Overview

overview

10

Static

static

1

47fb37d285...de.vbs

windows7-x64

8

47fb37d285...de.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de.vbs

  • Size

    17KB

  • MD5

    a7c2edb4d802f4195a1370be0063422b

  • SHA1

    30c32d08e7ca9dd1fe3cede09700947530c53ee2

  • SHA256

    47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de

  • SHA512

    069ba00e62335b61550dca3c37422e054f5fb17cde5d7d8b999c2abcdbd8ea193daab3660afb2cf621ad2db43ea6c85f82cb69fe62dfe3f658d678048df5fafe

  • SSDEEP

    384:bZEeqBbbhht0F0o9BHdJD/UgdSmqSy65TGd:bZEeqhhhtzorHdJD/UgdSmqSy65TGd

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\out.vbe"
      2⤵
      • Blocklisted process makes network request
      PID:2280
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\qSqOPawvHoBdGel.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3944
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2460" "2720" "2660" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4600
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4336" "2676" "2604" "2680" "0" "0" "2684" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1612
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StartDisable.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A5C.tmp.xml
    Filesize

    4KB

    MD5

    2a030e061a63c2f532de7fc9ebc54faa

    SHA1

    9e4701e114434f20a1e39487a605ccce9ac21801

    SHA256

    e75c24b62489c0bcb085b4252fd99ea3e3054d44748f0159a2e9c94d58f00511

    SHA512

    5c7e1ff7be8c6af32c61316a6c2150f4f1f03bd2eca9b841a7aad8a3d83a0d364d1c616e2505930e17374c1bd88732711b71f8a149e007037b6e95e8abe131b3

    Download Submit

  • C:\ProgramData\out.vbe
    Filesize

    8KB

    MD5

    1f728a1a3707688ff942828693fe5087

    SHA1

    b3b101a73eb95afccecd9134d59749af8172c88d

    SHA256

    8a9fe12c582a9899f79fa0a40befd9fd5a29fa41d4143ad6da9725c8a5aa5306

    SHA512

    fea26ab73e9ce1ccfa16a1df052bd049b0a9376fdd63480f596858963dbb900edb1840586c0ebce9b220340be880e12bec229d28c166d5e8bfe9afe6fc288aeb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    9461a7cfb20ff5381df28f51b80c5ef1

    SHA1

    c86c53fca1dcbe307dafbefbb366abf52c9f5eca

    SHA256

    d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

    SHA512

    da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD741D.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mlqssy5.lne.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    390B

    MD5

    d9a0786cdfd62d899818e574b3fc44d0

    SHA1

    66eed8748fbc3c2eb8d535111a7289c336edfc77

    SHA256

    54bc7bf9e4d8150a2315d0ff6033b7e2bfe1d0c8fb3319570a019f64ca586ef4

    SHA512

    39ecb1fc1e0ebaf10513f34d0c8f5965607cc6adda29738b22a42e0edf075db7e00767e451d05d2a1e5dedc4884abe4619180b8c4285fcee6b9acfabd7170f66

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    bd74ca9f0929a3c9d2c80e28875e7922

    SHA1

    203e3e936f238db71210c5bed24d99e54f0b038a

    SHA256

    3f3acb154267ad39cdfa9d8d694369e20e4b4d75bb218db4c8ed456ca25c3ab4

    SHA512

    ad58db3f0c905a8e7ffe69cc2fa642ec42f67583fb068d8493fa3b8c4b3703d90e5fb686b65158614774c51530c1a2a1ca0cda95fb84fb4334348b19c3522530

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    d7b39ccd8bc0559ff16f4e3d97a7e4b0

    SHA1

    9fa1281a48db4dd46d008c196b0c1b18c904c545

    SHA256

    4c9929d5746188afa757490efa3edac2e1e7b284b4a3a90baadefbbf6aa7ac70

    SHA512

    440dcfd2757356800e150f26073cc4b15f1aacc96b1f430e700e8a2511cdab291b68dcc13f3c355cfc5f80f6602983717adbe17b4920bc4504610283c79ffda9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    2KB

    MD5

    d14cab7146d592f80babe33a5cdc258c

    SHA1

    b7bd5c508cc0b2018cdc109b38e5213b84eae6bb

    SHA256

    3e7d79efe8420779116071767bafa58fcd98d289ac6b133c63a21539a3ff3836

    SHA512

    e73751da9f05d5f6e596d58868f27fd43044c8e3efa003a42eeadabb33f84c73b0a7f3f372e94036270ee26d13e1385e2e47eb7e04b7741d6ca084f74956fc48

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    2KB

    MD5

    734342b029494db7e0aac75df3c442d6

    SHA1

    2a73a0c0e5d79aaf2cedd2cc61b9ab92edab5a0d

    SHA256

    9f9d6e5f73960be1cc9dade5e05061f2e1fac33789568f3654d2516ceb3b0d49

    SHA512

    cf48a2ce9a3d352aa5f21e18b7b24bcfb770becc00ac72183ffc3bab597173f2d1eeb3212a87ab88e39f693c39b02fc239a61243a7afe3d39a3e5dc8aaac677f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qSqOPawvHoBdGel.vbs
    Filesize

    2KB

    MD5

    a27ccb57ff1d5685f3b744f83ae76ceb

    SHA1

    be394b0554203ad342bd5b86a3f549577cdc7ea4

    SHA256

    dcbcc67a49fd29985c87993db391ab12dbc531a15b24cbc7149bd74adea174fc

    SHA512

    6fc2b6eaf3cf055206e1253654bf8542dabebab4159f0fd049e800bce4a2f9c3638ed0e754e695e079f6baed9267db72f5c41a3b5393fd521419adb1e40e3613

    Download Submit

  • memory/2340-19-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-20-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-24-0x00007FF819560000-0x00007FF819570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-25-0x00007FF819560000-0x00007FF819570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-22-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-21-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-18-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-7-0x000001328D610000-0x000001328D632000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2460-227-0x000001328D120000-0x000001328D12A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2460-82-0x000001328D110000-0x000001328D118000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2460-17-0x00000132A7C20000-0x00000132A7C64000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2460-23-0x00000132A7CF0000-0x00000132A7D66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3944-246-0x0000000000B90000-0x0000000000BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3944-319-0x0000000005720000-0x0000000005CC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3944-329-0x0000000005370000-0x00000000053D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3944-330-0x0000000006890000-0x00000000068E0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3944-331-0x0000000006980000-0x0000000006A12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3944-332-0x0000000006900000-0x000000000690A000-memory.dmp

    Filesize

    40KB

    Download