Overview

overview

10

Static

static

1

010729194c...d1.vbs

windows7-x64

10

010729194c...d1.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs

  • Size

    3.2MB

  • MD5

    3a3f7a4a8b7ea91bd05523cb83456441

  • SHA1

    20bbbe54a25cced1f74f34521918effd6aa5877d

  • SHA256

    010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1

  • SHA512

    c86b406a756a9f5ad7f1368e741687af94e12ee258fc42c99c9f14d6118ded6976a09e7d7fa1840d17c72d827a900760bf69dceb774798db1a3e86fa293ba0ed

  • SSDEEP

    6144:0BRlhwEEM38fLACxm31KtNnzZnZjIylZLImb:0zYuIN/flHb

Score
10/10
agentteslawshratexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bizr usjt guapiims

Extracted

Family

agenttesla

Credentials

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Blocklisted process makes network request 25 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs"
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\icon-smile-kl.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Users\Admin\AppData\Local\Temp\Gcp.exe
        "C:\Users\Admin\AppData\Local\Temp\Gcp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2668
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM kl-plugin.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
    • C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe
      "C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe" chongmei33.publicvm.com 7045 "WSHRAT|489D4AE3|JAFTUVRJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 6/13/2024|Visual Basic-v2.0|GB:United Kingdom" 1
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FY3LN490\json[1].json
    Filesize

    297B

    MD5

    be2ba1a8c142b5fa2178396ac67cb7d8

    SHA1

    b7c3d209d9c95d4b67d7ffb3c777d07f398260a5

    SHA256

    1191fa5928ed7ebf51830c0e601a327fb6480e4f35d9f96962c828b5b45ea260

    SHA512

    cca824422ebcc194e96c6af6c66160409b6c4f9e30af387921ad55712fc4316866e7ac3b2806427f7e06e43e99ef56e612738261f8d38fb58ef2758dc13c9204

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gcp.exe
    Filesize

    243KB

    MD5

    d868c9dfdd377a1128f484a33c9d427d

    SHA1

    3cd816d84a5a06a669eb5cde82aa3eca272a6f13

    SHA256

    1f19267129cbabe2e50837f88eb2854c64521bd964f43a58f37365e60d5da5bd

    SHA512

    2702e2df330931d9fd2ed15e54aec37dbd68737cf3db642a8842cab813b9e3be67b7a5356d426772690b0b9e5c384931640d891f51662f870a9d3022eabce52b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\icon-smile-kl.js
    Filesize

    345KB

    MD5

    5ffa2f9b4305ee8ab9676456a5c41ae7

    SHA1

    9e517938920844699eddd8043df45e075682eef7

    SHA256

    0a75da170bd6e1cd271f48974d98345fb60b00ac3327b5e9d8fa8394c83800db

    SHA512

    06ed498e22a982b135c4c380cd01d296d2f05b106b5c75be4cccdaf41575750622eb7c8d5448dc935ebc6b5d525e803b9f4a3b132d503b6eccf4c28e42cad28d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe
    Filesize

    25KB

    MD5

    7099a939fa30d939ccceb2f0597b19ed

    SHA1

    37b644ef5722709cd9024a372db4590916381976

    SHA256

    272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

    SHA512

    6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs
    Filesize

    3.2MB

    MD5

    3a3f7a4a8b7ea91bd05523cb83456441

    SHA1

    20bbbe54a25cced1f74f34521918effd6aa5877d

    SHA256

    010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1

    SHA512

    c86b406a756a9f5ad7f1368e741687af94e12ee258fc42c99c9f14d6118ded6976a09e7d7fa1840d17c72d827a900760bf69dceb774798db1a3e86fa293ba0ed

    Download Submit

  • memory/2668-12-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-13-0x0000000000340000-0x0000000000384000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2668-15-0x0000000074A20000-0x000000007510E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2668-31-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-32-0x0000000074A20000-0x000000007510E000-memory.dmp

    Filesize

    6.9MB

    Download