3RMpY:t6PqzeEiheeM8fTSrnSRFHxBvRjRoFPa

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
vknk bnwz oyuc ljbp

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
vknk bnwz oyuc ljbp
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000e000000013420-35.dat	family_wshrat

Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014a9a-28.dat	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014a9a-28.dat	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014a9a-28.dat	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014a9a-28.dat	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014a9a-28.dat	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014a9a-28.dat	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Blocklisted process makes network request 23 IoCs

flow	pid	Process
4	1444	WScript.exe
8	1444	WScript.exe
9	2792	WScript.exe
11	2792	WScript.exe
16	2792	WScript.exe
17	2792	WScript.exe
19	2792	WScript.exe
20	2792	WScript.exe
23	2792	WScript.exe
25	2792	WScript.exe
26	2792	WScript.exe
27	2792	WScript.exe
29	2792	WScript.exe
30	2792	WScript.exe
31	2792	WScript.exe
33	2792	WScript.exe
34	2792	WScript.exe
35	2792	WScript.exe
37	2792	WScript.exe
38	2792	WScript.exe
39	2792	WScript.exe
41	2792	WScript.exe
42	2792	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	NHI.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	NHI.exe
2884	NHI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	NHI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2884	NHI.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1444	2792	WScript.exe	28
PID 2792 wrote to memory of 1444	2792	WScript.exe	28
PID 2792 wrote to memory of 1444	2792	WScript.exe	28
PID 1444 wrote to memory of 2624	1444	WScript.exe	30
PID 1444 wrote to memory of 2624	1444	WScript.exe	30
PID 1444 wrote to memory of 2624	1444	WScript.exe	30
PID 2624 wrote to memory of 2884	2624	WScript.exe	31
PID 2624 wrote to memory of 2884	2624	WScript.exe	31
PID 2624 wrote to memory of 2884	2624	WScript.exe	31
PID 2624 wrote to memory of 2884	2624	WScript.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\logger.js"
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NSCSTP.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\NHI.exe
      "C:\Users\Admin\AppData\Local\Temp\NHI.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\json[1].json

Filesize
297B

MD5
bd0c2d8e6b0fe0de4a3869c02ee43a85

SHA1
21d8cca90ea489f88c2953156e6c3dec6945388b

SHA256
3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533

SHA512
496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHI.exe

Filesize
243KB

MD5
8a09a0830887b7231a5fcd2d57fada72

SHA1
4304b5693499efc4350ecfb140463e60b397aa18

SHA256
c032edcd9fd7c1c43a758ceebfd768c4dc7f13edcdde587730184c70e985268e

SHA512
4f1968d474d080254106025af7c2cffade90ebfe07003e4b68856874b40924e3cf2576006183ab66b7dfe5cccca24b05606682b2f7473bf928baa03b50cee2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSCSTP.js

Filesize
346KB

MD5
e9f60911072fc771984463757b0d67f5

SHA1
d7f8f3e99d56c209f6487512e94fcfaf56b7cd96

SHA256
d71ccc573546fc8628bc1a08921912fdd89a70024e0ceb08878ff484266045fb

SHA512
fa581323e51b3e349c05caba537bde4ca75cfc57b89e8b35d0ebc8cb12fcbf97c4ddf9107be5d46e12350866bd4c783c17a2998d024d5c0a7945ce07a2d4fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\logger.js

Filesize
8KB

MD5
ae6f781865c0c33163bbd1bb291c9fff

SHA1
d1c14e216591588c1b5f0d7f62264c0cd7e235a4

SHA256
4b77eac5f82019f3d6bb66fa513a78a65fb0186580e582389f5fcfd337298352

SHA512
42a802f0a425b618a8d80924057d666a5a45683b597d26bd3664c6b3535132e0b51461f49a49275fe952ac1f7051086a0b67627e6c0425a0396f11f6dc4c5810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs

Filesize
162KB

MD5
4c75fc967ca796d4f8da4128b7bebf70

SHA1
8211cb066cda8aa6cfd62d39b6ccd45254d68916

SHA256
a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5

SHA512
5d440d6b5ced3b364c2a1cd7380cdc89d2d5d8220bcb504ab1f2f1b66e0a0c42dfac02a22f3ba041b4a6faf58d5810817759943b49566b0e362d200dd9cb55c1

Download Submit
memory/2884-30-0x0000000000BE0000-0x0000000000C24000-memory.dmp

Filesize
272KB

Download