Overview

overview

10

Static

static

1

0969686.vbe

windows7-x64

8

0969686.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    276s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0969686.vbe

  • Size

    11KB

  • MD5

    4565da69d82d3d17f33436b132261de7

  • SHA1

    5e124ae25d9ec64cc681546299e0fa2d4f4b50d4

  • SHA256

    e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb

  • SHA512

    7390abe671d2ad1a430bfb69888cdcb7f6e9284cc9432338a5b1eddeb0624987b92a56009e50c283c46894256ca1ab43640cac3ecbf09bd4b69867cccb6f4329

  • SSDEEP

    192:YeHNd/sigyX/tr7b7RMAv0Evwfk5Pv4fX//CxHQ6V62nN4je5K:zHMiTFPXHvwfk5PvQiHQ6EGijT

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0969686.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2100
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "228" "2736" "1996" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:912
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4316" "2684" "2616" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3904
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StartPing.bat" "
    1⤵
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    9461a7cfb20ff5381df28f51b80c5ef1

    SHA1

    c86c53fca1dcbe307dafbefbb366abf52c9f5eca

    SHA256

    d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

    SHA512

    da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_an1j13mh.0gc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    217B

    MD5

    2ede1065a2e3a4a7cc110d00bf346361

    SHA1

    3d51959a8c45e4b27b2b879db2b208b99e80fadb

    SHA256

    79800d4897e89892650d6d3185c883e7699b02d7c1d3033f00c3bef1fae0b6ee

    SHA512

    e144ce1adebccf43d5f7e0efe7dec3f7717a2c3f4f764149b972586b74dfdf501415352953490c86fdc4ad41a440fe3c31f484d0e49436c38af99fc584db411a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    ab3d0f263a68b26d5e71d0e9ead44017

    SHA1

    9c16e513a6047b95661d5d4f01d99dc0f2f1cb49

    SHA256

    8cc3c000c52fb2198f9b50a81c578b8d8167afe9cc15b34d36e52d397722b201

    SHA512

    be1ca1252ed7830fb40a5519b1ea10a704bf77adc6ed4ec42da4830ef97808ecc54e18400fab659dd3b8fc107868d0c0793d54bb7f5e1fe57d86749a7ce5ac18

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    a7892771ca63efee1a4c00e9269c357c

    SHA1

    b83ace0db06368b2615f09b56429fc76359a52d6

    SHA256

    0dc392cb06e8f50ef9f4475280ed295bae711d95d070f6ea09ffce511ce6a9c5

    SHA512

    fc203129b9991f95b1d8e9dee4a77d9ac00459dc73654e24a6a984cc06d14022686c525b0d04a1deef91775b87a025eaa8b32cd1274c9280e30c0066be21bd3a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs
    Filesize

    2KB

    MD5

    477e3b6cbf610f72373118d4ca9cdbb2

    SHA1

    ca88c1b80fa6248644497449c294f92b5a32b300

    SHA256

    9d75154b064fc63a3de686569088ef8c7ac31f2826dc4557d5e7074535bbdf3c

    SHA512

    ad3d81784cb1199839e66c7b88ac1da0c14a7f8a6f3f9a7bbb496fc953f02253733e5f7370efe5c08d9c5f4a9f037d84d814e958ea8715732d9e3df14b94b119

    Download Submit

  • memory/228-36-0x000001D035CA0000-0x000001D035CAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/228-14-0x000001D038090000-0x000001D0380D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/228-35-0x000001D035C90000-0x000001D035C98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/228-15-0x000001D0380E0000-0x000001D038156000-memory.dmp

    Filesize

    472KB

    Download

  • memory/228-13-0x000001D035C20000-0x000001D035C42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3440-37-0x0000000000E00000-0x0000000000E40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3440-55-0x0000000005A50000-0x0000000005FF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3440-56-0x00000000054A0000-0x0000000005506000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3440-57-0x0000000006870000-0x00000000068C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3440-58-0x0000000006960000-0x00000000069F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3440-59-0x00000000068E0000-0x00000000068EA000-memory.dmp

    Filesize

    40KB

    Download